Skip to content

How do you approach privilege escalation on a Windows target?

Short answer

Enumerate current privileges (whoami /priv), misconfigured services (weak permissions, unquoted service paths), AlwaysInstallElevated, scheduled tasks, stored credentials, and missing patches. WinPEAS or PowerUp automates the sweep; token-privilege abuses like SeImpersonate are common high-value wins.

Windows privesc on the OSCP is, like Linux, mostly about misconfiguration. The challenge is that Windows has many more places for an admin to get it wrong, so structured enumeration is essential.

High-value checks

  • Token privilegeswhoami /priv. Service accounts often hold SeImpersonatePrivilege, which "potato" attacks abuse to impersonate SYSTEM. This is one of the most common exam wins.
  • Service misconfigurations — services whose binary you can overwrite, whose registry key you can edit, or that have weak permissions let you swap the executable and restart for SYSTEM.
  • Unquoted service paths — a service path like C:\Program Files\My App\svc.exe with no quotes lets you plant C:\Program.exe if the directory is writable.
  • AlwaysInstallElevated — when both registry keys are set, any MSI you craft installs as SYSTEM.
  • Stored credentials — Unattend.xml, registry autologon, saved RDP/WiFi creds, and PowerShell history routinely leak passwords.
  • Patch level — missing KBs map to kernel exploits, but as on Linux these are a fallback.

Automate the sweep

WinPEAS, PowerUp (PowerSploit), and SharpUp enumerate all of these quickly and flag the promising ones. As always, automation finds candidates; you verify and exploit them by hand.

Why token abuse stands out

Many real boxes hand you a web-service shell running as a low-privilege service account that nonetheless holds SeImpersonate. Recognising that single privilege turns a dead-end shell into SYSTEM faster than any other path.

What interviewers look for

A concrete list — token privileges, service and path misconfigs, AlwaysInstallElevated, stored creds — and awareness that WinPEAS/PowerUp automate discovery while SeImpersonate is a go-to escalation. Naming only "kernel exploits" misses how most Windows boxes actually fall.

Likely follow-ups

  • How would you exploit a service with a writable binary path?
  • What does the SeImpersonatePrivilege let an attacker do?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.