type: technique | confidence: high | created: 2026-06-03 | updated: 2026-06-03 | tags: defense-evasion, mitre-attck, uac-bypass, registry, research-target

UAC Bypass via Event Viewer (eventvwr.exe)

Auto-elevate bypass abusing the .msc file handler registration (MITRE ATT&CK T1548.002, Bypass User Account Control). Event Viewer (eventvwr.exe) is a Microsoft-signed binary whose manifest marks it autoElevate, so for a user in the local Administrators group running at the default UAC level it starts at high integrity without a prompt. To show its console it opens eventvwr.msc through the mscfile class, reading the handler from HKCR\mscfile\shell\open\command, whose default value is normally %SystemRoot%\system32\mmc.exe "%1" %*. HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in which the per-user branch takes precedence, and every user can write to their own HKCU. A medium-integrity process therefore only has to create HKCU\Software\Classes\mscfile\shell\open\command with a payload as its default value and launch eventvwr.exe; the payload runs elevated, with no prompt and without dropping a file to disk.

Detection / Fingerprint

Strings in the binary:

  • eventvwr.exe
  • Software\Classes\mscfile\shell\open\command
  • origmsc (backup/restoration tag used by Remcos)

Decompiled samples write the payload path to HKCU\Software\Classes\mscfile\shell\open\command and then start eventvwr.exe; where the origmsc tag appears, the sample saves the previous handler value under it and restores it after the elevated payload has launched.

Reproduce on your own VMs

  Prerequisites: a test account in the local Administrators group, UAC at its default level (Always Notify prompts even for auto-elevating binaries), and an affected build (see Defensive Countermeasures).

  1. Create the hijack key; eventvwr.exe reads the default value of the command key, so set it with /ve:
    reg add "HKCU\Software\Classes\mscfile\shell\open\command" /ve /d "C:\Windows\System32\cmd.exe /k whoami" /f
    
  2. Launch eventvwr.exe from a medium-integrity prompt. A cmd.exe window opens with no UAC prompt; confirm it is elevated by running whoami /groups in that window and checking for "Mandatory Label\High Mandatory Level".
  3. Cleanup. The per-user mscfile key does not exist on a clean system, so remove the whole branch rather than only the command key, which would otherwise leave empty parent keys behind as a lingering indicator:
    reg delete "HKCU\Software\Classes\mscfile" /f
    
    

Defensive Countermeasures

  • Alert on creation of, or value writes to, HKCU\Software\Classes\mscfile\shell\open\command (Sysmon Event ID 12/13). The key does not exist on a clean system, so any write is suspect; a Details value that is not mmc.exe is the payload path
  • Alert on eventvwr.exe spawning any child other than mmc.exe (Sysmon Event ID 1, or Security 4688 with creator process logging), especially at High integrity
  • Microsoft changed eventvwr.exe in the Windows 10 Creators Update (1703) so it no longer honours the per-user handler; Windows 7, 8.1 and Windows 10 builds before 1703 remain affected. Setting UAC to Always Notify blocks auto-elevation, and keeping day-to-day accounts out of the local Administrators group removes the target entirely
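Detection logic for the two telemetry signals above, added here as an example and not code from the original page or from any product: it walks a list of Sysmon-style records, flags Event ID 13 writes to the per-user mscfile handler and Event ID 1 records where eventvwr.exe spawns something other than mmc.exe, and correlates the two by user and time. Field names mirror Sysmon's; the sample events, SIDs, user names and the ten-minute window are constructed for the example.

```python
"""Correlate the two signals of the eventvwr.exe handler hijack in Sysmon-style
records: Event ID 13 (RegistryEvent value set) on the per-user mscfile handler and
Event ID 1 (ProcessCreate) where eventvwr.exe spawns something other than mmc.exe.
Field names follow Sysmon; the sample records below are constructed, not captured.
"""
from datetime import datetime, timedelta

# Sysmon renders HKCU as HKU\<user SID>, so a per-user hijack lands under HKU\.
# A write to the same path under HKLM is the machine-wide handler, not the bypass.
HIJACK_KEY = "\\software\\classes\\mscfile\\shell\\open\\command"


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _ts(s: str) -> datetime:
    # Sysmon UtcTime looks like "2026-06-03 14:02:11.123"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_handler_hijack(ev: dict) -> bool:
    """Event ID 13 writing the mscfile open handler inside a user hive (HKU\\<SID>\\...)."""
    if ev.get("EventID") != 13:
        return False
    target = _norm(ev.get("TargetObject", ""))
    return target.startswith("hku\\") and HIJACK_KEY in target


def is_unexpected_child(ev: dict) -> bool:
    """Event ID 1 where eventvwr.exe is the parent and the child is not mmc.exe."""
    if ev.get("EventID") != 1:
        return False
    parent = _norm(ev.get("ParentImage", ""))
    child = _norm(ev.get("Image", ""))
    return parent.endswith("\\eventvwr.exe") and not child.endswith("\\mmc.exe")


def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts. A hijack write followed by an unexpected child from the same
    user within `window` is rated high; either signal on its own is medium."""
    hijacks = [e for e in events if is_handler_hijack(e)]
    alerts = []
    for e in events:
        if is_unexpected_child(e):
            t = _ts(e["UtcTime"])
            linked = [h for h in hijacks
                      if h.get("User") == e.get("User")
                      and timedelta(0) <= t - _ts(h["UtcTime"]) <= window]
            alerts.append({
                "severity": "high" if linked else "medium",
                "rule": "eventvwr_unexpected_child",
                "user": e.get("User"),
                "image": e.get("Image"),
                "integrity": e.get("IntegrityLevel"),
                "handler": linked[-1].get("Details") if linked else None,
            })
    for h in hijacks:
        alerts.append({
            "severity": "medium",
            "rule": "mscfile_handler_hijack_write",
            "user": h.get("User"),
            "image": h.get("Image"),
            "details": h.get("Details"),
        })
    return alerts


# Constructed sample records (not captured telemetry); SIDs and paths are illustrative.
SAMPLE_EVENTS = [
    {   # benign: Event Viewer started normally, child is mmc.exe
        "EventID": 1, "UtcTime": "2026-06-03 13:55:02.000", "User": "LAB\\alice",
        "Image": "C:\\Windows\\System32\\mmc.exe",
        "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "IntegrityLevel": "High",
    },
    {   # hijack write to the per-user handler (HKCU shown as HKU\<SID> by Sysmon)
        "EventID": 13, "UtcTime": "2026-06-03 14:02:11.123", "User": "LAB\\alice",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Classes\\mscfile\\shell\\open\\command\\(Default)",
        "Details": "C:\\Windows\\System32\\cmd.exe /k whoami",
    },
    {   # eventvwr.exe then spawns cmd.exe at high integrity
        "EventID": 1, "UtcTime": "2026-06-03 14:02:14.500", "User": "LAB\\alice",
        "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /k whoami",
        "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "IntegrityLevel": "High",
    },
    {   # benign: an installer rewriting the machine-wide handler under HKLM
        "EventID": 13, "UtcTime": "2026-06-03 14:10:00.000", "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\mscfile\\shell\\open\\command\\(Default)",
        "Details": "%SystemRoot%\\system32\\mmc.exe \"%1\" %*",
    },
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On builds that carry Microsoft's fix, eventvwr.exe still only spawns mmc.exe, so the child-process rule stays quiet, but the registry rule still fires on the attempt, which is why the two are worth keeping separate rather than requiring both.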

Observed in