
Basic Windows Privilege Escalation

Privilege Escalation's main component is enumeration. The more you know about your target system, the more intelligently you can craft your attacks.

As I have been working through my OSCP course I have had to reference several cheat sheets and blog posts for Windows enumeration, and while it's not a major inconvenience, I figured I would put what I already knew and what I have found in one location for everyone's benefit. This list is by no means complete and I will update it as I come across more information and from what is contributed in the comments. Note: this is heavily influenced by g0tmi1k's Linux Privilege Escalation post, so the overall layout credit goes to him.

Operating System

What version of Windows is running? Is it 32 or 64-bit?

more c:\boot.ini (legacy systems only; Vista and later keep boot settings in the BCD store instead)
wmic os get osarchitecture


set computername

What drives are there? Are any being shared?

wmic logicaldisk get caption,description,providername
net share
wmic share
net use

What can the OS variables tell you?

more C:\WINDOWS\System32\drivers\etc\hosts
more C:\WINDOWS\System32\drivers\etc\networks
dir C:\Users\username\AppData\Local\Temp
echo %path%
tree (massive output)
wmic context
wmic bootconfig
wmic environment
wmic loadorder
wmic startup

What patches are installed?

wmic qfe

What services are installed/running?

wmic service
net start
sc query


What is the current network config? What is this machine talking to?

ipconfig /allcompartments /all
wmic nicconfig get description,IPAddress,MACaddress
route PRINT
netstat -ano
arp -a
wmic nicconfig get macaddress,caption
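The PID column of `netstat -ano` only answers "what is this machine talking to?" once it is joined with `tasklist`. As an added example that is not part of the original post, the Python script below does that join over constructed sample output of the two commands (image names, addresses and PIDs are made up) and reports, rather than drops, a PID that tasklist no longer lists; on a live host you would feed it the saved output of `netstat -ano` and `tasklist`.

```python
# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       9999
  TCP    10.0.0.5:49700         10.0.0.9:443           ESTABLISHED     2312
  UDP    0.0.0.0:5355           *:*                                    1128
"""
# Constructed sample of plain `tasklist` output; PID 9999 is deliberately absent.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    880 Services                   0     10,112 K
svchost.exe                   1128 Services                   0      7,040 K
updater.exe                   2312 Console                    1     31,560 K
"""

def parse_tasklist(text):
    """Map PID -> image name; header and ruler lines fail the column check and are skipped."""
    pids = {}
    for line in text.splitlines():
        tok = line.split()
        # Right to left: "K", memory, session#, session name, PID; the rest is the image name.
        if len(tok) >= 6 and tok[-1] == "K" and tok[-5].isdigit():
            pids[int(tok[-5])] = " ".join(tok[:-5])
    return pids
def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "TCP":
            rows.append((tok[0], tok[1], tok[2], tok[3], int(tok[4])))
        elif tok and tok[0] == "UDP":
            rows.append((tok[0], tok[1], tok[2], "", int(tok[3])))
    return rows
def map_sockets(netstat_text, tasklist_text):
    """Tie each listening or established socket to the image name owning its PID."""
    names = parse_tasklist(tasklist_text)
    listening, established = [], []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        addr, port = local.rsplit(":", 1)
        image = names.get(pid, "<unknown pid>")  # process exited or not visible to tasklist
        if state == "LISTENING" or proto == "UDP":
            listening.append((proto, addr, int(port), pid, image))
        elif state == "ESTABLISHED":
            established.append((proto, local, foreign, pid, image))
    return listening, established
```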

What is the firewall configuration?

netsh dump
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewallinfo.txt"

Is the machine on a domain?

set userdomain
net view /domain

Installed Software

What software is currently running? What is installed?

tasklist /svc
tasklist /fi "pid eq PID"
tasklist /fi "username eq USERNAME"
driverquery /v
wmic sysdriver
wmic product

User Info

Who is logged in? Who is an administrator? Who belongs to what group/domain?

set username
echo %username%
net users
wmic group
net localgroup
net localgroup administrators
wmic useraccount


What is in the registry?

reg query
reg query "HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon" /v LastUsedUsername

Hardware Information

What is installed in this PC?

wmic bios
wmic baseboard get manufacturer
wmic cdrom
wmic cpu list full
wmic csproduct