Back to Intelligence

Defending Against GetProcessHandleFromHwnd API Abuse and UAC Bypass via Quick Assist

SA
Security Arsenal Team
April 11, 2026
6 min read

Introduction

Recent research from Google Project Zero has shed light on a lesser-known Windows API, GetProcessHandleFromHwnd, and its role in a User Account Control (UAC) bypass technique. While this API is designed as a convenience function, its interaction with applications holding UIAccess privileges—such as the built-in Quick Assist tool—creates a viable attack vector for privilege escalation.

Defenders need to act because this technique leverages trusted, signed binaries to bypass security boundaries. It allows an attacker who has already gained a foothold on a system to elevate privileges silently, paving the way for persistence, credential dumping, or defense evasion. This is not a theoretical exercise; it is a documented mechanism that undermines the integrity of the UAC prompt.

Technical Analysis

Affected Products and Platforms:

  • Platform: Microsoft Windows 10 and Windows 11.
  • Specific Component: Windows User32.dll (GetProcessHandleFromHwnd) and applications with the uiAccess manifest flag set to true.
  • Key Vector: Quick Assist (quickassist.exe), though other signed accessibility tools could be misused similarly.

The Vulnerability Mechanism: The GetProcessHandleFromHwnd API allows a caller to retrieve a process handle simply by providing a window handle (HWND). Under normal circumstances, cross-process handle manipulation is restricted by the Windows Integrity Mechanism. However, the documentation reveals a critical security nuance: if the caller possesses UIAccess privileges, the restrictions are relaxed.

The attack chain works as follows:

  1. UIAccess Execution: An attacker triggers a trusted binary with UIAccess privileges (e.g., Quick Assist).
  2. Hook Injection: Using UIAccess, the attacker injects a code hook (e.g., via SetWindowsHookEx) into a target process running at a higher integrity level (e.g., an elevated admin console).
  3. Handle Retrieval: From within the now-compromised target process, the attacker utilizes GetProcessHandleFromHwnd to send a handle back to the calling UIAccess process.
  4. Privilege Escalation: This handle effectively grants the UIAccess process the permissions of the elevated target, bypassing UAC without a user prompt.

Exploitation Status: While the API itself is not a vulnerability, its abuse for UAC bypass has been publicly disclosed via Proof-of-Concept (PoC) code involving Quick Assist. This lowers the barrier for threat actors to incorporate this technique into malware or post-exploitation frameworks like Cobalt Strike or Meterpreter.

Detection & Response

Detecting this abuse requires focusing on the behavioral anomalies of UIAccess applications. Standard administrative tools rarely spawn command shells or perform process injection.

Sigma Rules

YAML
---
title: Suspicious Child Process from Quick Assist
id: 8a4b3c9d-1e2f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects Quick Assist spawning suspicious child processes, which may indicate a UAC bypass or code execution attempt.
references:
  - https://projectzero.google/2026/02/gphfh-deep-dive.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.privilege_escalation
  - attack.t1548.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\quickassist.exe'
  filter_legit:
    Image|endswith:
      - '\quickassist.exe'
      - '\conhost.exe'
  condition: selection and not filter_legit
falsepositives:
  - Unknown (Rare administrative use)
level: high
---
title: Potential GetProcessHandleFromHwnd Abuse via UIAccess Process
id: 9b5c4d0e-2f3g-5b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Detects known UIAccess binaries loading unexpected modules often used in injection or API hooking.
references:
  - https://projectzero.google/2026/02/gphfh-deep-dive.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1055.001
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith:
      - '\quickassist.exe'
      - '\narrator.exe'
      - '\osk.exe'
    ImageLoaded|contains:
      - '\hook'
      - '\inject'
      - '\payload'
  condition: selection
falsepositives:
  - Legitimate accessibility software loading third-party drivers (rare)
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for instances where Quick Assist or other UIAccess binaries spawn command-line interpreters or common LOLBins, indicating potential misuse.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("quickassist.exe", "narrator.exe", "osk.exe", "magnify.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for processes with UIAccess integrity levels that are attempting to access the memory of other processes (often a precursor to injection or handle manipulation).

VQL — Velociraptor
-- Hunt for UIAccess processes performing suspicious handle operations
SELECT Pid, Name, Exe, Username, CommandLine
FROM pslist()
WHERE Name =~ "quickassist" OR Name =~ "narrator" OR Name =~ "osk"

-- Cross-reference with open handles to high-integrity processes
SELECT
  process.Pid AS SourcePid,
  process.Name AS SourceName,
  process.Exe AS SourceExe,
  handle.TargetPid,
  handle.Name AS HandleName,
  handle.Type
FROM pslist() AS process
JOIN foreach(
  SELECT * FROM handles(pid=process.Pid)
) AS handle
WHERE process.Name =~ "quickassist" 
  AND handle.Type =~ "Process"

Remediation Script (PowerShell)

Use this script to audit systems for applications that possess the uiAccess manifest flag, as these are the potential vehicles for this bypass.

PowerShell
<#
.SYNOPSIS
   Audit applications with UIAccess privileges.
.DESCRIPTION
   Scans Program Files for executables containing the 'uiAccess' manifest flag.
   These binaries can be abused to bypass UAC using GetProcessHandleFromHwnd.
#>

$Paths = @("${env:ProgramFiles}", "${env:ProgramFiles(x86)}")
$UIAccessApps = @()

Write-Host "[+] Scanning for UIAccess enabled applications..."

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        $exes = Get-ChildItem -Path $Path -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            try {
                $content = [System.IO.File]::ReadAllText($exe.FullName)
                # Basic heuristic check for uiAccess="true" in manifest
                if ($content -match 'uiAccess\s*=\s*"true"') {
                    $UIAccessApps += [PSCustomObject]@{
                        FilePath = $exe.FullName
                        Signature = (Get-AuthenticodeSignature $exe.FullName).Status
                    }
                }
            } catch {
                # Ignore access errors for binary files
            }
        }
    }
}

if ($UIAccessApps.Count -gt 0) {
    Write-Host "[WARNING] Found UIAccess applications:" -ForegroundColor Yellow
    $UIAccessApps | Format-Table -AutoSize
} else {
    Write-Host "[INFO] No UIAccess applications found via simple scan." -ForegroundColor Green
}

Remediation

  1. Patch and Update: Ensure all Windows systems are fully patched. While this is a design feature/abuse rather than a simple bug, Microsoft may release updates to tighten the interaction between UIAccess and protected processes.

  2. Restrict Quick Assist: If Quick Assist is not required for business operations, disable it via Group Policy or Windows Firewall.

    • Firewall Block: Create an outbound rule blocking quickassist.exe.
    • GPO: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Assistance -> Configure Offer/Unsolicited Remote Assistance (Set to Disabled).

  3. Attack Surface Reduction (ASR): Enable the ASR rule "Block abuse of exploited vulnerable signed drivers" and "Block applications from creating child processes" specifically targeting signed binaries that are not commonly used for spawning other processes (configure exclusions carefully).

  4. Privileged Access Workstations (PAW): Ensure that high-privilege administrative tasks are performed on PAWs where unnecessary tools like Quick Assist are not installed or enabled.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

vulnerabilitycvepatchzero-dayuac-bypasswindows-apiquick-assistprivilege-escalation

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action