{
	"id": "d2cdb2c5-19dc-4dae-9603-a66c2dddb4fe",
	"created_at": "2026-04-06T00:08:35.593029Z",
	"updated_at": "2026-04-10T03:21:58.756939Z",
	"deleted_at": null,
	"sha1_hash": "95ae35f7532ea8581701d695dcf4524e8bfc048a",
	"title": "GitHub - hfiref0x/UACME: Defeating Windows User Account Control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107805,
	"plain_text": "GitHub - hfiref0x/UACME: Defeating Windows User Account\r\nControl\r\nBy hfiref0x\r\nArchived: 2026-04-05 17:23:58 UTC\r\nDefeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor. This project\r\ndemonstrates various UAC bypass techniques and serves as an educational resource for understanding Windows\r\nsecurity mechanisms.\r\n⚠️ Warning: This tool demonstrates security vulnerabilities that could be exploited maliciously. Use\r\nresponsibly and only in controlled environments.\r\nSystem Requirements\r\nOperating Systems: Windows 7/8/8.1/10/11 (x86-32/x64, client; some methods, however, work on server\r\nversions too)\r\nUser Account: Administrator account with UAC set on default settings\r\nUsage\r\nRun the executable from command line using the following syntax:\r\nakagi32.exe [Method_Number] [Optional_Command]\r\nor\r\nakagi64.exe [Method_Number] [Optional_Command]\r\nParameters:\r\nMethod_Number: Number corresponding to the UAC bypass method (see Methods List below)\r\nOptional_Command: Full path to an executable file to run with elevated privileges\r\nIf omitted, the program will launch an elevated command prompt\r\n(%systemroot%\\system32\\cmd.exe)\r\nExamples:\r\nhttps://github.com/hfiref0x/UACME\r\nPage 1 of 5\n\nakagi32.exe 23\r\nakagi64.exe 61\r\nakagi32.exe 23 c:\\windows\\system32\\calc.exe\r\nakagi64.exe 61 c:\\windows\\system32\\charmap.exe\r\nNote: Since version 3.5.0, all previously \"fixed\" methods are considered obsolete and have been\r\nremoved. 
If you need them, use v3.2.x branch.\r\nKeys\r\nImportant Notes:\r\nMethod 30, 63 and later are implemented only in x64 version\r\nMethod 30 requires x64 because it exploits WOW64 subsystem feature\r\nMethod 55 is included primarily for educational purposes and may not be reliable\r\nMethod 78 requires that the current user account password is not blank\r\nWarning\r\n⚠️ Important Security and Usage Information:\r\nThis tool demonstrates only publicly known UAC bypass methods used by malware. It reimplements\r\nsome techniques in different ways to improve upon original concepts.\r\nNot intended for antivirus testing and not guaranteed to work in environments with aggressive security\r\nsoftware. Use with active antivirus at your own risk.\r\nMany antivirus solutions may flag this tool as a \"HackTool\" - this is expected behavior due to its\r\ncapabilities.\r\nClean up after usage: If running on a production system, ensure you remove all program artifacts\r\nafterward. See source code for details about files dropped to system folders.\r\nMost methods were developed primarily for x64 systems. 
While many can work on x86-32 with minor\r\nadjustments, 32-bit support is not a focus of this project.\r\nFor an official Microsoft explanation on why UAC bypasses still exist, see: Microsoft's stance on UAC\r\nWindows 10 support and testing policy\r\nUACMe is tested only with LTSB/LTSC variants (1607/1809) and the current RTM-1 versions\r\nFor example: if the current version is 2004, it will be tested on 2004 (19041) and the previous 1909\r\n(18363)\r\nInsider builds are not supported as methods may be fixed in preview releases\r\nProtection Measures\r\nThe most effective protection against UAC bypass techniques is using an account without administrative\r\nprivileges.\r\nBuild instructions\r\nUACMe is written in C and requires Microsoft Visual Studio 2019 or later to build from source.\r\nPrerequisites\r\nIDE: Microsoft Visual Studio 2019 or 2022\r\nSDK Requirements:\r\nWindows 8.1 or Windows 10 SDK (tested with 19041 version)\r\n.NET Framework SDK (tested with 4.8 version)\r\nBuild Steps\r\n1. Configure Platform ToolSet (Project-\u003eProperties-\u003eGeneral):\r\nFor Visual Studio 2019: Select v142\r\nFor Visual Studio 2022: Select v143\r\n2. Set Target Platform Version (Project-\u003eProperties-\u003eGeneral):\r\nFor v140: Select 8.1 (Windows 8.1 SDK must be installed)\r\nFor v141 and above: Select 10\r\n3. Build Process:\r\nCompile payload units\r\nCompile Naka module\r\nEncrypt all payload units using Naka module\r\nGenerate secret blobs for these units using Naka module\r\nMove compiled units and secret blobs to the Akagi\\Bin directory\r\nRebuild Akagi\r\nNote: Compiled binaries are not provided and will never be provided. 
This serves as a barrier against\r\nmalicious usage and helps maintain the educational purpose of this project.\r\nLegal Disclaimer\r\nThis tool is provided for educational and research purposes only\r\nWe do not take any responsibility for this tool being used in malicious activities\r\nWe have no affiliation with any \"security company\" using this code for commercial activities\r\nThis GitHub repository (hfiref0x/UACME) is the only genuine source for UACMe code\r\nSupport\r\nIf you find this project interesting, you can buy me a coffee\r\nBTC (Bitcoin): bc1qzkvtpa0053cagf35dqmpvv9k8hyrwl7krwdz84q39mcpy68y6tmqsju0g4\r\nReferences\r\nWindows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html\r\nMalicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf\r\nJunfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/\r\nBeyond good ol' Run key, series of articles, http://www.hexacorn.com/blog\r\nKernelMode.Info UACMe thread, https://www.kernelmode.info/forum/viewtopicf985.html?f=11\u0026t=3643\r\nCommand Injection/Elevation - Environment Variables Revisited,\r\nhttps://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited\r\n\"Fileless\" UAC Bypass Using eventvwr.exe and Registry Hijacking,\r\nhttps://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\nBypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/\r\nUsing IARPUninstallStringLauncher COM interface to bypass UAC,\r\nhttp://www.freebuf.com/articles/system/116611.html\r\nBypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/\r\n\"Fileless\" UAC Bypass using sdclt.exe, 
https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\r\nUAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/\r\nExploiting Environment Variables in Scheduled Tasks for UAC Bypass,\r\nhttps://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html\r\nFirst entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\r\nReading Your Way Around UAC in 3 parts:\r\n1. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html\r\n2. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html\r\n3. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html\r\nResearch on CMSTP.exe, https://msitpros.com/?p=3960\r\nUAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.html\r\nUAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\r\nYet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass\r\nUAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/\r\nAccessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html\r\nFileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html\r\nCalling Local Windows RPC Servers from .NET, https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html\r\nMicrosoft Windows 10 UAC bypass local privilege escalation exploit,\r\nhttps://packetstormsecurity.com/files/155927/Microsoft-Windows-10-Local-Privilege-Escalation.html\r\nUACMe 3.5, WD and the ways of mitigation, https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html\r\nUAC bypasses from 
COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\r\nUtilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses\r\nMSDT DLL Hijack UAC bypass, https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass\r\nUAC bypass through .Net Deserialization vulnerability in eventvwr.exe,\r\nhttps://twitter.com/orange_8361/status/1518970259868626944\r\nAdvanced Windows Task Scheduler Playbook - Part.2 from COM to UAC bypass and get SYSTEM\r\ndirectly, http://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html\r\nBypassing UAC with SSPI Datagram Contexts, https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html\r\nMitigate some Exploits for Windows’® UAC, https://skanthak.hier-im-netz.de/uacamole.html\r\nAuthors\r\n(c) 2014 - 2026 UACMe Project\r\nSource: https://github.com/hfiref0x/UACME",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://github.com/hfiref0x/UACME"
	],
	"report_names": [
		"UACME"
	],
	"threat_actors": [],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95ae35f7532ea8581701d695dcf4524e8bfc048a.pdf",
		"text": "https://archive.orkl.eu/95ae35f7532ea8581701d695dcf4524e8bfc048a.txt",
		"img": "https://archive.orkl.eu/95ae35f7532ea8581701d695dcf4524e8bfc048a.jpg"
	}
}