# Windows Privilege Escalation

## Automated Enumeration

```bash
git clone https://github.com/pentestmonkey/windows-privesc-check.git

windows-privesc-check2.exe -h
# dump all information categories (-G) instead of only flagged issues
windows-privesc-check2.exe --dump -G
```

## Information Gathering

### What's the OS? What version? What architecture?

```bash
systeminfo

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```

### Who are we? Where are we?

```bash
whoami
net user <username>
dir
```

### Who uses the box? What users? (And which ones have a valid shell)

```bash
whoami /groups
net user
```

### What's currently running on the box? What active network services are there?

```bash
tasklist /SVC

ipconfig /all
route print
netstat -ano
```

### What's installed? Which hotfixes are applied?

```bash
dir "C:\Program Files"
dir "C:\Program Files (x86)"

# installed software (MSI-registered products only)
wmic product get name, version, vendor

# installed hotfixes, useful for deciding which kernel/OS patches are missing
wmic qfe get Caption, Description, HotFixID, InstalledOn
```

## Check Scheduled Tasks

```bash
schtasks /query /fo LIST /v
```

## Readable/Writable Files and Directories

```bash
# -u suppress errors, -w writable objects only, -s recurse
accesschk.exe -uws "Everyone" "C:\Program Files"
# PowerShell alternative: match ACL text for Modify rights granted to Everyone
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
```
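The `AccessToString` regex above only catches one spelling of one right. The following function is an added example (not part of the original notes); it walks a tree and reports every Allow ACE that grants a write-class right to a broad principal, using the typed `Access` entries instead of text matching. The principal list is an assumption, so adjust it to the host.

```powershell
function Find-WritableByLowPrivilege {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed set of "anyone can use this" principals; extend as needed
        [string[]] $Principals = @('Everyone', 'BUILTIN\Users',
                                   'NT AUTHORITY\Authenticated Users')
    )
    # Any one of these rights lets a low-privilege account alter the object
    # (replace a binary, drop a DLL, or change the ACL itself)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # no read access to the DACL, skip
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # FileSystemRights is a flags enum; raw generic rights (e.g. 0x40000000)
            # are not in the mask and are deliberately left out of this check
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
      }
}

# Audit the usual service-binary locations
Find-WritableByLowPrivilege -Path 'C:\Program Files' | Format-Table -AutoSize
```

Inherited entries usually point at a misconfigured parent directory, so fix the ACL at the top of the tree rather than on each reported file.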

## Check Users Privilege

```bash
net localgroup administrators
```

## Add Local Admin User

```bash
net user /add pentest Pass
net localgroup administrators pentest /add
```

## Run CMD as Admin

```bash
powershell.exe Start-Process cmd.exe -Verb runAs
```

## Binaries That AutoElevate

```bash
# search string values under HKLM for "pass" (stored credentials)
reg query HKLM /f pass /t REG_SZ /s

# AlwaysInstallElevated: MSI packages run as SYSTEM only when the value is 1 under BOTH keys
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
```

## Device Drivers and Kernel Modules

```powershell
powershell
# loaded drivers with their start mode and on-disk path
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
# signed PnP drivers, filtered here to the VMware ones as an example
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
```
