# Windows Hardening - [Checklist - Local Windows Privilege Escalation](https://hacktricks.xsx.tw/windows-hardening/checklist-windows-privilege-escalation.md) - [Windows Local Privilege Escalation](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation.md) - [Abusing Tokens](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md) - [Access Tokens](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/access-tokens.md) - [ACLs - DACLs/SACLs/ACEs](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md) - [AppendData/AddSubdirectory permission over service registry](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md) - [Create MSI with WIX](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md) - [COM Hijacking](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/com-hijacking.md) - [Dll Hijacking](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md) - [Writable Sys Path +Dll Hijacking Privesc](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md) - [DPAPI - Extracting Passwords](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md) - [From High Integrity to SYSTEM with Name Pipes](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md) - [Integrity Levels](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/integrity-levels.md) - [JuicyPotato](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/juicypotato.md) - [Leaked Handle Exploitation](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md) - [MSI Wrapper](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md) - [Named Pipe Client Impersonation](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md) - [Privilege Escalation with Autoruns](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md) - [RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md) - [SeDebug + SeImpersonate copy token](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md) - [SeImpersonate from High To System](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md) - [Windows C Payloads](https://hacktricks.xsx.tw/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md) - [Active Directory Methodology](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology.md) - [Abusing Active Directory ACLs/ACEs](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/acl-persistence-abuse.md) - [Shadow Credentials](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md) - [AD Certificates](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/ad-certificates.md) - [AD CS Account Persistence](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md) - [AD CS Domain Escalation](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md) - [AD CS Domain Persistence](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md) - [AD CS Certificate Theft](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md) - [AD information in printers](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/ad-information-in-printers.md) - [AD DNS Records](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/ad-dns-records.md) - [ASREPRoast](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/asreproast.md) - [BloodHound & Other AD Enum Tools](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/bloodhound.md) - [Constrained Delegation](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/constrained-delegation.md) - [Custom SSP](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/custom-ssp.md) - [DCShadow](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/dcshadow.md) - [DCSync](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/dcsync.md) - [Diamond Ticket](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/diamond-ticket.md) - [DSRM Credentials](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/dsrm-credentials.md) - [External Forest Domain - OneWay (Inbound) or bidirectional](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md) - [External Forest Domain - One-Way (Outbound)](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md) - [Golden Ticket](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/golden-ticket.md) - [Kerberoast](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/kerberoast.md) - [Kerberos Authentication](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/kerberos-authentication.md) - [Kerberos Double Hop Problem](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md) - [LAPS](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/laps.md) - [MSSQL AD Abuse](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/abusing-ad-mssql.md) - [Over Pass the Hash/Pass the Key](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md) - [Pass the Ticket](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/pass-the-ticket.md) - [Password Spraying / Brute Force](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/password-spraying.md) - [PrintNightmare](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/printnightmare.md) - [Force NTLM Privileged Authentication](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md) - [Privileged Groups](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md) - [RDP Sessions Abuse](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md) - [Resource-based Constrained Delegation](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md) - [Security Descriptors](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/security-descriptors.md) - [SID-History Injection](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/sid-history-injection.md) - [Silver Ticket](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/silver-ticket.md) - [Skeleton Key](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/skeleton-key.md) - [Unconstrained Delegation](https://hacktricks.xsx.tw/windows-hardening/active-directory-methodology/unconstrained-delegation.md) - [Windows Security Controls](https://hacktricks.xsx.tw/windows-hardening/authentication-credentials-uac-and-efs.md) - [UAC - User Account Control](https://hacktricks.xsx.tw/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md) - [NTLM](https://hacktricks.xsx.tw/windows-hardening/ntlm.md) - [Places to steal NTLM creds](https://hacktricks.xsx.tw/windows-hardening/ntlm/places-to-steal-ntlm-creds.md) - [Lateral Movement](https://hacktricks.xsx.tw/windows-hardening/lateral-movement.md) - [AtExec / SchtasksExec](https://hacktricks.xsx.tw/windows-hardening/lateral-movement/atexec.md) - [DCOM Exec](https://hacktricks.xsx.tw/windows-hardening/lateral-movement/dcom-exec.md) - [PsExec/Winexec/ScExec](https://hacktricks.xsx.tw/windows-hardening/lateral-movement/psexec-and-winexec.md) - [SmbExec/ScExec](https://hacktricks.xsx.tw/windows-hardening/lateral-movement/smbexec.md) - [WinRM](https://hacktricks.xsx.tw/windows-hardening/lateral-movement/winrm.md) - [WmicExec](https://hacktricks.xsx.tw/windows-hardening/lateral-movement/wmicexec.md) - [Stealing Windows Credentials](https://hacktricks.xsx.tw/windows-hardening/stealing-credentials.md) - [Windows Credentials Protections](https://hacktricks.xsx.tw/windows-hardening/stealing-credentials/credentials-protections.md) - [Mimikatz](https://hacktricks.xsx.tw/windows-hardening/stealing-credentials/credentials-mimikatz.md) - [WTS Impersonator](https://hacktricks.xsx.tw/windows-hardening/stealing-credentials/wts-impersonator.md) - [Basic Win CMD for Pentesters](https://hacktricks.xsx.tw/windows-hardening/basic-cmd-for-pentesters.md) - [Basic PowerShell for Pentesters](https://hacktricks.xsx.tw/windows-hardening/basic-powershell-for-pentesters.md) - [PowerView/SharpView](https://hacktricks.xsx.tw/windows-hardening/basic-powershell-for-pentesters/powerview.md) - [Antivirus (AV) Bypass](https://hacktricks.xsx.tw/windows-hardening/av-bypass.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hacktricks.xsx.tw/windows-hardening.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.