consent.exe - Windows UAC Consent Dialog [2026]
Medium Risk | Windows | consent.exe | EXECUTABLE
consent.exe is the Windows UAC consent UI that prompts for elevation. It may be impersonated for credential harvesting, or its activity may indicate UAC bypass attempts.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Medium |
| Abuse Potential | Medium |
| Prevalence | Universal |
| Risk Score | 50/100 |
consent.exe handles UAC prompts and may be impersonated or targeted in UAC bypass attacks.
Overview
What is consent.exe?
consent.exe is the Windows User Account Control (UAC) consent dialog process that displays elevation prompts when applications request administrator privileges.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | consent.exe |
| Developer | Microsoft Corporation |
| Digital Signature | Microsoft Windows |
| Feature | User Account Control |
| Type | Security Dialog |
Technical Details
| Property | Description |
|---|---|
| Process Type | Elevated UI Process |
| Parent Process | svchost.exe (appinfo) |
| Purpose | Display UAC consent dialog |
| Protection | Secure Desktop |
consent.exe runs on the secure desktop to prevent spoofing by malware.
Normal Behavior
Legitimate Characteristics
Process: consent.exe
Parent: svchost.exe -k netsvcs -p
Location: C:\Windows\System32\consent.exe
Trigger: Elevation request
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | svchost.exe (appinfo) |
| Location | C:\Windows\System32\ |
| Trigger | UAC elevation request |
| Desktop | Secure desktop |
| Duration | Brief (user interaction) |
Elevation Scenarios
| Scenario | Trigger |
|---|---|
| Admin app launch | UAC manifest |
| "Run as Administrator" | User request |
| System changes | Windows protection |
Common Locations
C:\Windows\System32\consent.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Wrong location | Critical | Not in System32 |
| Wrong parent | High | Not from svchost appinfo |
| Unusual frequency | Medium | Too many UAC prompts |
| No secure desktop | High | Spoofable dialog |
| User interaction | Medium | Social engineering |
UAC Bypass Indicators
UAC Bypass Patterns:
- Unexpected consent.exe invocation
- Auto-elevation abuse
- Environment variable manipulation
- COM object exploitation
Spoofing Concerns
| Attack | Method |
|---|---|
| Fake dialog | UI spoofing |
| Credential harvest | Phishing creds |
| Elevation bypass | UAC circumvention |
Abuse Techniques
Credential Phishing
Fake UAC Dialog:
1. Malware creates fake consent dialog
2. Mimics legitimate UAC prompt
3. User enters credentials
4. Credentials captured by attacker
5. Real elevation may or may not occur
UAC Bypass Abuse
Auto-Elevation Abuse:
1. Attacker finds auto-elevating binary
2. Hijacks DLL or environment
3. Bypasses UAC without prompt
4. consent.exe never invoked
5. Silent privilege escalation
Social Engineering
| Technique | Implementation |
|---|---|
| Frequency fatigue | Many prompts desensitize user |
| False urgency | "Critical update" prompts |
| Trust exploitation | Mimic trusted apps |
Impersonation
Fake consent.exe:
- Create lookalike dialog
- Harvest administrator credentials
- Bypass secure desktop protection
- Phish users for passwords
Detection Guidance
Sysmon Configuration
<RuleGroup name="consent.exe Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <!-- Leading backslash anchors the match to the file name, as in the Sigma rule -->
    <Image condition="end with">\consent.exe</Image>
  </ProcessCreate>
</RuleGroup>
Sigma Rule
title: Suspicious consent.exe Location
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\consent.exe'
  filter:
    Image: 'C:\Windows\System32\consent.exe'
    ParentImage|endswith: '\svchost.exe'
  condition: selection and not filter
falsepositives:
  - None expected
level: high
KQL Query
// consent.exe from wrong location or parent
// startswith is case-insensitive and matches whether or not FolderPath includes the file name
DeviceProcessEvents
| where FileName =~ "consent.exe"
| where not(FolderPath startswith "C:\\Windows\\System32\\") or
    not(InitiatingProcessCommandLine contains "netsvcs")
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName

// High frequency UAC prompts (potential bypass attempts)
DeviceProcessEvents
| where FileName =~ "consent.exe"
| summarize PromptCount = count() by DeviceName, bin(Timestamp, 1h)
| where PromptCount > 20
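The same three checks as the Sigma rule and KQL queries above (image path, parent process, prompts per host per hour), applied offline to exported process-creation events. This is an added example, not part of the original page; it assumes Sysmon Event ID 1 field names (Computer, UtcTime, Image, ParentImage, ParentCommandLine), and the host names and events in `sample_events()` are constructed.

```python
from collections import Counter
from ntpath import normcase, normpath

EXPECTED_IMAGE = normcase(r"C:\Windows\System32\consent.exe")
EXPECTED_PARENT = normcase(r"C:\Windows\System32\svchost.exe")
PROMPT_THRESHOLD = 20  # prompts per host per hour, as in the KQL query above

def norm(path):  # lower-case and collapse '..' so path variants compare equal
    return normcase(normpath(path))

def triage(events, threshold=PROMPT_THRESHOLD):
    """Return (per-event findings, host/hour buckets over the threshold).
    UtcTime looks like '2026-01-12 09:14:03.120'; its first 13 chars give the hour."""
    findings, per_hour = [], Counter()
    for ev in events:
        image = norm(ev["Image"])
        if not image.endswith("\\consent.exe"):
            continue
        reasons = []
        if image != EXPECTED_IMAGE:
            reasons.append("wrong location")
        if (norm(ev["ParentImage"]) != EXPECTED_PARENT
                or "netsvcs" not in ev["ParentCommandLine"].lower()):
            reasons.append("wrong parent")
        if reasons:
            findings.append((ev["Computer"], ev["Image"], reasons))
        per_hour[(ev["Computer"], ev["UtcTime"][:13])] += 1
    noisy = {k: n for k, n in per_hour.items() if n > threshold}
    return findings, noisy

def sample_events():
    """Constructed events (not real telemetry) using Sysmon Event ID 1 field names."""
    svchost = (r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p")
    def ev(host, time, image, parent=svchost):
        return {"Computer": host, "UtcTime": time, "Image": image,
                "ParentImage": parent[0], "ParentCommandLine": parent[1]}
    events = [
        ev("WS01", "2026-01-12 09:14:03.120", r"C:\WINDOWS\system32\consent.exe"),
        ev("WS02", "2026-01-12 09:20:41.007", r"C:\Users\Public\consent.exe",
           (r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe")),
        ev("WS03", "2026-01-12 10:02:11.500", r"C:\Windows\System32\consent.exe",
           (r"C:\Windows\System32\cmd.exe", "cmd.exe /c consent.exe")),
    ]
    # 21 normal-looking prompts on one host within the same hour
    events += [ev("WS04", f"2026-01-12 11:{m:02d}:00.000", r"C:\Windows\System32\consent.exe")
               for m in range(21)]
    return events

if __name__ == "__main__":
    print(triage(sample_events()))
```

Because paths are normalized before comparison, a differently cased System32 path is not flagged, while a path that only resolves outside System32 after `..` is collapsed is.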
Remediation Steps
Verification
# Check consent.exe instances
Get-Process consent -ErrorAction SilentlyContinue | ForEach-Object {
    [PSCustomObject]@{
        PID       = $_.Id
        Path      = $_.Path
        ParentPID = (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)").ParentProcessId
    }
}

# Verify signature
Get-AuthenticodeSignature "C:\Windows\System32\consent.exe"
UAC Hardening
# Set UAC to highest level
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Set-ItemProperty -Path $regPath -Name ConsentPromptBehaviorAdmin -Value 2
Set-ItemProperty -Path $regPath -Name PromptOnSecureDesktop -Value 1
Monitoring
| Control | Implementation |
|---|---|
| High UAC level | Always notify |
| Secure desktop | Enable prompt on secure desktop |
| Monitoring | Log elevation requests |
Investigation Checklist
Process Verification
- Is consent.exe in System32?
- Is parent svchost (appinfo)?
- Proper Microsoft signature?
- Running on secure desktop?
Activity Analysis
- What triggered the UAC prompt?
- Which application requested elevation?
- Is the request legitimate?
- User interaction normal?
Bypass Check
- UAC bypass attempts detected?
- Auto-elevation abuse?
- Environment manipulation?
Spoofing Check
- Any fake UAC dialogs?
- Credential harvesting attempts?
- Social engineering indicators?