This project is a Rust implementation of a UAC (User Account Control) bypass technique that was originally researched by Oddvar Moe and implemented in C#/.NET by zc00l. The technique leverages the Windows Connection Manager Profile Installer (CMSTP.exe) to elevate privileges.
The implementation uses Windows' CMSTP.exe binary to bypass UAC restrictions through a specially crafted .inf file. This allows a medium integrity process belonging to a local administrator to spawn a new high integrity process with full privileges.
- Creates a temporary .inf file in `C:\windows\temp`
- Uses UUID v4 for unique filename generation
- Injects the specified command into the INF template
- Maintains the same INF structure as the original implementation
- Executes CMSTP.exe with the `/au` flag
- Handles process spawning and monitoring
- Implements proper error handling for binary existence checks
- Uses the Windows API through the `winapi` crate
- Implements window finding and interaction
- Handles UAC prompt automation
- Simulates keyboard input when needed
- Memory safety through Rust's ownership system
- No unsafe DLL reflection (unlike the C# version)
- Proper error handling and Result types
- Safe string handling with proper Unicode support
- Controlled process management
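The defender-side counterpart to the behaviour listed above, added here and not part of RustyKeys or any of the cited projects: a small Rust check that flags process-creation records in which `cmstp.exe` is launched with `/au` on an .inf file under `C:\windows\temp`, the two artefacts this README describes. The `parent_image|command_line` record format and the sample records are constructed for the example; real input would come from a process-creation source such as Sysmon Event ID 1 or Security event 4688.

```rust
// Added example, not RustyKeys code. Flags process-creation records that
// match the CMSTP pattern described in the README: cmstp.exe run with /au
// on an .inf profile stored under C:\windows\temp.

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub parent: String,
    pub inf_path: String, // normalised to lower case
}

/// Each constructed record has the shape "parent_image|command_line".
pub fn check_record(record: &str) -> Option<Finding> {
    let (parent, cmdline) = record.split_once('|')?;
    let lower = cmdline.to_ascii_lowercase();
    // /au and the .inf path are separate arguments, so tokenise on whitespace.
    let tokens: Vec<&str> = lower.split_whitespace().collect();
    let image_is_cmstp = tokens
        .first()
        .map_or(false, |t| t.trim_matches('"').ends_with("cmstp.exe"));
    let has_au = tokens.iter().any(|t| *t == "/au");
    if !(image_is_cmstp && has_au) {
        return None;
    }
    // The profile argument is the last token ending in .inf.
    let inf = tokens
        .iter()
        .rev()
        .find(|t| t.trim_matches('"').ends_with(".inf"))?
        .trim_matches('"');
    if inf.starts_with(r"c:\windows\temp\") {
        Some(Finding { parent: parent.to_string(), inf_path: inf.to_string() })
    } else {
        None // legitimate profile installs use an .inf elsewhere
    }
}

/// Scan a batch of records and return every match.
pub fn scan(records: &[&str]) -> Vec<Finding> {
    records.iter().filter_map(|r| check_record(r)).collect()
}

/// Constructed sample records: one matching launch, one legitimate
/// cmstp.exe profile install (no /au, .inf outside temp), one unrelated.
pub const SAMPLE_LOG: &[&str] = &[
    r"C:\Users\alice\Downloads\RustyKeys.exe|C:\Windows\System32\cmstp.exe /au C:\windows\temp\a1b2c3d4-0000-4000-8000-000000000001.inf",
    r"C:\Windows\explorer.exe|C:\Windows\System32\cmstp.exe /ni /s C:\ProgramData\corpvpn\corpvpn.inf",
    r"C:\Windows\explorer.exe|notepad.exe C:\windows\temp\notes.txt",
];
```

The parent image in a match is worth recording alongside the .inf path: it identifies which process wrote and installed the profile.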
Download from the release or build on your own.
Default usage (spawns elevated cmd.exe):

```
.\RustyKeys.exe
```

Execute a specific command with elevation:

```
.\RustyKeys.exe "path_to_executable"
```

Build from source:

```
cargo build --release
cargo build --release --target x86_64-pc-windows-msvc # For 64-bit
cargo build --release --target i686-pc-windows-msvc   # For 32-bit
```
- Generates the INF file with the command to be executed
- Returns the path to the generated file
- Uses UUID for unique filename generation
- Handles the execution of CMSTP.exe
- Manages process creation and monitoring
- Implements privilege elevation logic
- Manages window interaction
- Handles UAC prompt automation
- Implements keyboard simulation when needed
This implementation is based on research and work by several security researchers:
- Original Research: Oddvar Moe
- Original C#/.NET Implementation and Article: zc00l
- PowerShell Script: Tyler Applebaum
- Script: `UACBypassCMSTP.ps1`
Special thanks to zc00l for the comprehensive article explaining the technique and providing the original C#/.NET implementation that served as the basis for this Rust version.
This code is provided for educational purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The authors are not responsible for misuse of this software.