Windows Privilege Escalation
The Windows Challenge
Privilege escalation on Windows is far from straightforward. Unlike Linux's relatively clean and predictable permission model, Windows presents a layered and often opaque environment, closer to navigating a corporate bureaucracy: there are official mechanisms, hidden loopholes, and controls such as UAC that are frequently misconfigured or bypassed. Note that Microsoft does not treat UAC as a security boundary, so a UAC bypass from a filtered administrator token is not serviced as a vulnerability; the boundaries that matter are between unprivileged users and Administrators/SYSTEM, and between a host and the domain.
Why Windows Is Unique
Windows security relies on a broad set of components: services, access tokens and their privileges, the registry, scheduled tasks, and file and object ACLs. Each of these serves a legitimate purpose, but a single misconfiguration (a service binary writable by Users, an unquoted service path, a task running as SYSTEM from a user-writable location, an over-privileged token) turns it into an escalation vector. The abundance of background services, legacy features, and GUI-based utilities also makes the attack surface considerably larger than on more minimal systems.
Typical Entry Points
Most Windows privilege escalation scenarios begin with limited access:
A standard user account
A compromised service account
A web application context (e.g., IIS APPPOOL\...)
From there, the goal is to elevate to a full (non-UAC-filtered) local Administrator token, to SYSTEM, or on to domain-level privileges.
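As an added example that is not part of the original page, the PowerShell below is a read-only first pass over the components named above (token privileges and group state, service binaries and unquoted paths, scheduled-task actions, and the AlwaysInstallElevated policy), run from whichever limited context you landed in. It uses only built-in cmdlets and `whoami`; the writability test is an ACL heuristic (Allow ACEs only, matched against the current token's user and enabled groups), so every line it prints is a lead to verify by hand, not proof of exploitability.

```powershell
# Added example, not from the original page. Read-only: enumerates likely escalation leads
# in the current (low-privileged) context. Heuristic ACL matching; verify each hit manually.
$ErrorActionPreference = 'SilentlyContinue'

# --- Token: who we are, which groups are enabled, which privileges the token carries ---
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($id.User) + @($id.Groups) | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value }
}
"[token] running as $($id.Name)"

# whoami /groups shows deny-only groups that WindowsIdentity.Groups filters out (UAC split token)
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $groups | Where-Object SID -eq 'S-1-5-32-544'
if ($admins) {
    if ($admins.Attributes -match 'deny') {
        "[token] Administrators present but deny-only: UAC-filtered token (bypass/consent, not a true escalation)"
    } else { "[token] Administrators group enabled: already elevated" }
}

# Privileges worth noting even when State=Disabled, since the holder can enable them
$interesting = 'SeImpersonatePrivilege','SeAssignPrimaryTokenPrivilege','SeBackupPrivilege',
               'SeRestorePrivilege','SeDebugPrivilege','SeTakeOwnershipPrivilege',
               'SeLoadDriverPrivilege','SeManageVolumePrivilege'
whoami /priv /fo csv | ConvertFrom-Csv | Where-Object { $interesting -contains $_.'Privilege Name' } |
    ForEach-Object { "[token] $($_.'Privilege Name') ($($_.State))" }

# --- ACL heuristic: can one of our identities write/replace this file or create in this dir? ---
$writeMask = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
function Test-WritableByMe {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }          # Deny ACEs ignored (heuristic)
        if ($myNames -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Pull the executable out of a service command line ("C:\x y\a.exe" -arg  or  C:\x y\a.exe -arg)
function Get-ExePathFromCommand {
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return ($c -split ' ')[0] }
}

# For an unquoted "C:\Program Files\My App\svc.exe" the loader tries C:\Program.exe, then
# "C:\Program Files\My.exe", ... so the directories that matter are C:\ and C:\Program Files.
function Get-UnquotedPathDropDirs {
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    $dirs = for ($i = 1; $i -lt $parts.Length; $i++) {
        Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
    }
    $dirs | Select-Object -Unique
}

# --- Services: unquoted paths with a writable drop directory, or a writable binary ---
foreach ($svc in Get-CimInstance Win32_Service) {
    $cmd = $svc.PathName
    if (-not $cmd) { continue }
    $exe = Get-ExePathFromCommand $cmd
    if (-not $cmd.Trim().StartsWith('"') -and $exe -match ' ') {
        $writableDirs = Get-UnquotedPathDropDirs $exe | Where-Object { Test-WritableByMe $_ }
        if ($writableDirs) {
            "[svc] $($svc.Name): unquoted path '$cmd' and writable drop dir(s): $($writableDirs -join ', ') (RunAs=$($svc.StartName), Start=$($svc.StartMode))"
        }
    }
    if (Test-WritableByMe $exe) {
        "[svc] $($svc.Name): binary writable by current user: $exe (RunAs=$($svc.StartName))"
    }
}

# --- Scheduled tasks: action binary writable by us, run as someone else ---
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }                           # non-exec action types
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (Test-WritableByMe $exe) {
            "[task] $($task.TaskPath)$($task.TaskName): writable action $exe (RunAs=$($task.Principal.UserId))"
        }
    }
}

# --- Registry: AlwaysInstallElevated needs both HKLM and HKCU set to 1 to matter ---
$aieKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hklm = (Get-ItemProperty -Path "HKLM:\$aieKey" -Name AlwaysInstallElevated).AlwaysInstallElevated
$hkcu = (Get-ItemProperty -Path "HKCU:\$aieKey" -Name AlwaysInstallElevated).AlwaysInstallElevated
if ($hklm -eq 1 -and $hkcu -eq 1) { "[reg] AlwaysInstallElevated=1 in HKLM and HKCU: MSI packages install as SYSTEM" }
```

Save it as a `.ps1` and run it from the limited shell (an IIS app pool or service account context included); it writes nothing and changes no state, so it is also a reasonable baseline check for defenders. Because the ACL check ignores Deny ACEs and inherited-rights subtleties, confirm a hit by actually attempting the write (for example creating a file in the reported drop directory) before building on it.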
What This Section Covers
This guide explores the most common and effective privilege escalation techniques used in real-world Windows environments. Each topic is covered in its own subpage, including:
Each topic includes practical examples, indicators to look for during enumeration, and potential detection or mitigation notes where applicable.