UAC

Overview
Syntax
Remote Execution
Output
Use Cases
Example Output
Remote Execution
Detection Considerations
UAC Settings Explained
Related Commands

Overview

The UAC command enumerates User Account Control (UAC) settings from the registry. UAC is a Windows security feature that helps prevent unauthorized changes by prompting for elevation. Understanding UAC configuration is crucial for assessing privilege escalation difficulty and planning bypass techniques.

Syntax

Seatbelt.exe UAC

Remote Execution

Seatbelt.exe UAC -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns UAC configuration:

UAC enabled/disabled status
Consent prompt behavior for administrators
Consent prompt behavior for standard users
Admin Approval Mode status
Elevation prompt for standard users
Secure desktop for elevation prompts
Virtualization enabled status

Use Cases

Red Team
Blue Team

Assess UAC bypass difficulty
Determine elevation prompt behavior
Plan privilege escalation approach
Identify UAC auto-elevation opportunities
Check if UAC is disabled

Example Output

====== UAC ======

ConsentPromptBehaviorAdmin    : 5 (Prompt for consent for non-Windows binaries)
EnableLUA (UAC Enabled)       : 1 (Enabled)
LocalAccountTokenFilterPolicy : 0 (Filtering enabled)
FilterAdministratorToken      : 0 (Default RID 500 admin filtering)

ConsentPromptBehaviorUser     : 3 (Prompt for credentials)
EnableInstallerDetection      : 1 (Enabled)
ValidateAdminCodeSignatures   : 0 (Disabled)
EnableSecureUIAPaths          : 1 (Enabled)
EnableUIADesktopToggle        : 0 (Disabled)
PromptOnSecureDesktop         : 1 (Enabled)
EnableVirtualization          : 1 (Enabled)

[*] UAC is ENABLED with secure configuration
[*] Elevation will prompt on secure desktop

Example with weak UAC:

====== UAC ======

ConsentPromptBehaviorAdmin    : 0 (Elevate without prompting)
EnableLUA (UAC Enabled)       : 0 (Disabled) [!]
LocalAccountTokenFilterPolicy : 1 (Filtering disabled) [!]

[!] WARNING: UAC is DISABLED
[!] WARNING: Remote UAC restrictions disabled

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Low detection risk - reads UAC registry settings.

Registry Access: Queries HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
WMI Activity: Remote execution generates WMI events

UAC Settings Explained

ConsentPromptBehaviorAdmin Values

0 - Elevate without prompting (least secure) 1 - Prompt for credentials on secure desktop 2 - Prompt for consent on secure desktop 3 - Prompt for credentials 4 - Prompt for consent 5 - Prompt for consent for non-Windows binaries (default)

ConsentPromptBehaviorUser Values

0 - Automatically deny elevation requests 1 - Prompt for credentials on secure desktop (default) 3 - Prompt for credentials

LocalGroups - Local admin group membership
TokenPrivileges - Current token privileges
AppLocker - AppLocker configuration
LocalGPOs - Local Group Policy settings

AppLocker LAPS

⌘I

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

Overview

Syntax

Remote Execution

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

UAC Settings Explained

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

​Overview

​Syntax

​Remote Execution

​Output

​Use Cases

​Example Output

​Remote Execution

​Detection Considerations

​UAC Settings Explained

​Related Commands

Overview

Syntax

Remote Execution

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

UAC Settings Explained

Related Commands