[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner’s permission.

WinPEAS-ng by @hacktricks_live
/---------------------------------------------------------------------------------
| Do you like PEASS?                                                              |
|---------------------------------------------------------------------------------|
| Learn Cloud Hacking : training.hacktricks.xyz                                   |
| Follow on Twitter   : @hacktricks_live                                          |
| Respect on HTB      : SirBroccoli                                               |
|---------------------------------------------------------------------------------|
| Thank you!                                                                      |
---------------------------------------------------------------------------------/

  [+] Legend:
    Red          Indicates a special privilege over an object or something is misconfigured
    Green        Indicates that some protection is enabled or something is well configured
    Cyan         Indicates active users
    Blue         Indicates disabled users
    LightYellow  Indicates links

You can find a Windows local PE Checklist here: https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html

Creating Dynamic lists, this could take a while, please wait...
 - Loading sensitive_files yaml definitions file...
 - Loading regexes yaml definitions file...
 - Checking if domain...
 - Getting Win32_UserAccount info...
Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at winPEAS.Checks.Checks.a(Boolean A_0)
 - Creating current user groups list...
 - Creating active users list (local only)...
  [X] Exception: Object reference not set to an instance of an object.
 - Creating disabled users list...
  [X] Exception: Object reference not set to an instance of an object.
 - Admin users list...
  [X] Exception: Object reference not set to an instance of an object.
 - Creating AppLocker bypass list...
 - Creating files/directories list for search...

════════════════════════════════════╣ System Information ╠════════════════════════════════════

╔══════════╣ Basic System Information
╚ Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
  [X] Exception: Access denied
  [X] Exception: Access denied
  [X] Exception: The given key was not present in the dictionary.

╔══════════╣ Showing All Microsoft Updates
  [X] Exception: Creating an instance of the COM component with CLSID {B699E5E8-67FF-4177-88B0-3684A3388BFB} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).

╔══════════╣ System Last Shutdown Date/time (from Registry)
    Last Shutdown Date/time : 10/10/2024 7:50:09 PM

╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
    COMPUTERNAME: WS26
    PUBLIC: C:\Users\Public
    LOCALAPPDATA: C:\Users\r.andrews\AppData\Local
    PSModulePath: C:\Users\r.andrews\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Windows\System32\OpenSSH;C:\Users\r.andrews\AppData\Local\Microsoft\WindowsApps
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 6
    ProgramFiles: C:\Program Files
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
    USERPROFILE: C:\Users\r.andrews
    SystemRoot: C:\Windows
    ALLUSERSPROFILE: C:\ProgramData
    DriverData: C:\Windows\System32\Drivers\DriverData
    ProgramData: C:\ProgramData
    PROCESSOR_REVISION: 4f01
    USERNAME: r.andrews
    CommonProgramW6432: C:\Program Files\Common Files
    CommonProgramFiles: C:\Program Files\Common Files
    OS: Windows_NT
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 79 Stepping 1, GenuineIntel
    ComSpec: C:\Windows\system32\cmd.exe
    SystemDrive: C:
    TEMP: C:\Users\R8A361.AND\AppData\Local\Temp
    NUMBER_OF_PROCESSORS: 2
    APPDATA: C:\Users\r.andrews\AppData\Roaming
    TMP: C:\Users\R8A361.AND\AppData\Local\Temp
    ProgramW6432: C:\Program Files
    windir: C:\Windows
    USERDOMAIN: OSCP
    USERDNSDOMAIN: oscp.exam

╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
    ComSpec: C:\Windows\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Windows\System32\OpenSSH
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 6
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 79 Stepping 1, GenuineIntel
    PROCESSOR_REVISION: 4f01

╔══════════╣ Audit Settings
╚ Check what is being logged
    Not Found

╔══════════╣ Audit Policy Settings - Classic & Advanced

╔══════════╣ WEF Settings
╚ Windows Event Forwarding, is interesting to know were are sent the logs
    Not Found

╔══════════╣ LAPS Settings
╚ If installed, local administrator password is changed frequently and is restricted by ACL
    LAPS Enabled: LAPS not installed

╔══════════╣ Wdigest
╚ If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest
    Wdigest is not enabled

╔══════════╣ LSA Protection
╚ If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection
    LSA Protection is not enabled

╔══════════╣ Credentials Guard
╚ If enabled, a driver is needed to read LSASS memory https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard
    CredentialGuard is not enabled

╔══════════╣ Cached Creds
╚ If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials
    cachedlogonscount is 10

╔══════════╣ Enumerating saved credentials in Registry (CurrentPass)

╔══════════╣ AV Information
  [X] Exception: Access denied
    No AV was detected!!
    Not Found

╔══════════╣ Windows Defender configuration
  Local Settings
  Group Policy Settings

╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss
    ConsentPromptBehaviorAdmin: 0 - No prompting
    EnableLUA: 0
    LocalAccountTokenFilterPolicy: 1
    FilterAdministratorToken: 1
      [*] EnableLUA != 1, UAC policies disabled.
      [+] Any local account can be used for lateral movement.

╔══════════╣ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.22621.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file:
    PS history size:

╔══════════╣ Enumerating PowerShell Session Settings using the registry
    You must be an administrator to run this check

╔══════════╣ PS default transcripts history
╚ Read the PS history inside these files (if any)

╔══════════╣ HKCU Internet Settings
    CertificateRevocation: 1
    DisableCachingOfSSLPages: 0
    IE5_UA_Backup_Flag: 5.0
    PrivacyAdvanced: 1
    SecureProtocols: 10240
    User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Win32)

╔══════════╣ HKLM Internet Settings
    ActiveXCache: C:\Windows\Downloaded Program Files
    CodeBaseSearchPath: CODEBASE
    EnablePunycode: 1
    MinorVersion: 0
    WarnOnIntranet: 1

╔══════════╣ Drives Information
╚ Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 24 GB)(Permissions: Authenticated Users [Allow: AppendData/CreateDirectories])
    D:\ (Type: CDRom)

╔══════════╣ Checking WSUS
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
    Not Found

╔══════════╣ Checking KrbRelayUp
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup
  The system is inside a domain (OSCP) so it could be vulnerable.
╚ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges

╔══════════╣ Checking If Inside Container
╚ If the binary cexecsvc.exe or associated service exists, you are inside Docker
    You are NOT inside a container

╔══════════╣ Checking AlwaysInstallElevated
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
    AlwaysInstallElevated isn't available

╔══════════╣ Enumerate LSA settings - auth packages included
    auditbasedirectories : 0
    auditbaseobjects : 0
    Authentication Packages : msv1_0
    Bounds : 00-30-00-00-00-20-00-00
    crashonauditfail : 0
    fullprivilegeauditing : 00
    LimitBlankPasswordUse : 1
    NoLmHash : 1
    Notification Packages : scecli
    Security Packages : ""
    LsaPid : 748
    LsaCfgFlagsDefault : 0
    SecureBoot : 1
    ProductType : 4
    disabledomaincreds : 0
    everyoneincludesanonymous : 0
    forceguest : 0
    restrictanonymous : 0
    restrictanonymoussam : 1
    RunAsPPL : 0
    IsPplAutoEnabled : 1
    SCENoApplyLegacyAuditPolicy : 0
    TurnOffAnonymousBlock : 0
    LsaConfigFlags : 0
    RunAsPPLBoot : 0

╔══════════╣ Enumerating NTLM Settings
  LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)

  NTLM Signing Settings
    ClientRequireSigning : False
    ClientNegotiateSigning : True
    ServerRequireSigning : False
    ServerNegotiateSigning : False
    LdapSigning : Negotiate signing (Negotiate signing)

  Session Security
    NTLMMinClientSec : 536870912 (Require 128-bit encryption)
    NTLMMinServerSec : 536870912 (Require 128-bit encryption)

  NTLM Auditing and Restrictions
    InboundRestrictions : (Not defined)
    OutboundRestrictions : (Not defined)
    InboundAuditing : (Not defined)
    OutboundExceptions :

╔══════════╣ Display Local Group Policy settings - local users/machine
   Type : machine
   Display Name : Default Domain Policy
   Name : {31B2F340-016D-11D2-945F-00C04FB984F9}
   Extensions : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
   File Sys Path : C:\Windows\system32\GroupPolicy\DataStore\0\sysvol\oscp.exam\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine
   Link : LDAP://DC=oscp,DC=exam
   GPO Link : Domain
   Options : All Sections Enabled

 =================================================================================================

╔══════════╣ Potential GPO abuse vectors (applied domain GPOs writable by current user)
  [-] Controlled exception, info about OSCP\r.andrews not found
  No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.

╔══════════╣ Checking AppLocker effective policy
  AppLockerPolicy version: 1
  listing rules:

╔══════════╣ Enumerating Printers (WMI)

╔══════════╣ Enumerating Named Pipes
  Name   CurrentUserPerms   Sddl

eventlog Everyone [Allow: WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

vgauth-service Everyone [Allow: WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

╔══════════╣ Enumerating AMSI registered providers
  Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
  Path:

 =================================================================================================

╔══════════╣ Enumerating Sysmon configuration
    You must be an administrator to run this check

╔══════════╣ Enumerating Sysmon process creation logs (1)
    You must be an administrator to run this check

╔══════════╣ Installed .NET versions

════════════════════════════════════╣ Interesting Events information ╠════════════════════════════════════

╔══════════╣ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
    You must be an administrator to run this check

╔══════════╣ Printing Account Logon Events (4624) for the last 10 days.
    You must be an administrator to run this check

╔══════════╣ Process creation events - searching logs (EID 4688) for sensitive data.
    You must be an administrator to run this check

╔══════════╣ PowerShell events - script block logs (EID 4104) - searching for sensitive data.
  [X] Exception: Attempted to perform an unauthorized operation.

╔══════════╣ Displaying Power off/on events for last 5 days
  System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
     at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
     at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
     at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
     at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)
     at hq.a.b()
     at i4.a()

════════════════════════════════════╣ Users Information ╠════════════════════════════════════

╔══════════╣ Users
╚ Check if you have some admin equivalent privileges https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
  [X] Exception: Object reference not set to an instance of an object.
  Current user: r.andrews
  Current groups: Domain Users, Everyone, Builtin\Remote Desktop Users, Builtin\Remote Management Users, Users, Network, Authenticated Users, This Organization, NTLM Authentication
   =================================================================================================

 Not Found

╔══════════╣ Current User Idle Time
   Current User : OSCP\r.andrews
   Idle Time : 00h:46m:35s:140ms

╔══════════╣ Display Tenant information (DsRegCmd.exe /status)
   Tenant is NOT Azure AD Joined.

╔══════════╣ Current Token privileges
╚ Check if you can escalate privilege using some enabled token https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation
    SeShutdownPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeUndockPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeTimeZonePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

╔══════════╣ Clipboard text

╔══════════╣ Logged users
  [X] Exception: Access denied
    Not Found

╔══════════╣ Display information about local users
   Computer Name : WS26
   User Name : Administrator
   User Id : 500
   Is Enabled : True
   User Type : Administrator
   Comment : Built-in account for administering the computer/domain
   Last Logon : 2/28/2026 8:06:28 AM
   Logons Count : 27
   Password Last Set : 10/9/2024 10:41:39 AM

 =================================================================================================

   Computer Name : WS26
   User Name : DefaultAccount
   User Id : 503
   Is Enabled : False
   User Type : Guest
   Comment : A user account managed by the system.
   Last Logon : 1/1/1970 12:00:00 AM
   Logons Count : 0
   Password Last Set : 1/1/1970 12:00:00 AM

 =================================================================================================

   Computer Name : WS26
   User Name : Guest
   User Id : 501
   Is Enabled : False
   User Type : Guest
   Comment : Built-in account for guest access to the computer/domain
   Last Logon : 1/1/1970 12:00:00 AM
   Logons Count : 0
   Password Last Set : 1/1/1970 12:00:00 AM

 =================================================================================================

   Computer Name : WS26
   User Name : WDAGUtilityAccount
   User Id : 504
   Is Enabled : False
   User Type : Guest
   Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
   Last Logon : 1/1/1970 12:00:00 AM
   Logons Count : 0
   Password Last Set : 10/9/2024 1:44:21 PM

 =================================================================================================

╔══════════╣ RDP Sessions
    Not Found

╔══════════╣ Ever logged users
  [X] Exception: Access denied
    Not Found

╔══════════╣ Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\Public
    C:\Users\r.andrews : r.andrews [Allow: AllAccess]

╔══════════╣ Looking for AutoLogon credentials
    Not Found

╔══════════╣ Password Policies
╚ Check for a possible brute-force
    Domain: Builtin
    SID: S-1-5-32
    MaxPasswordAge: 42.22:47:31.7437440
    MinPasswordAge: 00:00:00
    MinPasswordLength: 0
    PasswordHistoryLength: 0
    PasswordProperties: DOMAIN_LOCKOUT_ADMINS
   =================================================================================================

    Domain: WS26
    SID: S-1-5-21-2756297892-2186407355-380279769
    MaxPasswordAge: 42.00:00:00
    MinPasswordAge: 1.00:00:00
    MinPasswordLength: 7
    PasswordHistoryLength: 24
    PasswordProperties: DOMAIN_LOCKOUT_ADMINS
   =================================================================================================

╔══════════╣ Print Logon Sessions

════════════════════════════════════╣ Processes Information ╠════════════════════════════════════

╔══════════╣ Interesting Processes -non Microsoft-
╚ Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
  [X] Exception: Access denied

╔══════════╣ Vulnerable Leaked Handlers
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers
╚ Getting Leaked Handlers, it might take some time...
    Handle: 1820(key)
    Handle Owner: Pid is 7108(winpeas) with owner: r.andrews
    Reason: AllAccess
    Registry: HKLM\software\microsoft\windowsruntime
   =================================================================================================

    Handle: 1840(key)
    Handle Owner: Pid is 7108(winpeas) with owner: r.andrews
    Reason: TakeOwnership
    Registry: HKLM\software\microsoft\fusion\publisherpolicy\default
   =================================================================================================

════════════════════════════════════╣ Services Information ╠════════════════════════════════════
  [X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.

╔══════════╣ Interesting Services -non Microsoft-
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
  [X] Exception: Access denied
    @amdgpio2.inf,%GPIO.SvcDesc%;AMD GPIO Client Driver(Advanced Micro Devices, Inc - @amdgpio2.inf,%GPIO.SvcDesc%;AMD GPIO Client Driver)[C:\Windows\System32\drivers\amdgpio2.sys] - System
   =================================================================================================

@amdi2c.inf,%amdi2c.SVCDESC%;AMD I2C Controller Service(Advanced Micro Devices, Inc - @amdi2c.inf,%amdi2c.SVCDESC%;AMD I2C Controller Service)[C:\Windows\System32\drivers\amdi2c.sys] - System

 =================================================================================================

@AppleSSD.inf,%DevDesc1%;Apple Solid State Drive Device(Apple Inc. - @AppleSSD.inf,%DevDesc1%;Apple Solid State Drive Device)[System32\drivers\AppleSSD.sys] - Boot

 =================================================================================================

@arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver(PMC-Sierra, Inc. - @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver)[System32\drivers\arcsas.sys] - Boot

 =================================================================================================

@netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD(QLogic Corporation - @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD)[System32\drivers\bxvbda.sys] - Boot

 =================================================================================================

@bcmfn2.inf,%bcmfn2.SVCDESC%;bcmfn2 Service(Windows (R) Win 7 DDK provider - @bcmfn2.inf,%bcmfn2.SVCDESC%;bcmfn2 Service)[C:\Windows\System32\drivers\bcmfn2.sys] - System

 =================================================================================================

@cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver(Chelsio Communications - @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver)[C:\Windows\System32\drivers\cht4vx64.sys] - System

 =================================================================================================

@net1ic64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I(Intel Corporation - @net1ic64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I)[C:\Windows\System32\drivers\e1i68x64.sys] - System

 =================================================================================================

@netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD(Marvell Semiconductor Inc. - @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD)[System32\drivers\evbda.sys] - Boot

 =================================================================================================

@netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD(QLogic Corporation - @netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD)[System32\drivers\evbd0a.sys] - Boot

 =================================================================================================

@iagpio.inf,%iagpio.SVCDESC%;Intel Serial IO GPIO Controller Driver(Intel(R) Corporation - @iagpio.inf,%iagpio.SVCDESC%;Intel Serial IO GPIO Controller Driver)[C:\Windows\System32\drivers\iagpio.sys] - System

 =================================================================================================

@iai2c.inf,%iai2c.SVCDESC%;Intel(R) Serial IO I2C Host Controller(Intel(R) Corporation - @iai2c.inf,%iai2c.SVCDESC%;Intel(R) Serial IO I2C Host Controller)[C:\Windows\System32\drivers\iai2c.sys] - System

 =================================================================================================

@iaLPSS2i_GPIO2_SKL.inf,%iaLPSS2i_GPIO2.SVCDESC%;Intel(R) Serial IO GPIO Driver v2(Intel Corporation - @iaLPSS2i_GPIO2_SKL.inf,%iaLPSS2i_GPIO2.SVCDESC%;Intel(R) Serial IO GPIO Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_GPIO2.sys] - System

 =================================================================================================

@iaLPSS2i_GPIO2_BXT_P.inf,%iaLPSS2i_GPIO2_BXT_P.SVCDESC%;Intel(R) Serial IO GPIO Driver v2(Intel Corporation - @iaLPSS2i_GPIO2_BXT_P.inf,%iaLPSS2i_GPIO2_BXT_P.SVCDESC%;Intel(R) Serial IO GPIO Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys] - System

 =================================================================================================

@iaLPSS2i_GPIO2_CNL.inf,%iaLPSS2i_GPIO2_CNL.SVCDESC%;Intel(R) Serial IO GPIO Driver v2(Intel Corporation - @iaLPSS2i_GPIO2_CNL.inf,%iaLPSS2i_GPIO2_CNL.SVCDESC%;Intel(R) Serial IO GPIO Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys] - System

 =================================================================================================

@iaLPSS2i_GPIO2_GLK.inf,%iaLPSS2i_GPIO2_GLK.SVCDESC%;Intel(R) Serial IO GPIO Driver v2(Intel Corporation - @iaLPSS2i_GPIO2_GLK.inf,%iaLPSS2i_GPIO2_GLK.SVCDESC%;Intel(R) Serial IO GPIO Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys] - System

 =================================================================================================

@iaLPSS2i_I2C_SKL.inf,%iaLPSS2i_I2C.SVCDESC%;Intel(R) Serial IO I2C Driver v2(Intel Corporation - @iaLPSS2i_I2C_SKL.inf,%iaLPSS2i_I2C.SVCDESC%;Intel(R) Serial IO I2C Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_I2C.sys] - System

 =================================================================================================

@iaLPSS2i_I2C_BXT_P.inf,%iaLPSS2i_I2C_BXT_P.SVCDESC%;Intel(R) Serial IO I2C Driver v2(Intel Corporation - @iaLPSS2i_I2C_BXT_P.inf,%iaLPSS2i_I2C_BXT_P.SVCDESC%;Intel(R) Serial IO I2C Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys] - System

 =================================================================================================

@iaLPSS2i_I2C_CNL.inf,%iaLPSS2i_I2C_CNL.SVCDESC%;Intel(R) Serial IO I2C Driver v2(Intel Corporation - @iaLPSS2i_I2C_CNL.inf,%iaLPSS2i_I2C_CNL.SVCDESC%;Intel(R) Serial IO I2C Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys] - System

 =================================================================================================

@iaLPSS2i_I2C_GLK.inf,%iaLPSS2i_I2C_GLK.SVCDESC%;Intel(R) Serial IO I2C Driver v2(Intel Corporation - @iaLPSS2i_I2C_GLK.inf,%iaLPSS2i_I2C_GLK.SVCDESC%;Intel(R) Serial IO I2C Driver v2)[C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys] - System

 =================================================================================================

@ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver(Intel Corporation - @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_GPIO.sys] - System

 =================================================================================================

@ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver(Intel Corporation - @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_I2C.sys] - System

 =================================================================================================

@iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller(Intel Corporation - @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller)[System32\drivers\iaStorAVC.sys] - Boot

 =================================================================================================

@iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7(Intel Corporation - @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7)[System32\drivers\iaStorV.sys] - Boot

 =================================================================================================

@mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver)(Mellanox - @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver))[C:\Windows\System32\drivers\ibbus.sys] - System

 =================================================================================================

@mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator(Mellanox - @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator)[C:\Windows\System32\drivers\mlx4_bus.sys] - System

 =================================================================================================

@mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service(Mellanox - @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service)[C:\Windows\System32\drivers\ndfltr.sys] - System

 =================================================================================================

NDKPerf Driver(NDKPerf Driver)[system32\drivers\NDKPerf.sys] - System

 =================================================================================================

@pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver(VMware, Inc. - @pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver)[System32\drivers\pvscsii.sys] - Boot

 =================================================================================================

@routepolicy.inf,%RoutePolicy.SvcDesc%;Microsoft Route Policy Service(@routepolicy.inf,%RoutePolicy.SvcDesc%;Microsoft Route Policy Service)[C:\Windows\System32\drivers\RoutePolicy.sys] - System

 =================================================================================================

OpenSSH Authentication Agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Manual
Agent to hold private keys used for public key authentication.

 =================================================================================================

@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver(@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver)[C:\Windows\System32\drivers\USBSTOR.SYS] - System

 =================================================================================================

@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller(@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller)[C:\Windows\System32\drivers\USBXHCI.SYS] - System

 =================================================================================================

VMware Alias Manager and Ticket Service(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Autoload
Alias Manager and Ticket Service

 =================================================================================================

@oem7.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service(VMware, Inc. - @oem7.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Autoload
@oem7.inf,%VM3DSERVICE_DESCRIPTION%;Helps VMware SVGA driver by collecting and conveying user mode information

 =================================================================================================

@oem1.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver(VMware, Inc. - @oem1.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver)[System32\drivers\vmci.sys] - Boot

 =================================================================================================

VMware Host Guest Client Redirector(VMware, Inc. - VMware Host Guest Client Redirector)[system32\DRIVERS\vmhgfs.sys] - System
Implements the VMware HGFS protocol. This protocol provides connectivity to host files provided by the HGFS server.

 =================================================================================================

Memory Control Driver(VMware, Inc. - Memory Control Driver)[C:\Windows\system32\DRIVERS\vmmemctl.sys] - Autoload
Driver to provide enhanced memory management of this virtual machine.

 =================================================================================================

@oem6.inf,%VMMouse.SvcDesc%;VMware Pointing Device(VMware, Inc. - @oem6.inf,%VMMouse.SvcDesc%;VMware Pointing Device)[C:\Windows\System32\drivers\vmmouse.sys] - System

 =================================================================================================

VMware Physical Disk Helper(VMware, Inc. - VMware Physical Disk Helper)[C:\Windows\system32\DRIVERS\vmrawdsk.sys] - System
VMware Physical Disk Helper

 =================================================================================================

VMware Tools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Autoload
Provides support for synchronizing objects between the host and guest operating systems.

 =================================================================================================

@oem8.inf,%loc.vmxnet3.ndis6.DispName%;vmxnet3 NDIS 6 Ethernet Adapter Driver(Broadcom Inc. - @oem8.inf,%loc.vmxnet3.ndis6.DispName%;vmxnet3 NDIS 6 Ethernet Adapter Driver)[C:\Windows\System32\drivers\vmxnet3.sys] - System

 =================================================================================================

vnetWFP(VMware, Inc. - vnetWFP)[C:\Windows\system32\DRIVERS\vnetWFP.sys] - System
Guest Introspection Network Filter Driver

 =================================================================================================

vsepflt(VMware, Inc. - vsepflt)[system32\DRIVERS\vsepflt.sys] - Boot
Guest Introspection Driver

 =================================================================================================

vSockets Virtual Machine Communication Interface Sockets driver(VMware, Inc. - vSockets Virtual Machine Communication Interface Sockets driver)[system32\DRIVERS\vsock.sys] - Boot
vSockets Driver

 =================================================================================================

@vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver(VIA Corporation - @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver)[System32\drivers\vstxraid.sys] - Boot

 =================================================================================================

@mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service(Mellanox - @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service)[C:\Windows\System32\drivers\winmad.sys] - System

 =================================================================================================

@winusb.inf,%WINUSB_SvcName%;WinUsb Driver(@winusb.inf,%WINUSB_SvcName%;WinUsb Driver)[C:\Windows\System32\drivers\WinUSB.SYS] - System
@winusb.inf,%WINUSB_SvcDesc%;Generic driver for USB devices

 =================================================================================================

@mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service(Mellanox - @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service)[C:\Windows\System32\drivers\winverbs.sys] - System

 =================================================================================================

╔══════════╣ Modifiable Services
╚ Check if you can modify any service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
You cannot modify any service

╔══════════╣ Looking if you can modify any service registry
╚ Check if you can modify the registry of a service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions
[-] Looks like you cannot change the registry of any service...

╔══════════╣ Checking write permissions in PATH folders (DLL Hijacking)
╚ Check for DLL Hijacking in PATH folders https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\

════════════════════════════════════╣ Applications Information ╠════════════════════════════════════

╔══════════╣ Current Active Window Application
[X] Exception: Object reference not set to an instance of an object.

╔══════════╣ Installed Applications --Via Program Files/Uninstall registry--
╚ Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
C:\Program Files\Common Files
C:\Program Files\desktop.ini
C:\Program Files\Internet Explorer
C:\Program Files\Microsoft
C:\Program Files\Microsoft Update Health Tools
C:\Program Files\ModifiableWindowsApps
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Mail
C:\Program Files\Windows Media Player
C:\Program Files\Windows NT
C:\Program Files\Windows Photo Viewer
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell
C:\Windows\System32

╔══════════╣ Autorun Applications
╚ Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at h9.b()

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected) - C:\

 =================================================================================================

RegPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RegPerms: r.andrews [Allow: FullControl]
Key: OneDriveSetup
Folder: C:\Windows\System32
File: C:\Windows\System32\OneDriveSetup.exe /thfirstsetup

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Userinit
Folder: C:\Windows\system32
File: C:\Windows\system32\userinit.exe,

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Shell
Folder: None (PATH Injection)
File: explorer.exe

 =================================================================================================

RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Key: AlternateShell
Folder: None (PATH Injection)
File: cmd.exe

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll

 =================================================================================================

RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: aux
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midi
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midimapper
Folder: None (PATH Injection)
File: midimap.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: mixer
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.imaadpcm
Folder: None (PATH Injection)
File: imaadp32.acm

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msadpcm
Folder: None (PATH Injection)
File: msadp32.acm

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msg711
Folder: None (PATH Injection)
File: msg711.acm

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msgsm610
Folder: None (PATH Injection)
File: msgsm32.acm

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.i420
Folder: None (PATH Injection)
File: iyuv_32.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.iyuv
Folder: None (PATH Injection)
File: iyuv_32.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.mrle
Folder: None (PATH Injection)
File: msrle32.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.msvc
Folder: None (PATH Injection)
File: msvidc32.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.uyvy
Folder: None (PATH Injection)
File: msyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yuy2
Folder: None (PATH Injection)
File: msyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvu9
Folder: None (PATH Injection)
File: tsbyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvyu
Folder: None (PATH Injection)
File: msyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wave
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wavemapper
Folder: None (PATH Injection)
File: msacm32.drv

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.l3acm
Folder: C:\Windows\System32
File: C:\Windows\System32\l3codeca.acm

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: aux
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midi
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midimapper
Folder: None (PATH Injection)
File: midimap.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: mixer
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.imaadpcm
Folder: None (PATH Injection)
File: imaadp32.acm

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msadpcm
Folder: None (PATH Injection)
File: msadp32.acm

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msg711
Folder: None (PATH Injection)
File: msg711.acm

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msgsm610
Folder: None (PATH Injection)
File: msgsm32.acm

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.cvid
Folder: None (PATH Injection)
File: iccvid.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.i420
Folder: None (PATH Injection)
File: iyuv_32.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.iyuv
Folder: None (PATH Injection)
File: iyuv_32.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.mrle
Folder: None (PATH Injection)
File: msrle32.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.msvc
Folder: None (PATH Injection)
File: msvidc32.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.uyvy
Folder: None (PATH Injection)
File: msyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yuy2
Folder: None (PATH Injection)
File: msyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvu9
Folder: None (PATH Injection)
File: tsbyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvyu
Folder: None (PATH Injection)
File: msyuv.dll

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wave
Folder: None (PATH Injection)
File: wdmaud.drv

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wavemapper
Folder: None (PATH Injection)
File: msacm32.drv

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.l3acm
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\l3codeca.acm

 =================================================================================================

RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
Folder: C:\Program Files\Internet Explorer
File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected) - C:\

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: *kernel32
Folder: None (PATH Injection)
File: kernel32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wow64cpu
Folder: None (PATH Injection)
File: wow64cpu.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wowarmhw
Folder: None (PATH Injection)
File: wowarmhw.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _xtajit
Folder: None (PATH Injection)
File: xtajit.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: advapi32
Folder: None (PATH Injection)
File: advapi32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: clbcatq
Folder: None (PATH Injection)
File: clbcatq.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: combase
Folder: None (PATH Injection)
File: combase.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: COMDLG32
Folder: None (PATH Injection)
File: COMDLG32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: coml2
Folder: None (PATH Injection)
File: coml2.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: DifxApi
Folder: None (PATH Injection)
File: difxapi.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdi32
Folder: None (PATH Injection)
File: gdi32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdiplus
Folder: None (PATH Injection)
File: gdiplus.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMAGEHLP
Folder: None (PATH Injection)
File: IMAGEHLP.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMM32
Folder: None (PATH Injection)
File: IMM32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSCTF
Folder: None (PATH Injection)
File: MSCTF.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSVCRT
Folder: None (PATH Injection)
File: MSVCRT.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NORMALIZ
Folder: None (PATH Injection)
File: NORMALIZ.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NSI
Folder: None (PATH Injection)
File: NSI.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: ole32
Folder: None (PATH Injection)
File: ole32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: OLEAUT32
Folder: None (PATH Injection)
File: OLEAUT32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: PSAPI
Folder: None (PATH Injection)
File: PSAPI.DLL

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: rpcrt4
Folder: None (PATH Injection)
File: rpcrt4.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: sechost
Folder: None (PATH Injection)
File: sechost.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: Setupapi
Folder: None (PATH Injection)
File: Setupapi.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHCORE
Folder: None (PATH Injection)
File: SHCORE.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHELL32
Folder: None (PATH Injection)
File: SHELL32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHLWAPI
Folder: None (PATH Injection)
File: SHLWAPI.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: user32
Folder: None (PATH Injection)
File: user32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WLDAP32
Folder: None (PATH Injection)
File: WLDAP32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64
Folder: None (PATH Injection)
File: wow64.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64base
Folder: None (PATH Injection)
File: wow64base.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64con
Folder: None (PATH Injection)
File: wow64con.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64win
Folder: None (PATH Injection)
File: wow64win.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WS2_32
Folder: None (PATH Injection)
File: WS2_32.dll

 =================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: xtajit64
Folder: None (PATH Injection)
File: xtajit64.dll

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Key: StubPath
Folder: \
FolderPerms: Authenticated Users [Allow: AppendData/CreateDirectories]
File: /UserInstall

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\Windows\system32
File: C:\Windows\system32\unregmp2.exe /FirstLogon

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Key: StubPath
Folder: None (PATH Injection)
File: U

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\ie4uinit.exe -UserConfig

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
Key: StubPath
Folder: C:\Program Files (x86)\Microsoft\Edge\Application\100.0.1185.36\Installer
File: C:\Program Files (x86)\Microsoft\Edge\Application\100.0.1185.36\Installer\setup.exe --configure-user-settings --verbose-logging --system-level --msedge (Unquoted and Space detected) - C:\

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\Windows\system32
File: C:\Windows\system32\unregmp2.exe /FirstLogon

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install

 =================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
Folder: C:\Program Files (x86)\Microsoft\Edge\Application\100.0.1185.36\BHO
File: C:\Program Files (x86)\Microsoft\Edge\Application\100.0.1185.36\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected) - C:\

 =================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
Folder: C:\Program Files (x86)\Microsoft\Edge\Application\100.0.1185.36\BHO
File: C:\Program Files (x86)\Microsoft\Edge\Application\100.0.1185.36\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected) - C:\

 =================================================================================================

Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

 =================================================================================================

Folder: C:\windows\tasks
FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]

 =================================================================================================

Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]

 =================================================================================================

Folder: C:\windows
File: C:\windows\system.ini

 =================================================================================================

Folder: C:\windows
File: C:\windows\win.ini

 =================================================================================================

╔══════════╣ Scheduled Applications --Non Microsoft--
╚ Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html

╔══════════╣ Device Drivers --Non Microsoft--
╚ Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers
NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\evbd0a.sys
QLogic 10 GigE - 7.13.171.102 [Marvell Semiconductor Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
VMware vSockets Service - 9.8.19.0 build-18956547 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
VMware PCI VMCI Bus Device - 9.8.18.0 build-18956547 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
Boot Camp - 6.1.0.0 [Apple Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\AppleSSD.sys
LSI 3ware RAID Controller - WindowsBlue [LSI]: \.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
MEGASAS2i RAID Controller Driver for Windows - 6.714.22.00 [Avago Technologies]: \.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
MEGASAS RAID Controller Driver for Windows - 7.717.02.00 [Broadcom Inc]: \.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Broadcom Limited]: \.\GLOBALROOT\SystemRoot\System32\drivers\mpi3drvi.sys
Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
VMware PVSCSI StorPort driver (64-bit) - 1.3.15.0 build-18052479 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\pvscsii.sys
Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1015 [Intel Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
SmartRAID, SmartHBA PQI Storport Driver - 1.50.1.0 [Microsemi Corportation]: \.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
VMware Guest Introspection Driver - 12.1.0.0 build-19947491 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsepflt.sys
VMware Raw Disk Helper Driver - 1.1.7.0 build-18933738 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmrawdsk.sys
VMware Guest Introspection WFP Network Filter Driver - 12.1.0.0 build-19947491 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\system32\DRIVERS\vnetWFP.sys
VMware Pointing PS/2 Device Driver - 12.5.12.0 build-18967789 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
VMware SVGA 3D - 9.17.04.0001 - build-20112898 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
VMware SVGA 3D - 9.17.04.0001 - build-20112898 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
VMware server memory controller - 7.5.7.0 build-18933738 [VMware, Inc.]: \.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys
VMware PCIe Ethernet Adapter NDIS 6.85 (64-bit) - 1.9.19.0 build-24153797 [Broadcom Inc.]: \.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
Intel(R) Gigabit Adapter - 12.19.1.32 [Intel Corporation]: \.\GLOBALROOT\SystemRoot\System32\drivers\e1i68x64.sys

════════════════════════════════════╣ Network Information ╠════════════════════════════════════

╔══════════╣ Network Shares
  [X] Exception: Access denied

╔══════════╣ Enumerate Network Mapped Drives (WMI)

╔══════════╣ Host File

╔══════════╣ Network Ifaces and known hosts
╚ The masks are only for the IPv4 addresses
Ethernet0[00:50:56:8A:FF:9E]: 192.168.107.206 / 255.255.255.0
    Gateways: 192.168.107.254
    Known hosts:
      192.168.107.111       00-50-56-8A-69-BF     Dynamic
      192.168.107.254       00-50-56-8A-C5-9B     Dynamic
      192.168.107.255       FF-FF-FF-FF-FF-FF     Static
      224.0.0.22            01-00-5E-00-00-16     Static
      224.0.0.251           01-00-5E-00-00-FB     Static
      239.255.255.250       01-00-5E-7F-FF-FA     Static

Ethernet1[00:50:56:8A:9D:FF]: 172.16.107.206 / 255.255.255.0
    DNSs: 172.16.107.200
    Known hosts:
      172.16.107.200        00-50-56-8A-59-3E     Dynamic
      172.16.107.255        FF-FF-FF-FF-FF-FF     Static
      224.0.0.22            01-00-5E-00-00-16     Static
      224.0.0.251           01-00-5E-00-00-FB     Static
      224.0.0.252           01-00-5E-00-00-FC     Static
      239.255.255.250       01-00-5E-7F-FF-FA     Static

Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
    DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
    Known hosts:
      224.0.0.22            00-00-00-00-00-00     Static
      239.255.255.250       00-00-00-00-00-00     Static

╔══════════╣ Current TCP Listening Ports
╚ Check for services restricted from the outside

  Enumerating IPv4 connections

  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name

  TCP        0.0.0.0               135           0.0.0.0               0               Listening         1004            svchost
  TCP        0.0.0.0               445           0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               3389          0.0.0.0               0               Listening         1060            svchost
  TCP        0.0.0.0               5040          0.0.0.0               0               Listening         5560            svchost
  TCP        0.0.0.0               5985          0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               47001         0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               49664         0.0.0.0               0               Listening         748             lsass
  TCP        0.0.0.0               49665         0.0.0.0               0               Listening         608             wininit
  TCP        0.0.0.0               49666         0.0.0.0               0               Listening         1448            svchost
  TCP        0.0.0.0               49667         0.0.0.0               0               Listening         2032            svchost
  TCP        0.0.0.0               49668         0.0.0.0               0               Listening         2276            svchost
  TCP        0.0.0.0               49669         0.0.0.0               0               Listening         748             lsass
  TCP        0.0.0.0               49670         0.0.0.0               0               Listening         716             services
  TCP        172.16.107.206        139           0.0.0.0               0               Listening         4               System

  Enumerating IPv6 connections

  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name

  TCP        [::]                  135           [::]                  0               Listening         1004            svchost
  TCP        [::]                  445           [::]                  0               Listening         4               System
  TCP        [::]                  3389          [::]                  0               Listening         1060            svchost
  TCP        [::]                  5985          [::]                  0               Listening         4               System
  TCP        [::]                  47001         [::]                  0               Listening         4               System
  TCP        [::]                  49664         [::]                  0               Listening         748             lsass
  TCP        [::]                  49665         [::]                  0               Listening         608             wininit
  TCP        [::]                  49666         [::]                  0               Listening         1448            svchost
  TCP        [::]                  49667         [::]                  0               Listening         2032            svchost
  TCP        [::]                  49668         [::]                  0               Listening         2276            svchost
  TCP        [::]                  49669         [::]                  0               Listening         748             lsass
  TCP        [::]                  49670         [::]                  0               Listening         716             services

╔══════════╣ Current UDP Listening Ports
╚ Check for services restricted from the outside

  Enumerating IPv4 connections

  Protocol   Local Address         Local Port    Remote Address:Remote Port     Process ID      Process Name

  UDP        0.0.0.0               123           :                              1324            svchost
  UDP        0.0.0.0               500           :                              3100            svchost
  UDP        0.0.0.0               3389          :                              1060            svchost
  UDP        0.0.0.0               4500          :                              3100            svchost
  UDP        0.0.0.0               5050          :                              5560            svchost
  UDP        0.0.0.0               5353          :                              1816            svchost
  UDP        0.0.0.0               5355          :                              1816            svchost
  UDP        127.0.0.1             1900          :                              3204            svchost
  UDP        127.0.0.1             51461         :                              3204            svchost
  UDP        127.0.0.1             52780         :                              748             lsass
  UDP        127.0.0.1             61144         :                              1600            svchost
  UDP        127.0.0.1             61692         :                              7108            C:\Users\r.andrews\Documents\winpeas.exe
  UDP        127.0.0.1             62196         :                              2940            svchost
  UDP        172.16.107.206        137           :                              4               System
  UDP        172.16.107.206        138           :                              4               System
  UDP        172.16.107.206        1900          :                              3204            svchost
  UDP        172.16.107.206        51460         :                              3204            svchost
  UDP        192.168.107.206       137           :                              4               System
  UDP        192.168.107.206       138           :                              4               System
  UDP        192.168.107.206       1900          :                              3204            svchost
  UDP        192.168.107.206       51459         :                              3204            svchost

  Enumerating IPv6 connections

  Protocol   Local Address         Local Port    Remote Address:Remote Port     Process ID      Process Name

  UDP        [::]                  123           :                              1324            svchost
  UDP        [::]                  500           :                              3100            svchost
  UDP        [::]                  3389          :                              1060            svchost
  UDP        [::]                  4500          :                              3100            svchost
  UDP        [::1]                 1900          :                              3204            svchost
  UDP        [::1]                 51458         :                              3204            svchost

╔══════════╣ Firewall Rules
╚ Showing only DENY rules (too many ALLOW rules always)
    Current Profiles: DOMAIN, PUBLIC
    FirewallEnabled (Domain): True
    FirewallEnabled (Private): True
    FirewallEnabled (Public): True
    DENY rules:
  [X] Exception: Object reference not set to an instance of an object.

╔══════════╣ DNS cached --limit 70--
    Entry                 Name                  Data
  [X] Exception: Access denied

╔══════════╣ Enumerating Internet settings, zone and proxy configuration
  General Settings
  Hive    Key                         Value
  HKCU    CertificateRevocation       1
  HKCU    DisableCachingOfSSLPages    0
  HKCU    IE5_UA_Backup_Flag          5.0
  HKCU    PrivacyAdvanced             1
  HKCU    SecureProtocols             10240
  HKCU    User Agent                  Mozilla/5.0 (compatible; MSIE 9.0; Win32)
  HKLM    ActiveXCache                C:\Windows\Downloaded Program Files
  HKLM    CodeBaseSearchPath          CODEBASE
  HKLM    EnablePunycode              1
  HKLM    MinorVersion                0
  HKLM    WarnOnIntranet              1

  Zone Maps
  No URLs configured

  Zone Auth Settings
  No Zone Auth Settings

╔══════════╣ Internet Connectivity
╚ Checking if internet access is possible via different methods
  HTTP (80) Access: Not Accessible
  [X] Exception: Error: A task was canceled.
  HTTPS (443) Access: Not Accessible
  [X] Exception: Error: TCP connect timed out
  HTTPS (443) Access by Domain Name: Not Accessible
  [X] Exception: Error: A task was canceled.
  DNS (53) Access: Not Accessible
  [X] Exception: Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
  ICMP (ping) Access: Not Accessible
  [X] Exception: Error: Ping failed: TimedOut

╔══════════╣ Hostname Resolution
╚ Checking if the hostname can be resolved externally
  [X] Exception: Error during hostname check: An error occurred while sending the request.

════════════════════════════════════╣ Active Directory Quick Checks ╠════════════════════════════════════

╔══════════╣ gMSA readable managed passwords
╚ Look for Group Managed Service Accounts you can read (msDS-ManagedPassword) https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html
  [X] Exception: An operations error occurred.

╔══════════╣ AD CS misconfigurations for ESC
╚  https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html
╚ Check for ADCS misconfigurations in the local DC registry
  [-] Host is not a domain controller. Skipping ADCS Registry check
╚  If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4
  [X] Exception: An operations error occurred.

════════════════════════════════════╣ Cloud Information ╠════════════════════════════════════
Learn and practice cloud hacking in training.hacktricks.xyz
AWS EC2? No
Azure VM? No
Azure Tokens? No
Google Cloud Platform? No
Google Workspace Joined? No
Google Cloud Directory Sync? No
Google Password Sync? No

════════════════════════════════════╣ Windows Credentials ╠════════════════════════════════════

╔══════════╣ Checking Windows Vault
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
  [ERROR] Unable to enumerate vaults. Error (0x-2146892987)
  Not Found

╔══════════╣ Checking Credential manager
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
  [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string

  [!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'
  Please run: cmdkey /list

╔══════════╣ Saved RDP connections
  Not Found

╔══════════╣ Remote Desktop Server/Client Settings
  RDP Server Settings
    Network Level Authentication            :
    Block Clipboard Redirection             :
    Block COM Port Redirection              :
    Block Drive Redirection                 :
    Block LPT Port Redirection              :
    Block PnP Device Redirection            :
    Block Printer Redirection               :
    Allow Smart Card Redirection            :
  RDP Client Settings
    Disable Password Saving                 :    True
    Restricted Remote Administration        :    False

╔══════════╣ Recently run commands
  Not Found

╔══════════╣ Checking for DPAPI Master Keys
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
  Not Found

╔══════════╣ Checking for DPAPI Credential Files
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
  Not Found

╔══════════╣ Checking for RDCMan Settings Files
╚ Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
  Not Found

╔══════════╣ Looking for Kerberos tickets
╚  https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html
  serverName: ws26$
  RealmName:
  StartTime: 2/28/2026 8:29:41 AM
  EndTime: 2/28/2026 8:44:41 AM
  RenewTime: 3/7/2026 8:06:38 AM
  EncryptionType: aes256_cts_hmac_sha1_96
  TicketFlags: name_canonicalize, pre_authent, renewable, forwardable
  =================================================================================================

╔══════════╣ Looking for saved Wifi credentials
  [X] Exception: The service has not been started
  Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
  No saved Wifi credentials found

╔══════════╣ Looking AppCmd.exe
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
  Not Found
  You must be an administrator to run this check

╔══════════╣ Looking SSClient.exe
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm
  Not Found

╔══════════╣ Enumerating SSCM - System Center Configuration Manager settings

╔══════════╣ Enumerating Security Packages Credentials
  [X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d5353500003000000010001006000000000000000610000000000000058000000000000005800000008000800580000000000000061000000058a80a20a005d580000000fe613729a2eb09a10c8b9975c6cfe7d7d570053003200360000

════════════════════════════════════╣ Browsers Information ╠════════════════════════════════════

╔══════════╣ Showing saved credentials for Firefox
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Looking for Firefox DBs
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
  Not Found

╔══════════╣ Looking for GET credentials in Firefox history
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
  Not Found

╔══════════╣ Showing saved credentials for Chrome
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Looking for Chrome DBs
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
  Not Found

╔══════════╣ Looking for GET credentials in Chrome history
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
  Not Found

╔══════════╣ Chrome bookmarks
  Not Found

╔══════════╣ Showing saved credentials for Opera
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Brave Browser
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Internet Explorer (unsupported)
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Current IE tabs
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
  [X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. - System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password.
   --- End of inner exception stack trace ---
   at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
   at fm.l()
  Not Found

╔══════════╣ Looking for GET credentials in IE history
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history

╔══════════╣ IE history -- limit 50
  http://go.microsoft.com/fwlink/p/?LinkId=255141

╔══════════╣ IE favorites
  Not Found

════════════════════════════════════╣ Interesting files and registry ╠════════════════════════════════════

╔══════════╣ Putty Sessions
  Not Found

╔══════════╣ Putty SSH Host keys
  Not Found

╔══════════╣ SSH keys in registry
╚ If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry
  Not Found

╔══════════╣ SuperPutty configuration files

╔══════════╣ Enumerating Office 365 endpoints synced by OneDrive.
  SID: S-1-5-19
  =================================================================================================

  SID: S-1-5-20
  =================================================================================================

  SID: S-1-5-21-2481101513-2954867870-2660283483-1106
  =================================================================================================

  SID: S-1-5-18
  =================================================================================================

╔══════════╣ Cloud Credentials
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
  Not Found

╔══════════╣ Unattend Files
  C:\Windows\Panther\Unattend.xml
  SENSITIVEDATADELETED Admin true 1 SENSITIVEDATADELETED

╔══════════╣ Looking for common SAM & SYSTEM backups

╔══════════╣ Looking for McAfee Sitelist.xml Files

╔══════════╣ Cached GPP Passwords

╔══════════╣ Looking for possible regs with creds
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry
  Not Found
  Not Found
  Not Found
  Not Found

╔══════════╣ Looking for possible password files in users homes
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
  C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

╔══════════╣ Searching for Oracle SQL Developer config files

╔══════════╣ Slack files & directories
  note: check manually if something is found

╔══════════╣ Looking for LOL Binaries and Scripts (can be slow)
╚  https://lolbas-project.github.io/
  [!] Check skipped, if you want to run it, please specify '-lolbas' argument

╔══════════╣ Enumerating Outlook download files

╔══════════╣ Enumerating machine and user certificate files

╔══════════╣ Searching known files that can contain creds in home
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials

╔══════════╣ Looking for documents --limit 100--
  Not Found

╔══════════╣ Office Most Recent Files -- limit 50
  Last Access Date        User            Application     Document

╔══════════╣ Recent files --limit 70--
  Not Found

╔══════════╣ Looking inside the Recycle Bin for creds files
╚  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
  Not Found

╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)
  C:\Users\Default
  C:\Users\Default User
  C:\Users\Default
  C:\Users\All Users
  C:\Users\All Users

╔══════════╣ Searching interesting files in other users home directories (can be slow)
  [X] Exception: Object reference not set to an instance of an object.

╔══════════╣ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
  File Permissions "C:\Users\r.andrews\Documents\winpeas.exe": r.andrews [Allow: AllAccess]

╔══════════╣ Looking for Linux shells/distributions - wsl.exe, bash.exe
  C:\Windows\System32\wsl.exe
  WSL - no installed Linux distributions found.