# Checklist - Local Windows Privilege Escalation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)

### [System Info](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#system-info)

* [ ] Obtain [**System information**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#system-info)
* [ ] Search for **kernel** [**exploits using scripts**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#version-exploits)
* [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits**
* [ ] Interesting info in [**env vars**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#environment)?
* [ ] Passwords in [**PowerShell history**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#powershell-history)?
* [ ] Interesting info in [**Internet settings**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#internet-settings)?
* [ ] [**Drives**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#drives)?
* [ ] [**WSUS exploit**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#wsus)?
* [ ] [**AlwaysInstallElevated**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#alwaysinstallelevated)?

### [Logging/AV enumeration](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#enumeration)

* [ ] Check [**Audit**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#audit-settings) and [**WEF**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#wef) settings
* [ ] Check [**LAPS**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#laps)
* [ ] Check if [**WDigest**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#wdigest) is active
* [ ] [**LSA Protection**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#lsa-protection)?
* [ ] [**Credentials Guard**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#credentials-guard)?
* [ ] [**Cached Credentials**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#cached-credentials)?
* [ ] Check if there is any [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
* [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
* [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
* [ ] [**User Privileges**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#users-and-groups)
* [ ] Check [**current** user **privileges**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#users-and-groups)
* [ ] Are you [**member of any privileged group**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#privileged-groups)?
* [ ] Check if you have [any of these tokens enabled](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege**?
* [ ] [**Users Sessions**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#logged-users-sessions)?
* [ ] Check [**users homes**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#home-folders) (access?)
* [ ] Check [**Password Policy**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#password-policy)
* [ ] What is [**inside the Clipboard**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#get-the-content-of-the-clipboard)?

### [Network](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#network)

* [ ] Check **current** [**network** **information**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#network)
* [ ] Check for **hidden local services** that are not exposed to the outside

### [Running Processes](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#running-processes)

* [ ] Process binaries [**file and folder permissions**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#file-and-folder-permissions)
* [ ] [**Memory Password mining**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#memory-password-mining)
* [ ] [**Insecure GUI apps**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#insecure-gui-apps)
* [ ] Steal credentials with **interesting processes** via `ProcDump.exe`? (firefox, chrome, etc.)

### [Services](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#services)

* [ ] [Can you **modify any service**?](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#permissions)
* [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#modify-service-binary-path)
* [ ] [Can you **modify** the **registry** of any **service**?](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#services-registry-modify-permissions)
* [ ] [Can you take advantage of any **unquoted service** binary **path**?](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#unquoted-service-paths)

### [**Applications**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#applications)

* [ ] **Write** [**permissions on installed applications**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#write-permissions)
* [ ] [**Startup Applications**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#run-at-startup)
* [ ] **Vulnerable** [**Drivers**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#drivers)

### [DLL Hijacking](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#path-dll-hijacking)

* [ ] Can you **write in any folder inside PATH**?
* [ ] Is there any known service binary that **tries to load any non-existent DLL**?
* [ ] Can you **write** in any **binaries folder**?

### [Network](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#network)

* [ ] Enumerate the network (shares, interfaces, routes, neighbours, ...)
* [ ] Take a special look at network services listening on localhost (127.0.0.1)

### [Windows Credentials](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#windows-credentials)

* [ ] [**Winlogon**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#winlogon-credentials) credentials
* [ ] [**Windows Vault**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#credentials-manager-windows-vault) credentials that you could use?
* [ ] Interesting [**DPAPI credentials**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#dpapi)?
* [ ] Passwords of saved [**Wifi networks**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#wifi)?
* [ ] Interesting info in [**saved RDP Connections**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#saved-rdp-connections)?
* [ ] Passwords in [**recently run commands**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#recently-run-commands)?
* [ ] [**Remote Desktop Credentials Manager**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#remote-desktop-credential-manager) passwords?
* [ ] [**AppCmd.exe** exists](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#appcmd-exe)? Credentials?
* [ ] [**SCClient.exe**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#scclient-sccm)? DLL Side Loading?

### [Files and Registry (Credentials)](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#files-and-registry-credentials)

* [ ] **Putty:** [**Creds**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#putty-creds) **and** [**SSH host keys**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#putty-ssh-host-keys)
* [ ] [**SSH keys in registry**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#ssh-keys-in-registry)?
* [ ] Passwords in [**unattended files**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#unattended-files)?
* [ ] Any [**SAM & SYSTEM**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#sam-and-system-backups) backup?
* [ ] [**Cloud credentials**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#cloud-credentials)?
* [ ] [**McAfee SiteList.xml**](https://angelica.gitbook.io/hacktricks/windows-hardening/pages/D15J0RO85P6PF96Fv6fb#mcafee-sitelist.xml) file?
* [ ] [**Cached GPP Password**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#cached-gpp-pasword)?
* [ ] Password in [**IIS Web config file**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#iis-web-config)?
* [ ] Interesting info in [**web** **logs**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#logs)?
* [ ] Do you want to [**ask the user for credentials**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#ask-for-credentials)?
* [ ] Interesting [**files inside the Recycle Bin**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#credentials-in-the-recyclebin)?
* [ ] Other [**registry keys containing credentials**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#inside-the-registry)?
* [ ] Inside [**Browser data**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#browsers-history) (dbs, history, bookmarks, ...)?
* [ ] [**Generic password search**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#generic-password-search-in-files-and-registry) in files and registry
* [ ] [**Tools**](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#tools-that-search-for-passwords) to automatically search for passwords

### [Leaked Handlers](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#leaked-handlers)

* [ ] Do you have access to any handle of a process run by an administrator?

### [Pipe Client Impersonation](/hacktricks/windows-hardening/windows-local-privilege-escalation.md#named-pipe-client-impersonation)

* [ ] Check if you can abuse it
