PRIMARY CATEGORY → WINDOWS MOVEMENT
Theory
UAC Configuration
| UAC SLIDER LEVEL | NAME | EnableLUA | ConsentPromptBehaviorAdmin | PromptOnSecureDesktop |
|---|---|---|---|---|
| Level 4 | Always notify me | 1 | 2 | 1 |
| Level 3 (Default) | Notify me only when apps try to make changes to my computer | 1 | 5 | 1 |
| Level 2 | Notify me only when apps try to make changes to my computer, w/o dimming my desktop | 1 | 5 | 0 |
| Level 1 | Never notify me | 1 | 0 | 0 |
Summary
UAC Enabled
| USER | LOGON TYPE | ACCESS TOKEN |
|---|---|---|
| Non RID 500 Local Admin Account | 2 (Interactive), 10 (RemoteInteractive) | Filtered Token + Full Token (Dual Token) |
| Non RID 500 Local Admin Account | 3 (Network) | Filtered Token |
| RID 500 Admin Account | 2 (Interactive), 3 (Network), 10 (RemoteInteractive) | Full Token |
| Domain User member of Local Admins Group | 2 (Interactive), 10 (RemoteInteractive) | Filtered Token + Full Token (Dual Token) |
| Domain User member of Local Admins Group | 3 (Network) | Full Token |
UAC not Enabled
- For every privileged account, LSASS.exe creates a Full Access Token; with UAC disabled there is no filtering step, so no Filtered Access Token is derived from it.
- This applies regardless of the Logon Session Type, whether it is 2 (Interactive), 3 (Network) or 10 (RemoteInteractive).
- LocalAccountTokenFilterPolicy has no effect when UAC is disabled.
| USER | LOGON TYPE | ACCESS TOKEN |
|---|---|---|
| Non RID 500 Local Admin Account | 2 (Interactive), 3 (Network), 10 (RemoteInteractive) | Full Token |
| RID 500 Admin Account | 2 (Interactive), 3 (Network), 10 (RemoteInteractive) | Full Token |
| Domain User member of Local Admins Group | 2 (Interactive), 3 (Network), 10 (RemoteInteractive) | Full Token |
Summary (UAC Enabled)
| USER | LOGON TYPE | POLICY | ACCESS TOKEN | Under UAC? |
|---|---|---|---|---|
| Non RID 500 Local Admin Account | 2 (Interactive), 10 (RemoteInteractive) | LocalAccountTokenFilterPolicy ❌ | Filtered Token + Full Token (Dual Token) | 🟢 |
| Non RID 500 Local Admin Account | 3 (Network) | LocalAccountTokenFilterPolicy ❌ | Filtered Token | 🟢 |
| Non RID 500 Local Admin Account | 3 (Network) | LocalAccountTokenFilterPolicy 🟢 | Full Token | 🟢 |
| RID 500 Admin Account | 2 (Interactive), 3 (Network), 10 (RemoteInteractive) | FilterAdministratorToken ❌ | Full Token | ❌ |
| RID 500 Admin Account | 2 (Interactive), 10 (RemoteInteractive) | FilterAdministratorToken 🟢 | Filtered Token + Full Token (Dual Token) | 🟢 |
| RID 500 Admin Account | 3 (Network) | LocalAccountTokenFilterPolicy ❌, FilterAdministratorToken 🟢 | Filtered Token | 🟢 |
| RID 500 Admin Account | 3 (Network) | LocalAccountTokenFilterPolicy 🟢, FilterAdministratorToken ❌ | Full Token | 🟢 |
| Domain User member of Local Admins Group | 2 (Interactive), 10 (RemoteInteractive) | | Filtered Token + Full Token (Dual Token) | 🟢 |
| Domain User member of Local Admins Group | 3 (Network) | | Full Token | 🟢 |
Enumeration
UAC Status (Enabled or not)
EnableLUA
- Enabled → 1
- Disabled → 0

CMD & PS (double quotes are required for cmd.exe; single quotes only work from PowerShell)
```cmd
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
```
PS
```powershell
(Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
```
UAC Level
ConsentPromptBehaviorAdmin
| NAME | VALUE |
|---|---|
| Elevate w/o prompting | 0 |
| Prompt for credentials on the secure desktop | 1 |
| Prompt for consent on the secure desktop | 2 |
| Prompt for credentials | 3 |
| Prompt for consent | 4 |
| Prompt for consent for Non-Windows binaries ( Default ) | 5 |
| Prompt for credentials for Non-Windows binaries | 6 |
CMD & PS
```cmd
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"
```
PS
```powershell
(Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System').ConsentPromptBehaviorAdmin
```
Windows Version
PS
```powershell
[environment]::OSVersion.Version
```
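As an added audit example (not code from the original page), the script below reads the five registry values the page enumerates, maps them to the UAC slider level from the table above, and reports which token each privileged account type would receive on a Network (type 3) logon according to the summary tables. The function names and the default values used for missing registry entries are assumptions made here.

```powershell
# Added example: audit the UAC values this page enumerates and apply the page's tables.
# Assumes missing values mean Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5,
# PromptOnSecureDesktop=1, LocalAccountTokenFilterPolicy=0, FilterAdministratorToken=0).
$key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacRegValue($Name, $Default) {
    # A value that is not present is treated as "not configured" (the default)
    $v = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $Default } else { return $v.$Name }
}

$enableLua  = Get-UacRegValue 'EnableLUA' 1
$consent    = Get-UacRegValue 'ConsentPromptBehaviorAdmin' 5
$secureDesk = Get-UacRegValue 'PromptOnSecureDesktop' 1
$latfp      = Get-UacRegValue 'LocalAccountTokenFilterPolicy' 0   # 0 = remote UAC filtering on
$fat        = Get-UacRegValue 'FilterAdministratorToken' 0        # 0 = RID 500 is not filtered

# Slider level, taken from the UAC Configuration table on this page
$level = switch ("$enableLua/$consent/$secureDesk") {
    '1/2/1' { 'Level 4 - Always notify me' }
    '1/5/1' { 'Level 3 (Default) - Notify only when apps make changes' }
    '1/5/0' { 'Level 2 - Notify without dimming the desktop' }
    '1/0/0' { 'Level 1 - Never notify me' }
    default { "Custom (EnableLUA=$enableLua ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secureDesk)" }
}

# Token handed to a privileged account on a Network (type 3) logon, per the summary tables
function Get-NetworkLogonToken($Account) {
    if ($enableLua -ne 1) { return 'Full Token (UAC disabled, no filtering)' }
    switch ($Account) {
        'NonRid500LocalAdmin'  { if ($latfp -eq 1) { 'Full Token' } else { 'Filtered Token' } }
        'Rid500Admin'          { if ($fat -eq 1 -and $latfp -ne 1) { 'Filtered Token' } else { 'Full Token' } }
        'DomainUserLocalAdmin' { 'Full Token' }   # LocalAccountTokenFilterPolicy does not apply
    }
}

[pscustomobject]@{
    UACEnabled                    = ($enableLua -eq 1)
    SliderLevel                   = $level
    LocalAccountTokenFilterPolicy = $latfp
    FilterAdministratorToken      = $fat
    NonRid500Admin_NetworkLogon   = Get-NetworkLogonToken 'NonRid500LocalAdmin'
    Rid500Admin_NetworkLogon      = Get-NetworkLogonToken 'Rid500Admin'
    DomainAdmin_NetworkLogon      = Get-NetworkLogonToken 'DomainUserLocalAdmin'
    OSVersion                     = [environment]::OSVersion.Version.ToString()
} | Format-List
```

A host reporting a Full Token for the non-RID-500 local admin over a network logon has LocalAccountTokenFilterPolicy set to 1, which is the setting worth flagging in a hardening review.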