Skirting User Account Control on Windows 10 With fodhelper.exe

posted by Fnord666 on Thursday May 25, @11:08PM
from the another-day-another-UAC-bypass dept.
Security

butthurt writes:

Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.

Responsible for discovering this new UAC bypass method is a German student who goes online by the name of Christian B., currently working on his master's thesis, centered on UAC bypass techniques.

The technique he came up with is a variation on another Windows 10 UAC bypass method discovered by security researcher Matt Nelson in August 2016.

While Nelson's method used the built-in Event Viewer utility (eventvwr.exe), Christian's UAC bypass uses the fodhelper.exe file, located at:

C:\Windows\System32\fodhelper.exe

If this file name isn't familiar to you, this is the window that appears when you press the "Manage optional features" option in the "Apps & features" Windows Settings screen.

Both techniques work in the same way and take advantage of what's called "auto-elevation," which is a state that Microsoft assigns to trusted binaries (files signed with Microsoft certificate, and located in trusted locations such as "C:\Windows\System32").

Just like eventvwr.exe, fodhelper.exe is also a trusted binary, meaning Windows 10 won't show a UAC window when launched into execution, or when other processes spawn from the fodhelper.exe parent process.

The technique employs changing the value of a registry key to contain the command to be executed. Since fodhelper.exe is trusted, the command is executed without the UAC prompt. The article continues with how to avoid the exploit. First off, do NOT run as an Administrator by default. Second, set the UAC level to "Always notify."

Bleeping Computer

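The submission ends with two mitigations: do not run as an Administrator by default, and set UAC to "Always notify". The following PowerShell check is an added example (not from the submission or the Bleeping Computer article) that reports whether a Windows 10 machine meets both. The registry path and value meanings are documented UAC policy settings (ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1 is the "Always notify" slider position); the group-membership test is an assumption that the interactive user is a local account, since nested domain groups are not resolved.

```powershell
# Added defender-side check, not code from the article. Reports whether this
# machine follows the two recommendations: UAC at "Always notify" and the
# everyday account not being a local Administrator.
# Reading HKLM\...\Policies\System and local group membership does not
# itself require elevation.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# EnableLUA = 1 means UAC is enabled at all.
# ConsentPromptBehaviorAdmin = 2 and PromptOnSecureDesktop = 1 is "Always notify".
# The default (5 / 1) only prompts for non-Windows binaries, which is the gap
# that Microsoft-signed auto-elevating binaries such as fodhelper.exe sit in.
$enableLua     = [int]$uac.EnableLUA
$consent       = [int]$uac.ConsentPromptBehaviorAdmin
$secureDesktop = [int]$uac.PromptOnSecureDesktop

$alwaysNotify = ($enableLua -eq 1) -and ($consent -eq 2) -and ($secureDesktop -eq 1)

# Membership in the local Administrators group (well-known SID S-1-5-32-544),
# not current elevation: a filtered admin token still belongs to an admin
# account, and that is what a UAC bypass turns into a full-privilege process.
# Assumption: the interactive user is listed directly; nested domain groups
# are not expanded here.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$adminSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$admins = Get-LocalGroupMember -SID $adminSid -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
$isAdminMember = @($admins) -contains $me

[PSCustomObject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $consent
    PromptOnSecureDesktop      = $secureDesktop
    UacAlwaysNotify            = $alwaysNotify
    User                       = $me
    LocalAdminMember           = $isAdminMember
    Recommendation             = $(if (-not $alwaysNotify -or $isAdminMember) {
        'Set UAC to Always notify and use a non-admin account for daily work'
    } else {
        'Configured as the submission recommends'
    })
}
```

Run it from an ordinary (non-elevated) PowerShell session on the machine being assessed; a result of `UacAlwaysNotify = False` or `LocalAdminMember = True` is the configuration the post warns about, because auto-elevating binaries only skip the prompt when the logged-on user is an administrator and UAC is below "Always notify".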


  • (Score: 2) by Snotnose on Thursday May 25, @11:35PM (2 children)

    by Snotnose (1623) on Thursday May 25, @11:35PM (#515749)

    I know it's fun to bash Microsoft but this shows security is hard. Windows takes the heat because it has the most market penetration. Linux security would also suck if it had anywhere near 50% saturation. I have to wonder about the Linux servers, are they pretty secure, does nobody care, or don't they hold any information hackers care about?

    • (Score: 2) by ikanreed on Thursday May 25, @11:43PM

      by ikanreed (3164) on Thursday May 25, @11:43PM (#515751)

      Then there was that time that any user with steam installed could have any browser page redirect automatically run arbitrary code because the steam:// url scheme was completely stupid to embed at the system level.

      I don't actually know if they fixed that one yet or not.

    • (Score: 0) by Anonymous Coward on Thursday May 25, @11:45PM

      by Anonymous Coward on Thursday May 25, @11:45PM (#515752)

      Security *is* hard. No doubt about that!
      But Linux does cover more than 50% of all computing devices (think phones, servers and your hipster friends running Ubuntu) and easily surpasses Windows' install base. I think its market penetration is pretty in-everyone's-face and I would say an even more lucrative target than your average Win10 user's machine since servers are more powerful, which is useful if you want to hijack compute time. Servers also hold (and have access to) a lot more interesting data on a lot more users and more business-critical data that the company would likely be willing to pay for if it ever gets crypto-ransomed.

      So don't be too quick with the whole "it's because Microsoft Windows is so widely used and Linux isn't".

