by carlospolop /!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script WinPEAS should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. [i] Best Linux PE and hardening course: https://hacktricks-training.com/courses/lhe/ [*] BASIC SYSTEM INFO [+] WINDOWS OS [i] Check for vulnerabilities for the OS version with the applied patches [?] 
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits Access is denied. No Instance(s) Available. Access is denied. [+] DATE and TIME [i] You may need to adjust your local date/time to exploit some vulnerability Sat 05/30/2026 12:48 PM [+] Audit Settings [i] Check what is being logged [+] WEF Settings [i] Check where are being sent the logs [+] Legacy Microsoft LAPS installed? [i] Check what is being logged [+] Windows LAPS installed? [i] Check what is being logged: 0x00 Disabled, 0x01 Backup to Entra, 0x02 Backup to Active Directory [+] LSA protection? [i] Active if "1" [+] Credential Guard? [i] Active if "1" or "2" [+] WDigest? [i] Plain-text creds in memory if "1" [+] Number of cached creds [i] You need System-rights to extract them HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon CACHEDLOGONSCOUNT REG_SZ 10 [+] UAC Settings [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on [?] https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA REG_DWORD 0x1 [+] Registered Anti-Virus(AV) ERROR: Description = Invalid namespace Checking for defender whitelisted PATHS [+] PowerShell settings PowerShell v2 Version: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion REG_SZ 2.0 PowerShell v5 Version: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion REG_SZ 5.1.17763.1 Transcriptions Settings: Module logging settings: Scriptblog logging settings: PS default transcript history Checking PS history file [+] MOUNTED DISKS [i] Maybe you find something interesting Caption C: D: G: [+] ENVIRONMENT [i] Interesting information? 
CurrentFolder=C:\inetpub\wwwroot\bhmahad\ CurrentLine= [+] ENVIRONMENT E=[ ESC= expl=no long=false Percentage=1 PercentageTrack=20 PROMPT=$P$G _FCGI_X_PIPE_=\\.\pipe\IISFCGI-9dc70f35-79e1-4e33-8ea9-239388afa43b ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Windows\system32\config\systemprofile\AppData\Roaming APP_POOL_CONFIG=C:\inetpub\temp\apppools\bmmumahad.in\bmmumahad.in.config APP_POOL_ID=bmmumahad.in CommonProgramFiles=C:\Program Files\Common Files CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files CommonProgramW6432=C:\Program Files\Common Files COMPUTERNAME=WTSERVER ComSpec=C:\Windows\system32\cmd.exe DriverData=C:\Windows\System32\Drivers\DriverData LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\Local NUMBER_OF_PROCESSORS=16 OS=Windows_NT Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\php;C:\inetpub\wwwroot\phpMyAdmin;C:\Program Files\Git\cmd;C:\Program Files\Git;C:\ProgramData\ComposerSetup\bin;C:\Program Files\nodejs\;C:\Program Files\MySQL\MySQL Shell 8.0\bin\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;C:\Users\Administrator\AppData\Roaming\Composer\vendor\bin;C:\Users\Administrator\AppData\Local\Programs\Microsoft VS Code\bin;C:\Users\Administrator\AppData\Roaming\npm;C:\docker;C:\Program Files\Docker;C:\Program Files\dotnet\;C:\ffmpeg\bin;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC PROCESSOR_ARCHITECTURE=AMD64 PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 183 Stepping 1, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=b701 ProgramData=C:\ProgramData ProgramFiles=C:\Program Files ProgramFiles(x86)=C:\Program Files (x86) ProgramW6432=C:\Program Files PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules PUBLIC=C:\Users\Public SystemDrive=C: SystemRoot=C:\Windows TEMP=C:\Windows\TEMP 
TMP=C:\Windows\TEMP USERDOMAIN=WTTECH USERNAME=WTSERVER$ USERPROFILE=C:\Windows\system32\config\systemprofile windir=C:\Windows ZES_ENABLE_SYSMAN=1 [+] INSTALLED SOFTWARE [i] Some weird software? Check for vulnerabilities in unknow software installed [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications AnyDesk Common Files Common Files ComposerSetup docker dotnet dotnet Git Google Google HiLookVision Station IIS IIS internet explorer Internet Explorer iVMS-4200 Site LogMeIn Rescue Applet Microsoft.NET MongoDB MSBuild MSBuild MySQL MySQL nodejs Notepad++ PackageManagement PostgreSQL PostgreSQL Reference Assemblies Reference Assemblies Skillbrains UltraViewer Windows Defender Windows Defender Windows Defender Advanced Threat Protection Windows Mail Windows Mail Windows Media Player Windows Media Player Windows Multimedia Platform Windows Multimedia Platform windows nt windows nt Windows Photo Viewer Windows Photo Viewer Windows Portable Devices Windows Portable Devices Windows Security WindowsPowerShell WindowsPowerShell WinRAR InstallLocation REG_SZ C:\Program Files\Git\ InstallLocation REG_SZ C:\Program Files\PostgreSQL\18 InstallLocation REG_SZ C:\Windows\system32 InstallLocation REG_SZ C:\Program Files\WinRAR InstallLocation REG_SZ C:\Program Files\MySQL\MySQL Shell 8.0 InstallLocation REG_SZ C:\Program Files\MySQL\MySQL Server 8.0\ InstallLocation REG_SZ C:\Program Files\MySQL\MySQL Router 8.0\ InstallLocation REG_SZ C:\Program Files\MySQL\MySQL Workbench 8.0 InstallLocation REG_SZ "C:\Program Files (x86)\AnyDesk" InstallLocation REG_SZ C:\Program Files\Google\Chrome\Application InstallLocation REG_SZ C:\Program Files (x86)\PostgreSQL\Npgsql InstallLocation REG_SZ C:\Program Files (x86)\PostgreSQL\pgJDBC InstallLocation REG_SZ C:\Program Files (x86)\MySQL\Samples and Examples 8.0 InstallLocation REG_SZ C:\Program Files (x86)\Skillbrains\lightshot\ InstallLocation REG_SZ C:\Program Files 
(x86)\ComposerSetup\ InstallLocation REG_SZ C:\Program Files (x86)\MySQL\MySQL Documentation 8.0 InstallLocation REG_SZ C:\Program Files (x86) InstallLocation REG_SZ C:\Program Files (x86)\UltraViewer\ [+] Remote Desktop Credentials Manager [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager [+] WSUS [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit) [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus [+] RUNNING PROCESSES [i] Something unexpected is running? Check for vulnerabilities [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
[i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in) [i] Checking 
directory permissions of running processes (DLL injection) [+] RUN AT STARTUP [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini BUILTIN\Administrators:(F) C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini BUILTIN\Administrators:(F) Access is denied.