Privilege Escalation - Windows Enumeration


Consider using winPEAS (e.g. winPEASany.exe from the releases).

Users and Groups

net user <username> # details about the user
net user # list of all users

whoami /priv # checks the privileges
whoami /groups # checks the groups (and integrity levels)

net localgroup Administrators # shows users in the local group Administrators

System Information

systeminfo # show all
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" # show most important

Running Processes and Services

tasklist /SVC # list of processes mapped to specific services

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} # a more powerful example using powershell

wmic service where caption="Serviio" get name, caption, state, startmode # checks the start mode of a service (Auto means it starts at boot)

File Permissions

icacls "<exe file>" # checks the permissions

# Mask Permissions
# F Full access
# M Modify access
# RX Read and execute access
# R Read-only access
# W Write-only access

Networking Information

ipconfig /all # list all network interfaces
route print # print routing tables
netstat -ano # show active network connections

Firewall Status and Rules

netsh advfirewall show currentprofile # inspect the current firewall profile
netsh advfirewall firewall show rule name=all # list firewall rules

Scheduled Tasks

schtasks.exe /query /fo LIST /v # list of scheduled tasks

Installed Applications and Patch Levels

wmic product get name, version, vendor # returns list of applications installed with windows installer. Note: it needs to be executed from cmd, not powershell
wmic qfe get Caption, Description, HotFixID, InstalledOn # list of windows updates

.\seatbelt.exe NonstandardProcesses

.\winPEASany.exe quiet processinfo

Readable/Writable Files and Directories

accesschk.exe -uws "Everyone" "C:\Program Files" # recursively (-s) lists files under C:\Program Files that Everyone can write to (-w), suppressing errors (-u)

Get-ChildItem "C:\Program Files\" -Recurse | Get-Acl | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"} # same as accesschk.exe but in powershell

Unmounted Disks

mountvol # lists all drives

Device Drivers and Kernel Modules

driverquery /v /fo csv | ConvertFrom-Csv | Select-Object 'Display Name', 'Start Mode', Path # in powershell list of loaded drivers and kernel modules

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer |  Where-Object {$_.DeviceName -like "*VMware*"} # version of a driver

Binaries That Auto Elevate

Check if AlwaysInstallElevated registry key is set to 1 in HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, which means that the user can always run the Windows Installer with elevated privileges.

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer # check the user hive
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer # check the machine hive as well

Example of an auto-elevating binary: C:\Windows\System32\fodhelper.exe

Unquoted paths

Show services with unquoted paths:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | find /i /v """

Check whether those intermediate paths exist, because Windows resolves an unquoted path in this order, trying each candidate before the real binary:

C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe
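As an added audit example (not part of the original cheatsheet), the Python below reproduces the resolution order above for constructed sample service records, mirroring the findstr chain (auto-start, outside C:\Windows, unquoted) and listing every candidate path whose permissions should be checked with icacls. It goes slightly beyond the list above by also including the C:\Program.exe candidate, which Windows tries first.

```python
import re

# Constructed sample records, mimicking the columns of
# "wmic service get name,pathname,startmode" (not output from any real host).
SAMPLE_SERVICES = [
    {"Name": "MyService", "StartMode": "Auto",
     "PathName": r"C:\Program Files\My Program\My service\service.exe"},
    {"Name": "SafeService", "StartMode": "Auto",
     "PathName": r'"C:\Program Files\Safe Vendor\safe.exe" -run'},
    {"Name": "Spooler", "StartMode": "Auto",
     "PathName": r"C:\Windows\System32\spoolsv.exe"},
    {"Name": "ManualSvc", "StartMode": "Manual",
     "PathName": r"C:\Program Files\Other Vendor\other.exe"},
]


def unquoted_path_candidates(pathname):
    """Return, in order, every file CreateProcess would try for an unquoted
    service path containing spaces. A quoted path or a path without spaces
    returns [] because there is nothing ambiguous to resolve."""
    path = pathname.strip()
    if path.startswith('"'):
        return []
    # Drop any arguments: keep everything up to and including the first ".exe".
    end = path.lower().find(".exe")
    if end == -1:
        return []
    exe = path[:end + 4]
    tokens = exe.split(" ")
    if len(tokens) == 1:
        return []
    # Every space may end the program name, so "<prefix>.exe" is tried at
    # each split before the real binary is reached.
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))] + [exe]


def find_unquoted_services(services):
    """Auto-start services outside the Windows directory with an unquoted
    path. Returns {service name: [candidate paths to audit with icacls]}."""
    findings = {}
    for svc in services:
        if svc["StartMode"].lower() != "auto":
            continue
        if re.match(r"^c:\\windows\\", svc["PathName"].strip().strip('"'), re.I):
            continue
        candidates = unquoted_path_candidates(svc["PathName"])
        if candidates:
            findings[svc["Name"]] = candidates
    return findings


if __name__ == "__main__":
    for name, paths in find_unquoted_services(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted path, check write access on:")
        for p in paths:
            print("    " + p)
```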
List all files and folders

cmd /c dir /b /a /s C:\ > <output_file.txt>

Shutdown now

shutdown /r /t 0 # restarts the system now

Use Windows Privesc Check

windows-privesc-check2.exe -h # check for help and all options
windows-privesc-check2.exe --dump -G # lists groups

Process manifest using Sysinternals

sigcheck.exe -a -m <application> # e.g. C:\Windows\System32\fodhelper.exe

# Look for binaries whose manifest has 'requireAdministrator' and 'autoElevate' set to 'true'

Escalate from an admin user to full SYSTEM privileges:

.\PsExec(64).exe -accepteula -i -s C:\<your_binary>

Low-hanging fruits

VNC server

A VNC server may be installed on the host, and its configuration may hold stored passwords.