turb0z

Bypass UAC by using Send()

12 posts in this topic

Hello, I'm writing an extremely basic script that writes Registry elements at logon.

Unfortunately, I can't write these elements without UAC's approval, so I'm in a bind.

To give a short description of what I'm doing:

I have a cybercafe image I'm building. This cafe build has automatic login configured. I set the following values:

RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "ForceAutoLogon", "REG_SZ", "0")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon", "REG_SZ", "1")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName", "REG_SZ", "cybercafe")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword", "REG_SZ", "")

If I don't set this at startup, the automatic logon fails at next reboot. I'm sure there's some hex value out there that I'm not setting, but my research online has turned up nothing and the very same registry changes work permanently for XP, so I've chalked it up to yet another Vista "bug".

In any case, here's what I'm preceding these lines with:

#RequireAdmin
WinWait("User Account Control")
Send("mypassword {ENTER}")

Unfortunately UAC halts the application from running, it's not just a dialog where AutoIt can type in the password. So now I'm stuck.

I've tried running a wsf using the following as an admin:

RunAsWait('cafeadmin','.','mypassword',1,'wscript c:\windows\1_auto_login.wsf')

I keep getting a script error stating that access is denied.

If someone could help me on this, that would be fantastic. I'm going to keep digging but at this point I'm about to pull my hair out.


Not being able to use send() on UAC windows is by design. That prevents malware from being able to simply click allow. I don't have a vista box accessible, but there's an option for UAC where it will draw UAC windows as standard windows, and not as secure windows. This also makes UAC usable if you're accessing the machine with VNC.

No idea what's wrong with your runwait... I tried it using XP and it seems to work.


I am also really stumped why my RunWait won't work. I use it to install another application as an admin and it's working just fine.

I'll do some snooping, let me know if you remember where that setting is to prompt UAC as a standard window.


More information on "secure desktop" as they call it:

http://www.howtogeek.com/howto/windows-vis...-windows-vista/

http://www.askvg.com/how-to-tweak-user-acc...c-home-premium/

Keep in mind that disabling "secure desktop" decreases the security of the system, and "send"ing your password to the UAC box is also insecure.

I would investigate what's wrong with the runas. Is that script just to add the registry entry? What if you run the script as a different type (autoit, BATCH, etc)

I'd also look into what's preventing the auto login from working properly. Any of this help?

http://shellrevealed.com/blogs/shellblog/a...-autologon.aspx

http://www.onetipaday.com/2007/05/27/how-t...tup-with-vista/

Apparently there's an "AutoLogonCount" key that will potentially limit the number of times it can autologon.


Hey, here's a pretty good solution. Use Norton's version of Vista's UAC.

It comes with a 'Don't ask me again' option, meaning the next time you run that app you won't be bothered with the UAC screen.

Here's what the UAC looks like:

Posted Image

Here's the download link: ftp://ftp.symantec.com/misc/sabu/norton_labs/NUACx86.exe

I just made a quick autoit app that looks like this:

#RequireAdmin
MsgBox(0,'Works', 'Works')

Compiled it, ran it once, checked the 'Don't ask me again' box, ran it a second time, no UAC prompt and displayed the message box. :)

Hope this helps.


"The quieter you are, the more you are able to hear..."


Thanks for all the great help guys, you've all been very helpful.

I'll look over the information given and let you guys know what I come up with :)


Please do keep us posted.

I don't get paid to be here, but knowing I solved someone's problem is payment enough.


It appears that the AutoLogonCount registry key has fixed the problem. I was also not using a password (which I had other hurdles to overcome JUST to have no password). So, I decided to finally put a password in and also added that AutoLogonCount.

I have to wait and see how the system does over the next few days to know if it's fixed for sure.

Thanks for all the responses again. I've been using AutoIt for a short time but I've already found tons of uses for it.


The Autologoncount will decrement every time the computer is restarted, so set it to an absurdly high number.

It amuses me how the uses I come up with for AutoIT are completely unrelated to each other.

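Added example, not part of any post in this thread and not AutoIt project code: a read-only AutoIt audit of the settings discussed above (the Winlogon autologon values, AutoLogonCount, and the UAC secure-desktop option). The function names are hypothetical, and the UAC value names EnableLUA and PromptOnSecureDesktop are assumptions in the sense that they do not appear in the thread.

```autoit
; Added example, not from the thread. Read-only: it calls RegRead only.
; Function names (_Hive, _Read, _AuditKiosk) are hypothetical.

; Use the 64-bit registry view on 64-bit Windows so a 32-bit AutoIt build
; is not redirected to Wow6432Node.
Func _Hive()
    If @OSArch = "X86" Then Return "HKLM"
    Return "HKLM64"
EndFunc

; Return the value as a string; @error = 1 when the value does not exist.
Func _Read($sSubKey, $sName)
    Local $v = RegRead(_Hive() & "\" & $sSubKey, $sName)
    If @error Then Return SetError(1, 0, "")
    Return SetError(0, 0, String($v))
EndFunc

Func _AuditKiosk()
    Local Const $WINLOGON = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    Local Const $UAC = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    Local $sOut = "", $sVal

    If _Read($WINLOGON, "AutoAdminLogon") = "1" Then
        $sOut &= "[!] Autologon enabled for '" & _Read($WINLOGON, "DefaultUserName") & "'" & @CRLF
        ; DefaultPassword is a plain REG_SZ string: report its state, never its content.
        $sVal = _Read($WINLOGON, "DefaultPassword")
        If @error Then
            $sOut &= "[i] DefaultPassword value is not present" & @CRLF
        ElseIf $sVal = "" Then
            $sOut &= "[!] DefaultPassword is empty: the autologon account has no password" & @CRLF
        Else
            $sOut &= "[!] DefaultPassword is stored in clear text (" & StringLen($sVal) & " chars)" & @CRLF
        EndIf
        ; The thread notes that this counter decrements.
        $sVal = _Read($WINLOGON, "AutoLogonCount")
        If Not @error Then $sOut &= "[i] AutoLogonCount = " & $sVal & @CRLF
    Else
        $sOut &= "[ok] AutoAdminLogon is not set to 1" & @CRLF
    EndIf

    ; UAC state: EnableLUA = 0 means UAC is off; PromptOnSecureDesktop = 0 means
    ; the elevation prompt is drawn as a normal window.
    If _Read($UAC, "EnableLUA") = "0" Then $sOut &= "[!] UAC is disabled (EnableLUA = 0)" & @CRLF
    If _Read($UAC, "PromptOnSecureDesktop") = "0" Then $sOut &= "[!] Secure desktop is off" & @CRLF
    Return $sOut
EndFunc

ConsoleWrite(_AuditKiosk())
```

ConsoleWrite output is visible when the script is run from SciTE or compiled as a console application.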

Umm... this may seem stupid, but why don't you just disable UAC at Control Panel?

think about doing it to 500 or more computers.


think about doing it to 500 or more computers.

It's possible to do if you are running those machines in a domain environment. All it would take is a couple of setting changes in the GP.
