Windows Fundamentals · intermediate · ~11 min

The Windows privilege model: UAC and tokens

Explain access tokens, privileges, integrity levels, and what UAC really does.

Overview

A process's rights come from its access token (SIDs + named privileges) and integrity level. Privileges like SeImpersonate/SeBackup/SeDebug are paths to SYSTEM. UAC splits admins into a standard + elevated token and is a convenience feature, not a strong boundary.

Why it matters

Windows escalation frequently hinges on token privileges (whoami /priv) — SeImpersonate on a service account is a classic SYSTEM path. Knowing UAC isn't a security boundary keeps reports accurate about what a 'bypass' really means.

Core concepts

  • Access token. SIDs + privileges, copied to each process.
  • Dangerous privileges. SeImpersonate, SeBackup, SeDebug → SYSTEM / any file / any process.
  • Integrity levels. Low/Medium/High/System gate cross-process actions.
  • UAC. Split token + consent prompt; a speed-bump, not a boundary.

Lesson

Windows decides what a process may do from its access token, not just its username.

Access tokens

When you log on, Windows builds a token carrying your SID, group SIDs, and a set of privileges (named rights like SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege). Every process you start carries a copy. Some privileges are effectively keys to SYSTEM:

  • SeImpersonatePrivilege → "potato" attacks impersonate SYSTEM (common on service accounts).
  • SeBackupPrivilege → read any file (e.g. the SAM/NTDS database).
  • SeDebugPrivilege → open any process, including SYSTEM's.

Integrity levels

Processes also have an integrity level (Low/Medium/High/System). A Medium-integrity process can't modify a High-integrity one even when both run as the same user — a defence-in-depth layer (browsers run sandboxed tabs at Low).

UAC

User Account Control gives admins a standard (Medium) token by default; the elevated (High) token is only used after a consent prompt. UAC is a convenience/speed-bump, not a strong security boundary (Microsoft says so) — numerous bypasses exist. Report a UAC bypass as escalation-within-admin, not as crossing a trust boundary.

Why it matters

Windows privilege escalation is often about token privileges: "I'm a low-priv service account, but I hold SeImpersonatePrivilege, so I can become SYSTEM." Enumerating whoami /priv is a first move.
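The three things this lesson says to look at (token privileges, integrity level, and which half of the UAC split token you hold) can be pulled from one shell session. The script below is an added example written for this page, not code from the lesson; it reads the CSV output of whoami /priv and whoami /groups, uses the .NET WindowsPrincipal check for an enabled Administrators SID, and reads the EnableLUA value under the HKLM Policies\System key. The lesson names SeImpersonate, SeBackup and SeDebug; the other entries in $sensitive are an assumption added here because they are commonly grouped with those three on an audit.

```powershell
# Added example (not part of the lesson): audit the current process's token
# the way the lesson describes it -- privileges, integrity level, UAC state.
# $sensitive is an assumption: the lesson names SeImpersonate, SeBackup and
# SeDebug; the remaining names are commonly reviewed alongside them.
$sensitive = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeBackupPrivilege',      'SeRestorePrivilege',
    'SeDebugPrivilege',       'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege'
)

# 1. Privileges. whoami /priv /fo csv yields "Privilege Name","Description","State".
#    A privilege shown as Disabled is still present in the token: code running as
#    this user can enable it with AdjustTokenPrivileges, so report both states.
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$held  = @($privs | Where-Object { $sensitive -contains $_.'Privilege Name' })

# 2. Integrity level. whoami /groups lists it as a "Mandatory Label\..." entry.
$label = (whoami /groups /fo csv | ConvertFrom-Csv |
          Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

# 3. UAC. IsInRole(Administrator) is true only for the elevated (High) token;
#    the filtered Medium token carries the Administrators SID as deny-only.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacOn     = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA -eq 1

"User:            $($identity.Name)"
"Integrity level: $label"
"UAC enabled:     $uacOn"
"Elevated token:  $elevated"
if ($held.Count -gt 0) {
    "Sensitive privileges on this token (Disabled still counts as held):"
    $held | ForEach-Object { "  $($_.'Privilege Name') ($($_.State))" }
} else {
    "No sensitive privileges on this token."
}
```

Run it twice, once from a normal shell and once from an elevated one, and the output shows the UAC split directly: same user, different integrity label, different Elevated result, and usually a different privilege list. For a report, the "Disabled still counts" line is the detail to keep in mind; a finding based on whoami /priv should not dismiss a privilege merely because its State column reads Disabled.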

Summary

Windows authorises by access token and integrity level; specific token privileges are direct routes to SYSTEM, and UAC is a convenience split rather than a real trust boundary — both central to Windows privilege escalation.