Windows privilege escalation is how an attacker goes from a standard user to SYSTEM or local Administrator. The frequent paths are token-impersonation privileges (SeImpersonate) abused through Potato attacks, weak service permissions, unquoted service paths, the AlwaysInstallElevated policy, DLL hijacking, and UAC bypasses. As on Linux, it is mostly enumeration: list privileges, services, and writable locations until a path to SYSTEM appears. Scripts like winpeas automate the sweep.
The goal: become SYSTEM
On Windows the most powerful local account is NT AUTHORITY\SYSTEM, even higher than a normal administrator. An attacker with a limited shell wants SYSTEM so they can dump credentials (the SAM and LSASS), install persistence, and pivot.
Windows escalation leans heavily on privileges, services, and how programs find the files they load.
The common escalation paths
The recurring Windows privesc vectors, each with its own page:
- SeImpersonatePrivilege: a privilege common on service accounts. Details.
- Potato attacks: tools that turn SeImpersonate into SYSTEM. Details.
- Weak service permissions: a service you can reconfigure. Details.
- Unquoted service paths: a path with spaces that lets you plant an executable. Details.
- AlwaysInstallElevated: MSI packages that install as SYSTEM. Details.
- DLL hijacking: a program loading a DLL from a writable path. Details.
- UAC bypass: elevating without a prompt. Details.
- Dangerous privileges: SeBackup, SeRestore, SeDebug and more. Details.
Enumeration: where it starts
Windows escalation starts by listing privileges, services, and writable spots. Common first commands:
- whoami /priv to list the current token's privileges
- whoami /groups for group membership
- wmic service get name,pathname,startmode to find service paths
- systeminfo to check the patch level
- check writable service binaries and the HKLM/HKCU install policy (AlwaysInstallElevated)
The PEAS script winpeas automates this. The skill is spotting which privilege or service actually reaches SYSTEM.
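An added audit script, not part of the original page, that checks two of the vectors listed above from the defender's side: whether AlwaysInstallElevated is set in both the HKLM and HKCU hives, and which services outside the Windows directory start from an unquoted path containing spaces. It assumes a PowerShell session on the host being reviewed; the function names are hypothetical.

```powershell
# Added audit example (not from the original page). Flags two of the
# misconfigurations discussed above so they can be remediated.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH keys are set to 1.
    # Note: HKCU is the hive of whoever runs this script.
    $key = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$key" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$key" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    return ($hklm -eq 1 -and $hkcu -eq 1)
}

function Get-UnquotedServicePath {
    # An unquoted binary path with spaces is resolved segment by segment
    # by the Service Control Manager, so every intermediate directory
    # must not be writable by ordinary users. Services under the Windows
    # directory are skipped because those directories are ACL-protected.
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\' -and
            ($_.PathName -split '\.exe')[0] -match ' '
        } |
        Select-Object Name, StartMode, PathName
}

if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKLM and HKCU: disable the policy.'
} else {
    Write-Output 'AlwaysInstallElevated: not enabled.'
}

$unquoted = Get-UnquotedServicePath
if ($unquoted) {
    Write-Warning 'Unquoted service paths with spaces (quote the ImagePath or fix directory ACLs):'
    $unquoted | Format-Table -AutoSize
} else {
    Write-Output 'Unquoted service paths: none found.'
}
```

The unquoted-path check only reports candidates; whether one is actually exploitable depends on the ACLs of each directory in the path, which is the next thing to verify.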