User acount control options: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=intune

Technical explanation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works

https://github.com/hfiref0x/UACME Project maintains a list of UAC bypasses

Let's use technique number 54, which is stated to work from Windows 10 build 14393. This technique targets the 32-bit version of the auto-elevating binary SystemPropertiesAdvanced.exe. There are many trusted binaries that Windows will allow to auto-elevate without the need for a UAC consent prompt.

According to this blog post, the 32-bit version of SystemPropertiesAdvanced.exe attempts to load the non-existent DLL srrstr.dll, which is used by System Restore functionality.

When attempting to locate a DLL, Windows will use the following search order.

1. The directory from which the application loaded.
2. The system directory C:\\Windows\\System32 for 64-bit systems.
3. The 16-bit system directory C:\\Windows\\System (not supported on 64-bit systems)
4. The Windows directory.
5. Any directories that are listed in the PATH environment variable.

Show PATH:

cmd /c echo %PATH%

Writeup