
Comments (5)

itm4n commented on July 22, 2024

Thanks for the information.

On the other hand, it might be an actual vulnerability.
From my understanding of Windows in general, I believe that normal users should not have write access in C:\Program Files\. If a program that is installed under C:\Program Files\ needs to manipulate some files/data, or if normal users need to manipulate these files, it should have a dedicated folder in C:\ProgramData\.

That's typically the case of the USO service with the USOShared and the USOPrivate folders. One is solely used by SYSTEM whereas the other one is used by normal users. And they are configured with proper ACLs.

If the *.etl files you found in this folder are owned by SYSTEM, it might be the first sign that privileged operations may occur in this folder. Anyway, from my standpoint, this is a misconfiguration that requires further investigation so I won't update the script for now.

Besides, it wouldn't be the first time this script finds a 0-day... :P

from privesccheck.
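The check itm4n describes (write access for unprivileged groups on a folder under C:\Program Files, plus the owner of the files inside it), as an added PowerShell example that is not PrivescCheck's own code. The default path is an assumption pieced together from the thread's mentions of UNP\CampaignManager and \Logs; pass any folder via -Path.

```powershell
# Added example, not PrivescCheck's own code: audit a folder's DACL for write
# rights granted to unprivileged well-known groups and report who owns its files.
# The default path is assumed from the thread (UNP\CampaignManager, \Logs);
# it does not exist on every host.
param(
    [string]$Path = "C:\Program Files\UNP\CampaignManager\Logs"
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "$Path does not exist on this host; nothing to check."
    return
}

# Well-known SIDs every standard user belongs to (membership implies no privilege).
$LowPrivSids = @{
    "S-1-1-0"      = "Everyone"
    "S-1-5-11"     = "Authenticated Users"
    "S-1-5-32-545" = "BUILTIN\Users"
}

# Access-mask bits that let a principal add, alter or delete content, or change
# the ACL itself. FullControl and Modify both contain these bits. The generic bits
# (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) cover un-mapped inherited ACEs.
$WriteBits = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x10000000 -bor 0x40000000

$acl = Get-Acl -LiteralPath $Path
# Resolve identities to SIDs so the check does not depend on localized group names.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    if ($rule.AccessControlType -ne 'Allow' -or -not $LowPrivSids.ContainsKey($sid)) { continue }
    if (([int]$rule.FileSystemRights -band $WriteBits) -eq 0) { continue }
    [pscustomobject]@{
        Principal = $LowPrivSids[$sid]
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited   # explicit ACE on this folder vs. inherited from a parent
    }
}

if ($findings) {
    Write-Output "Owner of ${Path}: $($acl.Owner)"
    $findings | Format-Table -AutoSize
    # Files owned by SYSTEM inside a user-writable folder are the sign mentioned above:
    # a privileged process writes here, so the ACL deserves a closer look.
    Get-ChildItem -LiteralPath $Path -Filter *.etl -File |
        Select-Object Name, @{n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner }}
} else {
    Write-Output "No write access for unprivileged groups on $Path."
}
```

An ACE reported with Inherited = False was set on this folder itself, which is the misconfiguration case the thread discusses; an inherited one points at a weak ACL further up the tree.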

Acebond commented on July 22, 2024

I just checked my daily driver host and that folder did not exist. I assume because I unticked everything (all the tracking/ads/Cortana/etc.) during install, so I created a VM with everything ticked and still didn't have that folder. I'm guessing it'll show up after some use (hopefully idle), will see.


itm4n commented on July 22, 2024

Hmm... that's weird...
It looks like "Everyone" has "Full Control" on this folder.

I checked on my laptop but it doesn't even exist.
I'll have to check on my virtual machines.


wdormann commented on July 22, 2024

Yeah, best I can tell is that UNP is related to the ads that Microsoft can push out on a Windows 10 platform.
https://sensorstechforum.com/unp-campaign-manager/
https://answers.microsoft.com/en-us/windows/forum/windows_10-files-winpc/what-is-unp-campaignmanager-and-how-did-it-get-on/19e663b5-4e62-42b8-b364-5b1a514300ab

Most of my VMs have it. But a clean install right off of the ISO doesn't have it. So perhaps it only arrives after a system has been in use for a while.

The \Logs directory contents are only numbered files starting with:

  • UniversalNotificationPlatform.001.etl
  • UpdateNotificationPipeline.001.etl

Despite having a world-writable subdirectory in C:\Program Files, it's not immediately obvious to me how it may lead to privilege escalation. So despite it not being 100% clear why it's there (and why it's not on 100% of Win10 systems), it may be useful to mute its output in your tool to help minimize false positives.


itm4n commented on July 22, 2024

Conclusion:

  • This folder is not present on a default installation of Windows 10.
  • This is just an INFO check.

My decision is to leave the script as is for now. Perhaps I'll reconsider this later. You never know... :)

