# Checklist - Local Windows Privilege Escalation
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)!
支持HackTricks的其他方式:
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
**Try Hard Security Group**
{% embed url="" %}
***
### **查找Windows本地权限提升向量的最佳工具:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
### [系统信息](/windows-hardening/windows-local-privilege-escalation.md#system-info)
* [ ] 获取[**系统信息**](/windows-hardening/windows-local-privilege-escalation.md#system-info)
* [ ] 使用脚本搜索**内核**[**漏洞**](/windows-hardening/windows-local-privilege-escalation.md#version-exploits)
* [ ] 使用**Google搜索**内核**漏洞**
* [ ] 使用**searchsploit搜索**内核**漏洞**
* [ ] [**环境变量**](/windows-hardening/windows-local-privilege-escalation.md#environment)中有趣的信息?
* [ ] [**PowerShell历史记录**](/windows-hardening/windows-local-privilege-escalation.md#powershell-history)中的密码?
* [ ] [**Internet设置**](/windows-hardening/windows-local-privilege-escalation.md#internet-settings)中有趣的信息?
* [ ] [**驱动器**](/windows-hardening/windows-local-privilege-escalation.md#drives)?
* [ ] [**WSUS漏洞**](/windows-hardening/windows-local-privilege-escalation.md#wsus)?
* [ ] [**AlwaysInstallElevated**](/windows-hardening/windows-local-privilege-escalation.md#alwaysinstallelevated)?
### [日志/AV枚举](/windows-hardening/windows-local-privilege-escalation.md#enumeration)
* [ ] 检查[**审计**](/windows-hardening/windows-local-privilege-escalation.md#audit-settings)和[**WEF**](/windows-hardening/windows-local-privilege-escalation.md#wef)设置
* [ ] 检查[**LAPS**](/windows-hardening/windows-local-privilege-escalation.md#laps)
* [ ] 检查是否激活了[**WDigest**](/windows-hardening/windows-local-privilege-escalation.md#wdigest)
* [ ] [**LSA保护**](/windows-hardening/windows-local-privilege-escalation.md#lsa-protection)?
* [ ] [**凭据保护**](/windows-hardening/windows-local-privilege-escalation.md#credentials-guard)[?](/windows-hardening/windows-local-privilege-escalation.md#cached-credentials)
* [ ] [**缓存凭据**](/windows-hardening/windows-local-privilege-escalation.md#cached-credentials)?
* [ ] 检查是否有任何[**AV**](https://github.com/carlospolop/hacktricks/blob/cn/windows-hardening/windows-av-bypass/README.md)
* [ ] [**AppLocker策略**](https://github.com/carlospolop/hacktricks/blob/cn/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
* [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/cn/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
* [ ] [**用户权限**](/windows-hardening/windows-local-privilege-escalation.md#users-and-groups)
* [ ] 检查[**当前**用户**权限**](/windows-hardening/windows-local-privilege-escalation.md#users-and-groups)
* [ ] 您是否是任何特权组的[**成员**](/windows-hardening/windows-local-privilege-escalation.md#privileged-groups)?
* [ ] 检查是否启用了以下任何令牌]\(windows-local-privilege-escalation/#token-manipulation):**SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
* [ ] [**用户会话**](/windows-hardening/windows-local-privilege-escalation.md#logged-users-sessions)?
* [ ] 检查[**用户主目录**](/windows-hardening/windows-local-privilege-escalation.md#home-folders)(访问?)
* [ ] 检查[**密码策略**](/windows-hardening/windows-local-privilege-escalation.md#password-policy)
* [ ] [**剪贴板**](/windows-hardening/windows-local-privilege-escalation.md#get-the-content-of-the-clipboard)中有什么?
### [网络](/windows-hardening/windows-local-privilege-escalation.md#network)
* 检查**当前**[**网络** **信息**](/windows-hardening/windows-local-privilege-escalation.md#network)
* 检查**隐藏的本地服务**是否受限于外部
### [运行进程](/windows-hardening/windows-local-privilege-escalation.md#running-processes)
* 进程二进制文件和文件夹权限[**文件和文件夹权限**](/windows-hardening/windows-local-privilege-escalation.md#file-and-folder-permissions)
* [**内存密码挖掘**](/windows-hardening/windows-local-privilege-escalation.md#memory-password-mining)
* [**不安全的GUI应用程序**](/windows-hardening/windows-local-privilege-escalation.md#insecure-gui-apps)
* 通过`ProcDump.exe`窃取**有趣进程**的凭据?(firefox,chrome等...)
### [服务](/windows-hardening/windows-local-privilege-escalation.md#services)
* [您能否**修改任何服务**?](/windows-hardening/windows-local-privilege-escalation.md#permissions)
* [您能否**修改**任何**服务**执行的**二进制文件**?](/windows-hardening/windows-local-privilege-escalation.md#modify-service-binary-path)
* [您能否**修改**任何**服务**的**注册表**?](/windows-hardening/windows-local-privilege-escalation.md#services-registry-modify-permissions)
* 您能否利用任何**未加引号的服务**二进制**路径**?]\(windows-local-privilege-escalation/#unquoted-service-paths)
### [**应用程序**](/windows-hardening/windows-local-privilege-escalation.md#applications)
* **写入**[**已安装应用程序**](/windows-hardening/windows-local-privilege-escalation.md#write-permissions)的权限
* [**启动应用程序**](/windows-hardening/windows-local-privilege-escalation.md#run-at-startup)
* **易受攻击的**[**驱动程序**](/windows-hardening/windows-local-privilege-escalation.md#drivers)
### [DLL劫持](/windows-hardening/windows-local-privilege-escalation.md#path-dll-hijacking)
* [ ] 你可以**在PATH中的任何文件夹中写入**吗?
* [ ] 是否有任何已知的服务二进制文件**尝试加载任何不存在的DLL**?
* [ ] 你可以**写入**任何**二进制文件夹**吗?
### [网络](/windows-hardening/windows-local-privilege-escalation.md#network)
* [ ] 枚举网络(共享、接口、路由、邻居,...)
* [ ] 特别关注监听在本地主机(127.0.0.1)上的网络服务
### [Windows凭证](/windows-hardening/windows-local-privilege-escalation.md#windows-credentials)
* [ ] [**Winlogon**](/windows-hardening/windows-local-privilege-escalation.md#winlogon-credentials)凭证
* [ ] 你可以使用的[**Windows Vault**](/windows-hardening/windows-local-privilege-escalation.md#credentials-manager-windows-vault)凭证?
* [ ] 有趣的[**DPAPI凭证**](/windows-hardening/windows-local-privilege-escalation.md#dpapi)?
* [ ] 已保存的[**Wifi网络**](/windows-hardening/windows-local-privilege-escalation.md#wifi)密码?
* [ ] 已保存的[**RDP连接**](/windows-hardening/windows-local-privilege-escalation.md#saved-rdp-connections)中的有趣信息?
* [ ] [**最近运行的命令**](/windows-hardening/windows-local-privilege-escalation.md#recently-run-commands)中的密码?
* [ ] [**远程桌面凭证管理器**](/windows-hardening/windows-local-privilege-escalation.md#remote-desktop-credential-manager)密码?
* [ ] [**AppCmd.exe**是否存在](/windows-hardening/windows-local-privilege-escalation.md#appcmd-exe)?凭证?
* [ ] [**SCClient.exe**](/windows-hardening/windows-local-privilege-escalation.md#scclient-sccm)?DLL侧加载?
### [文件和注册表(凭证)](/windows-hardening/windows-local-privilege-escalation.md#files-and-registry-credentials)
* [ ] **Putty:** [**凭证**](/windows-hardening/windows-local-privilege-escalation.md#putty-creds) **和** [**SSH主机密钥**](/windows-hardening/windows-local-privilege-escalation.md#putty-ssh-host-keys)
* [ ] 注册表中的[**SSH密钥**](/windows-hardening/windows-local-privilege-escalation.md#ssh-keys-in-registry)?
* [ ] [**无人值守文件**](/windows-hardening/windows-local-privilege-escalation.md#unattended-files)中的密码?
* [ ] 任何[**SAM和SYSTEM**](/windows-hardening/windows-local-privilege-escalation.md#sam-and-system-backups)备份?
* [ ] [**云凭证**](/windows-hardening/windows-local-privilege-escalation.md#cloud-credentials)?
* [ ] [**McAfee SiteList.xml**](https://hacktricks.xsx.tw/windows-hardening/pages/flWGSMTybKsUJLqsox9H#mcafee-sitelist.xml)文件?
* [ ] [**缓存的GPP密码**](/windows-hardening/windows-local-privilege-escalation.md#cached-gpp-pasword)?
* [ ] [**IIS Web配置文件**](/windows-hardening/windows-local-privilege-escalation.md#iis-web-config)中的密码?
* [ ] [**Web日志**](/windows-hardening/windows-local-privilege-escalation.md#logs)中的有趣信息?
* [ ] 你想要向用户[**请求凭证**](/windows-hardening/windows-local-privilege-escalation.md#ask-for-credentials)吗?
* [ ] 回收站中的[**有凭证的文件**](/windows-hardening/windows-local-privilege-escalation.md#credentials-in-the-recyclebin)?
* [ ] 其他包含凭证的[**注册表**](/windows-hardening/windows-local-privilege-escalation.md#inside-the-registry)?
* [ ] 浏览器数据中(数据库、历史记录、书签,...)的[**通用密码搜索**](/windows-hardening/windows-local-privilege-escalation.md#browsers-history)?
* [ ] 在文件和注册表中进行[**通用密码搜索**](/windows-hardening/windows-local-privilege-escalation.md#generic-password-search-in-files-and-registry)?
* [ ] 自动搜索密码的[**工具**](/windows-hardening/windows-local-privilege-escalation.md#tools-that-search-for-passwords)?
### [泄漏的处理程序](/windows-hardening/windows-local-privilege-escalation.md#leaked-handlers)
* [ ] 你可以访问任何由管理员运行的进程的处理程序吗?
### [管道客户端冒充](/windows-hardening/windows-local-privilege-escalation.md#named-pipe-client-impersonation)
* [ ] 检查是否可以滥用它
**Try Hard Security Group**
{% embed url="" %}
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)!
支持HackTricks的其他方式:
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live) 上**关注**我们。
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://hacktricks.xsx.tw/windows-hardening/checklist-windows-privilege-escalation.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.