
The Mindset

When you land on a Windows target, three questions drive everything:
  • Who am I? — Your user, privileges, and group memberships
  • What can I do? — Enabled privileges, especially the ones that lead to escalation
  • What is this machine? — OS version, patch level, scheduled tasks, services

Who Am I?

whoami — Current User

whoami
# win01\john
The output is in COMPUTERNAME\USERNAME format. The hostname is the name assigned to the machine itself — set during Windows installation or by an admin. It’s what identifies this computer on the local network, like a label on a box. win01 is that label. john is the user account on it. On a domain-joined machine it shows DOMAIN\USERNAME instead — that tells you whether you’re a local account or a domain account at a glance.

whoami /priv — Your Privileges

This is the single most important enumeration command on Windows. It lists the privileges assigned to your token — and several of them are direct paths to SYSTEM. A token is Windows’ internal representation of your security context. Every process runs under one. When you log in or a service starts, Windows creates a token and attaches it to your session — it holds your identity (SID), your group memberships, and your privileges. whoami /priv reads that token and shows you what rights the OS will honour for anything your process tries to do. Tokens are kernel objects — they live in kernel memory, not as files on disk. The easiest way to see your full token is whoami /all, which combines your user, groups, and privileges into one view:
whoami /all

USER INFORMATION
----------------
User Name  SID
========== =============================================
ws01\john  S-1-5-21-674899381-4069889467-2080702030-1002

GROUP INFORMATION
-----------------
Group Name                       Type             SID          Attributes
================================ ================ ============ ==========================
BUILTIN\Administrators           Alias            S-1-5-32-544 Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label         S-1-16-12288 Integrity

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= =======
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Enabled
To inspect the token of another running process (for example, to see if a SYSTEM process has a token you can steal), use a tool like Process Hacker — right-click any process → Properties → Token tab.
whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= =======
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
What these privileges mean:

Privilege                      What It Does                                                                        Why It Matters
=============================  ==================================================================================  ============================================================================
SeChangeNotifyPrivilege        Bypass directory traversal checks to navigate folders without explicit permissions  Minor — enabled for almost everyone, rarely useful
SeImpersonatePrivilege         Impersonate a client after authentication                                           Major — leads to SYSTEM via Potato attacks (JuicyPotato, PrintSpoofer, etc.)
SeIncreaseWorkingSetPrivilege  Increase the memory available to a process                                          Minor

SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are the privileges to look for. Service accounts (such as IIS AppPool identities and the MSSQL service account) usually have them — and they turn a service-account shell into SYSTEM with a Potato exploit.
High-value privileges to always watch for:

Privilege                      Escalation Path
=============================  ====================================================
SeImpersonatePrivilege         Potato attacks → SYSTEM
SeAssignPrimaryTokenPrivilege  Token manipulation → SYSTEM
SeBackupPrivilege              Read any file (SAM, SYSTEM hives) → credential theft
SeRestorePrivilege             Write any file → overwrite system binaries
SeDebugPrivilege               Access any process memory → dump LSASS
SeTakeOwnershipPrivilege       Take ownership of any object → grant yourself access
SeLoadDriverPrivilege          Load a malicious kernel driver → SYSTEM

What Groups Am I In?

whoami /groups — Group Memberships

whoami /groups

GROUP INFORMATION
-----------------
Group Name                           Type             SID          Attributes
==================================== ================ ============ ==========
BUILTIN\Event Log Readers            Alias            S-1-5-32-573 Enabled group
BUILTIN\Remote Desktop Users         Alias            S-1-5-32-555 Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Enabled group
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288
The output has four columns. Type and Attributes are the ones that need explanation.

Type — what kind of security principal this entry is:

Type              Meaning
================  =================================================================================================================================
Alias             A local security group stored on this machine. BUILTIN groups (Administrators, Users, Remote Desktop Users) are always Alias type.
Well-known group  A group predefined by Windows with a fixed SID that is the same on every Windows machine — things like NT AUTHORITY\Authenticated Users.
Label             Not a group at all — this is the Mandatory Integrity Level marker on your token (see below).
Domain group      A group from Active Directory. Only appears on domain-joined machines.

Attributes — what role the group currently plays in your token:

Attribute                                           Meaning
==================================================  ==================================================================================================================
Mandatory group, Enabled by default, Enabled group  Always in your token and always active. Cannot be removed or disabled for the lifetime of this session.
Enabled group                                       Active and used for access checks right now.
Deny only                                           The group is in your token but can only match deny rules — it cannot grant you access to anything. Seen on restricted tokens.
Integrity                                           Marks the Mandatory Label entry — it’s an integrity level, not a real group membership.
Groups worth noting:

Group                    Why It Matters
=======================  ===============================================================
Administrators           Full control — you’ve already won
Remote Desktop Users     Can RDP into the box
Remote Management Users  Can use WinRM / PowerShell Remoting
Backup Operators         Can read/write any file regardless of ACL → credential theft
Event Log Readers        Can read event logs — may contain credentials in command lines
DnsAdmins                Can load a malicious DLL into the DNS service → SYSTEM
Hyper-V Administrators   Effective control over the host
The Mandatory Label at the bottom shows your integrity level. Windows tags every process with one of these levels and enforces a rule: a lower-integrity process cannot write to or influence a higher-integrity one. There are four levels:
Label   What it means
======  ==============================================================================================
Low     Sandboxed — used by things like browser tab processes. Very restricted write access.
Medium  Standard logged-in user. Most processes run here. UAC has not been bypassed.
High    Elevated — you clicked “Run as administrator” or bypassed UAC. Admin-level token.
System  The OS itself. Services like LSASS and the kernel run here. This is the escalation target.
When you see High Mandatory Level in your groups output, your current process is already elevated. Medium means you have admin group membership but UAC is still limiting you — bypassing UAC would move you to High.
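As an added example (not code from the original page), the following Python reads the fixed-width group and privilege tables that whoami /all prints and reports what the token actually carries: its integrity level, any of the groups listed above, and the privileges from the high-value table, separating ones that are enabled from ones that are merely held. The sample text is constructed to mirror the page's output, and the RISKY_PRIVS and RISKY_GROUPS sets are the page's own lists.

```python
import re

# Constructed sample modelled on the page's `whoami /all` output (group and privilege sections); not from a real host.
SAMPLE = r"""GROUP INFORMATION
-----------------
Group Name                           Type             SID          Attributes
==================================== ================ ============ ==========================
BUILTIN\Administrators               Alias            S-1-5-32-544 Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288 Integrity

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= =======
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Disabled
"""
RISKY_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}
RISKY_GROUPS = {"BUILTIN\\Administrators", "BUILTIN\\Backup Operators", "BUILTIN\\Remote Management Users"}

def parse_tables(text):
    """Return {section title: [row dict, ...]}; column edges come from the '====' line, so cells containing spaces stay whole."""
    sections, title, header, edges = {}, None, None, None
    for line in text.splitlines():
        if line.endswith(" INFORMATION"):            # 'GROUP INFORMATION' etc. opens a new section
            title, header, edges, sections[line] = line, None, None, []
        elif not line.strip() or set(line) == {"-"}: # blank line or the title's underline
            continue
        elif header is None:                         # raw column-header line
            header = line
        elif edges is None:                          # '==== ====' separator: record column start offsets
            edges = [m.start() for m in re.finditer(r"=+", line)]
            header = [header[s:e].strip() for s, e in zip(edges, edges[1:] + [None])]
        else:                                        # data row: slice at the recorded offsets
            cells = [line[s:e].strip() for s, e in zip(edges, edges[1:] + [None])]
            sections[title].append(dict(zip(header, cells)))
    return sections

def triage(text):
    """Integrity level plus the risky groups/privileges the token holds ('Disabled' privileges are still held, just not enabled yet)."""
    t = parse_tables(text)
    groups = {g["Group Name"]: g for g in t.get("GROUP INFORMATION", [])}
    privs = {p["Privilege Name"]: p["State"] for p in t.get("PRIVILEGES INFORMATION", [])}
    level = next((n.split("\\", 1)[1] for n, g in groups.items() if g["Type"] == "Label"), None)  # the Label row
    return {"integrity": level,
            "risky_groups": sorted(n for n in groups if n in RISKY_GROUPS),
            "risky_privs_enabled": sorted(n for n, s in privs.items() if n in RISKY_PRIVS and s == "Enabled"),
            "risky_privs_held_disabled": sorted(n for n, s in privs.items() if n in RISKY_PRIVS and s != "Enabled")}
```

On a live host, replace SAMPLE with the captured stdout of whoami /all (for example `subprocess.run(["whoami", "/all"], capture_output=True, text=True).stdout`).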

What Is This Machine?

systeminfo — Full System Details

systeminfo
This shows OS version, build, install date, hotfixes, and network config — everything you need for CVE research. Note that it can fail with Access denied for low-privilege users in some configurations:
systeminfo
# Program 'systeminfo.exe' failed to run: Access is denied
If it’s blocked, fall back to PowerShell (see below).

wmic qfe — Installed Patches

qfe stands for Quick Fix Engineering — it lists installed Windows updates. Compare these against known CVEs to find missing patches.
wmic qfe
# Lists all installed hotfixes (KB numbers and install dates)
Like systeminfo, this may return Access denied for limited accounts.

PowerShell — OS Version (when CMD tools are blocked)

# OS version and build number
Get-WmiObject -Class Win32_OperatingSystem | select Version,BuildNumber

# Version    BuildNumber
# -------    -----------
# 10.0.19041 19041
The build number (e.g. 19041) maps to a specific Windows release — search it to find applicable exploits.

Scheduled Tasks

If you can modify a script that a privileged task runs, that’s a direct escalation path.
# List all scheduled tasks in full detail
schtasks /query /fo LIST /v
What to look for in the output:
TaskName:        \CorpBackupAgent
Task To Run:     powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\CorpBackup\Scripts\backupprep.ps1
Run As User:     Administrator
Scheduled Task State: Enabled
Repeat: Every:   0 Hour(s), 2 Minute(s)
This is gold:
  • Run As User: Administrator — the script runs with admin privileges
  • Task To Run — points to backupprep.ps1, a script on disk
  • Repeat: Every 2 minutes — runs frequently, so you don’t have to wait long
Check the script’s permissions with icacls (covered on the Permissions & icacls page).
Filter for non-Microsoft tasks — those are the custom ones admins set up, and they’re far more likely to be misconfigured than the built-in Windows tasks. The author field and a script path outside C:\Windows are the tells. In PowerShell, filter them directly:
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' } | Select-Object TaskName, TaskPath
Or from CMD, pipe through findstr and pull out the task name, author, principal and command, then look for entries whose author is not Microsoft. findstr treats every space-separated word as a separate search term, so each phrase needs its own /C: literal:
schtasks /query /fo LIST /v | findstr /i /C:"TaskName:" /C:"Author:" /C:"Run As User:" /C:"Task To Run:"
Any task running as Administrator or SYSTEM with a script path in C:\ProgramData, C:\Temp, or another user-writable directory is worth examining.
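An added example, not part of the original page: a Python audit over schtasks /query /fo LIST /v output that picks out exactly the combination described above (an enabled task with a privileged Run As User whose action lives in a user-writable directory or whose author is not Microsoft). The records are constructed from the CorpBackupAgent listing plus a Microsoft task for contrast; the USER_WRITABLE directory list is an assumption to tune per host, and the paths it returns are the ones to hand to icacls.

```python
import re

# Constructed records in the shape of `schtasks /query /fo LIST /v` output (fields trimmed to the ones used).
SAMPLE = r"""HostName:                             WS01
TaskName:                             \CorpBackupAgent
Author:                               WS01\Administrator
Task To Run:                          powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\CorpBackup\Scripts\backupprep.ps1
Run As User:                          Administrator
Scheduled Task State:                 Enabled
Repeat: Every:                        0 Hour(s), 2 Minute(s)

HostName:                             WS01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Run As User:                          SYSTEM
Scheduled Task State:                 Enabled
Repeat: Every:                        Disabled
"""
FIELDS = ("TaskName", "Author", "Task To Run", "Run As User", "Scheduled Task State", "Repeat: Every")
PRIVILEGED_RUNNERS = {"administrator", "system", "nt authority\\system"}
# Assumed list of directories a standard user can usually write to; tune it per host.
USER_WRITABLE = ("c:\\programdata\\", "c:\\temp\\", "c:\\users\\", "c:\\windows\\temp\\")
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')  # quoted drive paths, then bare ones

def parse_list(text):
    """One dict per task. Keys are matched by name because 'Repeat: Every:' itself contains a colon,
    so splitting each line on its first ':' would mangle that field."""
    tasks, cur = [], None
    for line in text.splitlines():
        if line.startswith("HostName:"):              # first field of every record
            cur = {}
            tasks.append(cur)
        for key in FIELDS:
            if cur is not None and line.startswith(key + ":"):
                cur[key] = line[len(key) + 1:].strip()
    return tasks

def audit_tasks(text):
    """Flag enabled tasks that run as a privileged principal and are either non-Microsoft or point at a writable path."""
    findings = []
    for t in parse_list(text):
        runner, author = t.get("Run As User", ""), t.get("Author", "")
        paths = [quoted or bare for quoted, bare in PATH_RE.findall(t.get("Task To Run", ""))]
        writable = [p for p in paths if p.lower().startswith(USER_WRITABLE)]
        custom = not author.lower().startswith("microsoft")
        if t.get("Scheduled Task State", "").lower() == "enabled" and runner.lower() in PRIVILEGED_RUNNERS and (writable or custom):
            findings.append({"task": t.get("TaskName"), "runs_as": runner, "author": author, "writable_paths": writable})
    return findings
```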

Security Identifiers (SID)

Every user and group has a unique SID. Windows tracks rights by SID, not by name — so two users named the same are still distinct.
whoami /user

USER INFORMATION
----------------
User Name  SID
========== =============================================
ws01\bob   S-1-5-21-674899381-4069889467-2080702030-1002
SID breakdown:
S    -  1         -  5                   -  21  -  674899381-4069889467-2080702030  -  1002
│       │            │                      │      │                                   │
SID  Revision    Identifier Authority    Type   Domain/Computer identifier            RID

Part                             Meaning
===============================  =======================================================================
S                                Marks the string as a SID
1                                Revision level (always 1)
5                                Identifier authority (5 = NT Authority)
21                               Sub-authority type. 21 means this is a domain or machine-local account SID (as opposed to built-in SIDs like S-1-5-32, which use a different number and have no machine identifier after them).
674899381-4069889467-2080702030  Three random 32-bit numbers generated once when the domain or local machine was first set up. Together they form a unique fingerprint for the issuing machine or domain. No two machines share this combination — it’s what makes SIDs globally unique across installations.
1002                             The RID — distinguishes the account. 500 = built-in Administrator, 501 = Guest, 512 = Domain Admins
RID 500 is always the real local Administrator account, even if it’s been renamed. RID 1000+ are regular accounts created after install.
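The breakdown above as a parser, added here and not from the original page: it splits a SID into revision, identifier authority, machine/domain identifier and RID, names the fixed RIDs the page mentions (500, 501, 512) together with a few other well-known SIDs from Microsoft's documented list, and tells whether two account SIDs were issued by the same machine or domain.

```python
import re

AUTHORITIES = {1: "World Authority", 5: "NT Authority", 16: "Mandatory Label Authority"}
INTEGRITY = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}  # S-1-16-<level>
# RIDs under S-1-5-21-<machine or domain id>; identical in every domain and on every machine.
ACCOUNT_RIDS = {500: "built-in Administrator", 501: "Guest", 502: "krbtgt",
                512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
# RIDs under S-1-5-32 (BUILTIN); these SIDs carry no machine identifier at all.
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 551: "Backup Operators",
                555: "Remote Desktop Users", 573: "Event Log Readers", 580: "Remote Management Users"}
WELL_KNOWN = {11: "Authenticated Users", 18: "SYSTEM", 19: "LOCAL SERVICE", 20: "NETWORK SERVICE"}  # S-1-5-<n>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split a SID string into the fields of the breakdown above and name the ones Windows fixes."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]     # sub-authorities, RID last
    info = {"sid": sid, "revision": revision, "authority": AUTHORITIES.get(authority, f"authority {authority}"),
            "kind": "other", "domain_id": None, "rid": None, "rid_name": None}
    if authority == 16:                                     # integrity level, not a principal
        info["kind"], info["rid"] = "integrity level", subs[0]
        info["rid_name"] = INTEGRITY.get(subs[0], "unknown level")
    elif authority == 5 and subs[0] == 21 and len(subs) >= 4:  # S-1-5-21-A-B-C[-RID]
        info["kind"] = "domain or local account"
        info["domain_id"] = "-".join(str(s) for s in subs[1:4])
        if len(subs) > 4:
            info["rid"] = rid = subs[4]
            info["rid_name"] = ACCOUNT_RIDS.get(rid, "account created after install" if rid >= 1000 else f"reserved RID {rid}")
    elif authority == 5 and subs[0] == 32 and len(subs) == 2:  # BUILTIN alias
        info["kind"], info["rid"] = "BUILTIN alias", subs[1]
        info["rid_name"] = BUILTIN_RIDS.get(subs[1], "other BUILTIN alias")
    elif authority == 5 and len(subs) == 1:                 # S-1-5-<n> well-known principal
        info["kind"], info["rid"] = "well-known", subs[0]
        info["rid_name"] = WELL_KNOWN.get(subs[0], "other well-known principal")
    return info

def same_issuer(sid_a, sid_b):
    """True when two account SIDs share the three-number machine/domain identifier (same issuing machine or domain)."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a["domain_id"] is not None and a["domain_id"] == b["domain_id"]
```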

Next: Windows Architecture & File System — the directory structure, file systems, and where the interesting files live.