Windows Enumeration


When it comes to ethical hacking and penetration testing, one of the key objectives is privilege escalation. Gaining administrative access to a Windows system is often the ultimate goal, and to achieve this, you need a deep understanding of the system and its vulnerabilities. In this guide, we will explore the essential techniques and commands for Windows privilege escalation, giving you a better understanding of the Windows environment and how to elevate your privileges.

Basic Information
Before we delve into the techniques for privilege escalation, let's start with some basic information about Windows security elements that will be crucial throughout the process.

 1. Security Identifier (SID)

In Windows, the Security Identifier (SID) is a unique identifier for user and group accounts. Windows uses SIDs to identify principals for access control management. This means that when you're looking to exploit a system, understanding SIDs can be crucial.

 2. Access Token

An access token contains information about the user and the user's group memberships. It's used to control access to securable objects and operations.

 3. Mandatory Integrity Control

Mandatory Integrity Control is a security feature that enforces mandatory access controls based on integrity levels. Understanding integrity levels is essential for privilege escalation.

 4. User Account Control (UAC)

User Account Control is a security feature introduced in Windows to improve security. It helps protect the system from unauthorized changes.

 5. Well-Known SIDs on Local Machines
  • S-1-0-0: Nobody
  • S-1-1-0: Everybody
  • S-1-5-11: Authenticated Users
  • S-1-5-18: Local System
  • S-1-5-domainidentifier-500: Administrator
These well-known SIDs are important to identify various system users and groups, which can be targeted during privilege escalation.

 6. Integrity Levels

Understanding integrity levels is crucial. Here are the primary integrity levels you'll encounter:
  • System: For SYSTEM (kernel, etc.)
  • High: For elevated users
  • Medium: For standard users
  • Low: For very restricted rights, often used in sandboxed processes or for directories storing temporary data

 7. Remote Desktop and WinRM

Members of the "Remote Desktop Users" group can access the system using RDP, while members of the "Remote Management Users" group can access it with WinRM.

Situational Awareness

Before escalating privileges, you need to gather information about the system you're targeting. Here are the key elements to consider:
  • Username and hostname
  • Group memberships of the current user
  • Existing users and groups
  • Operating system, version, and architecture
  • Network information
  • Installed applications
  • Running processes

Obtaining Username and Hostname

To get the current username and hostname, use the following commands:

whoami

hostname


Group Memberships of the User

To retrieve information about the group memberships of the current user, use:

whoami /groups
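
The SID, integrity-level and group concepts above all show up in this one command's output. The following added example (not part of the original guide) parses `whoami /groups /fo csv /nh` and reports the token's integrity level and whether the Administrators, Remote Desktop Users or Remote Management Users groups are present. The function name `Get-TokenSummary`, the S-1-16-* label SIDs and the S-1-5-32-* alias SIDs are not from the page, and the sample rows are constructed.

```powershell
$IntegrityLevels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}
$NotableGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-580' = 'Remote Management Users'
}

function Get-TokenSummary {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # /nh drops the header row; naming the columns here avoids localized headers.
    $rows  = $CsvLines | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $label = $rows | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1
    $groups = foreach ($row in $rows) {
        if ($NotableGroups.ContainsKey($row.Sid)) {
            [pscustomobject]@{
                Group    = $NotableGroups[$row.Sid]
                # Assumption: English attribute text. A UAC-filtered token lists
                # Administrators as deny-only, so the membership grants nothing yet.
                DenyOnly = $row.Attributes -match 'deny only'
            }
        }
    }
    [pscustomobject]@{
        IntegrityLevel = if ($label) { $IntegrityLevels[$label.Sid] } else { 'Unknown' }
        NotableGroups  = @($groups)
    }
}

# Constructed sample: an administrator's unelevated (UAC-filtered) token.
$sample = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"BUILTIN\Remote Desktop Users","Alias","S-1-5-32-555","Mandatory group, Enabled by default, Enabled group"'
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)
Get-TokenSummary -CsvLines $sample

# Live use on a Windows host:
# Get-TokenSummary -CsvLines (whoami /groups /fo csv /nh)
```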


Existing Users and Groups
To display information about local users and groups, use the following commands:
  • Display local users
Get-LocalUser

net user

  • Get more information about a specific username
net user <username>

  • Display local groups
Get-LocalGroup

  • Display members of a specific group (e.g., adminteam)
Get-LocalGroupMember adminteam


Operating System Information

To gather information about the operating system, version, and architecture, use:

systeminfo

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"


Network Information
To obtain network-related information, use these commands:
  • Show all interfaces
ipconfig /all

  • Routing table
route print

  • Active network connections
netstat -ano


Enumerating Firewall Status and Rules
Check the firewall status and rules with these commands:
  • Listing the current profile for the firewall
netsh advfirewall show currentprofile

  • Listing all the firewall rules
netsh advfirewall firewall show rule name=all


Installed Applications
Identifying installed applications can reveal potential vulnerabilities. Here are some commands to help with this:
  • x86 applications
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

  • x64 applications
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

  • Listing all applications installed by Windows Installer
wmic product get name, version, vendor

  • Listing all installed security patches
wmic qfe get Caption, Description, HotFixID, InstalledOn

Additionally, check the contents of both the 32-bit and 64-bit "Program Files" directories, located in C:\. Review the "Downloads" directory of your user to find more potential programs.


Running Processes
Understanding the processes running on the system is essential. Here are some commands to help you with this:

Get-Process

Get-Process | Select-Object Path

Getting a list of running processes on the operating system and matching services can be done with the following command:

tasklist /SVC


Hidden in Plain View
Sometimes, sensitive information is hiding in plain view. Here are some commands to search for hidden data:

Searching for Password Manager Databases

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue


Searching for Sensitive Information in XAMPP Directory

Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue


Searching for Documents and Text Files in a User's Home Directory

Get-ChildItem -Path C:\Users\<username>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue


Running Commands as Another User
In some situations, you may need to run commands as another user. You can achieve this with:

runas /user:<username> cmd

Information Goldmine: PowerShell
PowerShell history can reveal valuable information about past commands and activities. Here are some PowerShell commands to help you in this regard:

Get the Command History of PowerShell

Get-History


Display the Path of the History File from PSReadline

(Get-PSReadlineOption).HistorySavePath


Enumerating Readable/Writable Files and Directories
Understanding which files and directories are writable can be essential for privilege escalation. Here's how to list them:

Listing All Writable Files and Directories

accesschk.exe -uws "Everyone" "C:\Program Files"


Listing All Writable Files and Directories in a Specified Target Using PowerShell

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
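
The one-liner above matches only the display string for "Everyone" with "Modify". The following added audit example (not from the original guide) checks the ACEs themselves, so it also catches Authenticated Users and BUILTIN\Users, other write-capable rights, and ACEs stored as generic rights. The function name `Find-BroadWriteAce` and the choice of which principals count as "broad" are assumptions.

```powershell
# Everyone, Authenticated Users, BUILTIN\Users (assumed set of broad principals).
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that allow changing content or permissions, plus GENERIC_WRITE
# (0x40000000) and GENERIC_ALL (0x10000000), which some ACEs store unmapped.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Find-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch { return }   # ACL not readable: skip this item
            # Request SIDs so the match does not depend on localized account names.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadSids -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteBits) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Usage on a Windows host:
# Find-BroadWriteAce -Path 'C:\Program Files' | Format-Table -AutoSize
```

Findings where `Inherited` is false point at the object whose ACL was changed directly; inherited ones are fixed at the parent.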


Enumerating Unmounted Disks
Understanding the available drives is crucial. You can list all drives available for mounting with this command:

mountvol


Enumerating Device Drivers and Kernel Modules
Identifying device drivers and kernel modules can provide valuable insights. Here's how to list them:

Listing Loaded Drivers on Windows

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path


Listing Driver Versions on Windows for a Specific Keyword (e.g., VMware)

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}


Enumerating Binaries That AutoElevate
Understanding which binaries autoelevate can be crucial for privilege escalation. Here's how to query the AlwaysInstallElevated registry setting:

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer


If the AlwaysInstallElevated registry setting is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges. This can be exploited for privilege escalation.
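
The two `reg query` commands above can be combined into a single check. This added example (not from the original guide; the function name `Get-AlwaysInstallElevatedState` is hypothetical) reads the value from both hives, treats a missing key or value as "not configured", and reports the either-hive and both-hives cases separately, since Microsoft's Windows Installer documentation describes the policy as applying when the value is 1 under both keys.

```powershell
function Get-AlwaysInstallElevatedState {
    $keys = [ordered]@{
        HKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
        HKLM = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    }
    $state = [ordered]@{}
    foreach ($hive in $keys.Keys) {
        # A missing key or value means the policy is not configured in that hive.
        $prop = Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($prop) { [int]$prop.AlwaysInstallElevated } else { $null }
    }
    [pscustomobject]@{
        HKCU                = $state.HKCU
        HKLM                = $state.HKLM
        EnabledInEitherHive = ($state.HKCU -eq 1) -or ($state.HKLM -eq 1)
        EnabledInBothHives  = ($state.HKCU -eq 1) -and ($state.HKLM -eq 1)
    }
}

Get-AlwaysInstallElevatedState
```

For remediation, the corresponding Group Policy setting is "Always install with elevated privileges" under Windows Installer, in both Computer Configuration and User Configuration.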

In conclusion, privilege escalation in Windows requires a comprehensive understanding of the system and the techniques to enumerate its elements. By following these commands and techniques, you can gather the information needed to identify and exploit vulnerabilities for privilege escalation. Remember to always follow ethical hacking practices and obtain proper authorization before conducting any penetration testing.