UPDATE: THIS IS ONLY WORKS WITH THE LOCAL ADMIN (ID 500) ACCOUNT AND PASSWORD

(MY MISTAKE FOR NOT TESTING MORE)

So the “-ish” is you need to have the username and pass of another account that has administrator rights the local administrator account on that box. But other than that, the following image should speak for itself. (no UAC prompt occurred during the following actions)

I plan on writing a Metasploit module to do this as all it really does is starts a process as a different user and that process executes ShellExecute’s ‘RunAs’ verb. But until then, get CPAU here:

http://www.joeware.net/freetools/tools/cpau/

and Elevate here: http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

and doing it manually with built in Windows Kung-Fu: