🛠️ Command

Check User Privileges
List the privileges assigned to the current user token.
whoami /priv

Enumerate Unquoted Service Paths
List auto-start services outside C:\Windows whose path lacks quotation marks; the entries with spaces in their path are the findings.
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Check Service Permissions (Accesschk)
Verify whether the given user has write access to a service's configuration (-c treats the name as a Windows service).
accesschk.exe /accepteula -uwcqv {{username}} {{service_name}}

Check AlwaysInstallElevated Registry Key
Determine if the system is configured to install MSI packages with SYSTEM privileges.
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Search for Unattended Install Files
Look for passwords in XML files used during automated Windows deployments.
dir /s /b C:\unattend.xml
dir /s /b C:\sysprep.inf
dir /s /b C:\sysprep\sysprep.xml

📝 Description
Manual techniques for discovering privilege escalation vulnerabilities in Windows environments.
Windows escalation paths frequently involve service misconfigurations (Unquoted Paths, Weak Permissions), insecure registry settings (AlwaysInstallElevated), or sensitive data left in deployment files (Unattend.xml). These commands provide a surgical approach to finding ‘SYSTEM’ or ‘Administrator’ access without relying solely on automated scripts.
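
The unquoted-path and AlwaysInstallElevated checks above, as an added PowerShell audit example that is not part of the original page: it tests for a space in the executable portion of an unquoted path (which the findstr pipeline does not) and reports AlwaysInstallElevated as in effect only when both hives hold the value 1. The function names and the three sample service rows are constructed for illustration; Get-CimInstance and Get-ItemProperty are the standard cmdlets.

```powershell
# Added example, not from the original page. Function names are hypothetical.

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }   # quoted: parsed unambiguously
    # Isolate the executable portion (up to the first ".exe"), ignoring arguments.
    $m = [regex]::Match($p, '(?i)^(.+?\.exe)\b')
    if (-not $m.Success) { return $false }
    return $m.Groups[1].Value.Contains(' ')     # a space before .exe is the finding
}

function Test-AlwaysInstallElevated {
    # The policy is only in effect when BOTH hives hold the value 1.
    param($Hklm, $Hkcu)
    return (($Hklm -eq 1) -and ($Hkcu -eq 1))
}

function Get-InstallerPolicyValue {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($item) { $item.AlwaysInstallElevated } else { $null }   # $null = value not set
}

# Constructed sample rows so the script runs anywhere; on a live host use instead:
#   $services = Get-CimInstance Win32_Service | Select-Object Name, StartMode, PathName
$services = @(
    [pscustomobject]@{ Name = 'SampleAgent';  StartMode = 'Auto';   PathName = 'C:\Program Files\Sample Vendor\agent.exe --service' }
    [pscustomobject]@{ Name = 'SampleQuoted'; StartMode = 'Auto';   PathName = '"C:\Program Files\Sample Vendor\quoted.exe" -k' }
    [pscustomobject]@{ Name = 'SampleHost';   StartMode = 'Manual'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

# Only SampleAgent is reported: unquoted, with a space before the .exe.
$services |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartMode, PathName |
    Format-Table -AutoSize

$enabled = Test-AlwaysInstallElevated (Get-InstallerPolicyValue HKLM) (Get-InstallerPolicyValue HKCU)
"AlwaysInstallElevated in effect: $enabled"
```

A flagged service is remediated by wrapping the executable path in its ImagePath registry value in quotation marks; AlwaysInstallElevated is cleared by removing the policy value or setting it to 0.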