How UAC Affects Admin Shares, PsExec and More
User Account Control (UAC) is a security component introduced in Windows Vista and Windows Server 2008. It helps prevent potentially harmful programs from making changes to the computer by notifying the user before programs or user actions acquire administrative rights.
However, UAC applies to local user accounts in the Administrators group not only on the local machine; it also restricts them in remote sessions. This is called UAC remote restrictions. (Domain user accounts are not affected by UAC remote restrictions.)
When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection by using the net use * \\remotecomputer\Share$ command, for example, they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.
Or we may configure the registry so that local user accounts in the Administrators group have the elevation potential to be a full administrator in remote sessions, using the following command:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Note: This change has security implications, as it makes "loopback" attacks that bypass the UAC confirmation possible.
Or disable UAC altogether (not recommended):
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Note: This change has security implications, as the use of administrator rights is not controlled at all.
A system restart is required for the new configuration to take effect.
With this fix, we're now able to access \\example.com\C$, \\example.com\ADMIN$, etc., if these admin shares are enabled.
PsExec can also work now.
Registry Editor (regedit.exe) is now able to expand the HKEY_LOCAL_MACHINE hive on remote machines as well.
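To check which of these states a machine is in, before or after the change, the following added PowerShell example (not part of the original post) reads the two registry values used above and lists the local accounts in the Administrators group. Treating a missing value as EnableLUA = 1 and LocalAccountTokenFilterPolicy = 0 is an assumption about Windows defaults, and the helper name Get-PolicyValue is hypothetical.

```powershell
# Added example: report how this host treats local administrators on remote logons.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name, [int]$Default)
    # Assumption: a value that is not present means Windows applies $Default.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$enableLua   = Get-PolicyValue -Name 'EnableLUA' -Default 1
$tokenFilter = Get-PolicyValue -Name 'LocalAccountTokenFilterPolicy' -Default 0

# Map the two values onto the three configurations described in the post.
if ($enableLua -eq 0) {
    $state = 'UAC disabled: use of administrator rights is not controlled'
} elseif ($tokenFilter -eq 1) {
    $state = 'UAC on, remote restrictions lifted for local administrators'
} else {
    $state = 'UAC on, remote restrictions active for local administrators'
}

# List local (SAM) user accounts in Administrators; domain accounts are skipped.
# The group is addressed by its well-known SID so localized names do not matter.
try {
    $localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
        Select-Object -ExpandProperty Name
} catch {
    $localAdmins = @("(could not enumerate: $($_.Exception.Message))")
}

[pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    EnableLUA                     = $enableLua
    LocalAccountTokenFilterPolicy = $tokenFilter
    State                         = $state
    LocalAdminAccounts            = $localAdmins -join ', '
}
```

Running this across a fleet and flagging any host that does not report "remote restrictions active" shows where the relaxed settings have been left in place.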
Cheers!