Windows Privilege Escalation Scripts & Techniques


This tool compares a target's patch level against the Microsoft vulnerability database to detect patches that are potentially missing on the target. It also reports whether public exploits and Metasploit modules are available for the missing bulletins.


SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.

JAWS — Just Another Windows (Enum) Script

JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written for PowerShell 2.0, so it 'should' run on every Windows version since Windows 7.


Windows-privesc-check is a standalone executable that runs on Windows systems. It looks for misconfigurations that could allow a local unprivileged user to escalate privileges to other users or to gain access to local applications (e.g. databases).


A PowerShell script that quickly finds missing software patches associated with local privilege escalation vulnerabilities.

Windows Privesc Check (WPC-PS)

After trying to fix the code of the original Windows Privesc Check tool and crying rivers of blood, I decided to look for a more appropriate tool for the task. This is an experiment to implement similar functionality in PowerShell, which is available by default in every Windows installation since Windows 7/Server 2008 R2.


PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

Metasploit Windows Gather Applied Patches


Metasploit Local Exploit Suggester Module



BeRoot(s) is a post-exploitation tool that checks common Windows misconfigurations to find a way to escalate privileges.


A Windows batch script that finds misconfigurations which can lead to privilege escalation. The script depends on accesschk.exe from Sysinternals, which is mandatory. A few checks also use Listdlls.exe and pipelist.exe from Sysinternals; those executables are optional.

Exploit Database (EDB)

The Exploit Database (EDB) is a CVE-compliant archive of exploits and vulnerable software, and a great resource for penetration testers, vulnerability researchers, and security enthusiasts alike. It is useful for locating Windows local exploits, either by searching it through Google or with tools like searchsploit, which queries a local copy of the archive.

Common Windows Privilege Escalation Vectors

  1. Stored Credentials
  2. Windows Kernel Exploit
  3. DLL Injection
  4. Unattended Answer File
  5. Insecure File/Folder Permissions
  6. Insecure Service Permissions
  7. DLL Hijacking
  8. Group Policy Preferences
  9. Unquoted Service Path
  10. Always Install Elevated
  11. Token Manipulation
  12. Insecure Registry Permissions
  13. Autologon User Credential
  14. User Account Control (UAC) Bypass
  15. Insecure Named Pipes Permissions
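The following PowerShell script is an added example, not code from the original article or from any of the tools listed above. It checks three of the vectors in the list (Unquoted Service Path, Always Install Elevated, and Autologon User Credential) using only WMI and the registry, so it should run on PowerShell 2.0 like the scripts described earlier. The function names are my own; the registry keys and value names are the standard Windows locations for these settings.

```powershell
# Added example: offline logic plus live checks for three common vectors.
# Function names (Get-UnquotedServicePathCandidates etc.) are chosen here.

function Get-UnquotedServicePathCandidates {
    # Given a service ImagePath, return the executables the Service Control
    # Manager would try BEFORE the real binary when the path is unquoted and
    # contains spaces. Example: "C:\Program Files\My App\svc.exe -arg" yields
    #   C:\Program.exe
    #   C:\Program Files\My.exe
    # Dropping a binary at one of those paths (if the directory is writable)
    # gets it executed with the service account when the service starts.
    param([Parameter(Mandatory=$true)][string]$ImagePath)

    $trimmed = $ImagePath.Trim()
    # A quoted path is parsed as a single token and is not vulnerable.
    if ($trimmed.StartsWith('"')) { return @() }

    # Keep only the executable portion (up to and including the first ".exe");
    # anything after it is service arguments and does not matter here.
    $idx = $trimmed.ToLower().IndexOf('.exe')
    if ($idx -lt 0) { return @() }
    $exePath = $trimmed.Substring(0, $idx + 4)
    if ($exePath -notmatch ' ') { return @() }

    $candidates = @()
    $parts = $exePath.Split(' ')
    # Every space before the real binary produces one candidate: the prefix up
    # to that space, with ".exe" appended because CreateProcess adds it when the
    # token has no extension.
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $prefix = ($parts[0..($i - 1)] -join ' ')
        $candidates += ($prefix + '.exe')
    }
    return $candidates
}

function Find-UnquotedServicePaths {
    # Enumerate services through WMI (available on PowerShell 2.0) and report
    # those whose ImagePath is unquoted and contains spaces. Whether a candidate
    # is actually exploitable depends on the directory being writable by the
    # current user (check with accesschk or icacls) and on being able to restart
    # the service or reboot the host.
    Get-WmiObject Win32_Service | ForEach-Object {
        if ($_.PathName) {
            # @() forces an array so .Count is safe for 0 or 1 results on PS 2.0.
            $cands = @(Get-UnquotedServicePathCandidates -ImagePath $_.PathName)
            if ($cands.Count -gt 0) {
                New-Object PSObject -Property @{
                    Name       = $_.Name
                    StartName  = $_.StartName   # account the service runs as
                    PathName   = $_.PathName
                    Candidates = ($cands -join '; ')
                }
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # MSI packages install as SYSTEM only when the value is 1 under BOTH the
    # machine and the user policy keys; one of them alone is not enough.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $set = 0
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v -and $v.AlwaysInstallElevated -eq 1) { $set++ }
    }
    return ($set -eq 2)
}

function Get-AutoLogonCredential {
    # Autologon stores the account and, when configured via the registry rather
    # than LSA secrets, a cleartext DefaultPassword under Winlogon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and $p.AutoAdminLogon -eq '1' -and $p.DefaultPassword) {
        New-Object PSObject -Property @{
            Domain   = $p.DefaultDomainName
            User     = $p.DefaultUserName
            Password = $p.DefaultPassword
        }
    }
}

# Usage on a live host.
Find-UnquotedServicePaths | Format-Table Name, StartName, PathName, Candidates -AutoSize
"AlwaysInstallElevated (both keys set): $(Test-AlwaysInstallElevated)"
Get-AutoLogonCredential
```

The candidate list from Get-UnquotedServicePathCandidates is only the first half of the check: a hit is exploitable when the current user can write to the directory that would hold the candidate binary (for example a third-party application folder under the drive root) and can trigger a service restart, which is exactly what accesschk and the service start permissions reported by the tools above tell you.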




Rahmat Nurfauzi


Red Teamer, Threat Hunter & Security Researcher. Contributor to the MITRE ATT&CK Framework, PS Empire, LOLBins, Atomic Red Team and more.