UAC unauthorized software installation issue

Copper Contributor

In Windows 10 and 11 operating systems;

--

When a .bat file containing the command syntax:

 

Set __COMPAT_LAYER=RunAsInvoker Start '%ApplicationName%.exe'
 

is created and executed, it has been determined that the installation of the application specified in the 'ApplicationName' field can be initiated in a folder such as 'C:/SetupFolder' with standard user rights, bypassing the User Access Control (UAC) elevation prompt of the operating system. This allows users in the 'standard users' group to initiate unauthorized software installations, posing a security vulnerability within the Active Directory Domain.

 

  1. To prevent this situation, configuring 'Windows Installer Rules' policies in 'AppLocker' does not effectively block the installation of the specified setup file, except when it is a 'Microsoft Installer (.msi)'.

  2. Since this command syntax does not contain malicious code, it is not blocked by third-party security and antivirus software. Additionally, making changes to the specified command syntax or renaming it to .exe instead of .bat can render the creation of specific filters to prevent the execution of this command on applications impractical.

  3. We couldn't find any operating system fix or patch that prevents the UAC prompt from being bypassed and allows the initiation of software installation in a directory specified by the user.

Considering the mentioned situation, I request your support, information, and suggestions to prevent users in the 'Standard Users' group from initiating unauthorized software installations using this method. Thank you, and I appreciate your assistance.

0 Replies