Windows Local Privilege Escalation
Windows Privileges

Accessing the NT Authority account on a Windows system can be a bit troublesome. When performing local escalation, the objective will be to add an Administrator account.

Regular User: The most basic type of access an account can have on a given system. A regular user will usually have access solely to their own files and applications, but to none of the other system settings or directories.

NT Authority: The most privileged account on the local system (NT AUTHORITY\SYSTEM). It has access to all system settings and directories, including lower-level data.

Admin: The "privileged" account of the local system. The Administrator account also has access to all of the regular users' data, but is still restricted from some lower-level system settings.
Domain Privileges

Despite the privileges administrators in a domain have, they do not have privileges over locally created content.

Delegated Admin: Delegated administrators are typically users in charge of controlling and enforcing certain roles and features, and will usually have limited privileged permissions.

Enterprise Admin: Enterprise administrators have permissions regarding the entire ecosystem of the organization.

Domain Admin: Users with administrative domain permissions hold the highest permissions within the domain scope.
Windows Boot Process

MBR: The basic input/output system (BIOS) executes the master boot record, which in turn executes the bootloader code.

Windows Bootloader: The Windows bootloader is responsible for loading the operating system itself; when interrupted, it can choose where to boot from or with what configuration.

Kernel: The kernel is the first program to load after the bootloader. It takes part in loading the operating system and establishing communication with input and output devices.

Winlogon: Winlogon is considered to be the father of all processes in an operating system. It is also responsible for limiting privileges when a user logs in.

Run Level: Run-level operations are those with reduced permissions. After the system has booted and a user logs in, NT Authority's privileges are no longer required.

(Diagram: boot sequence 1 MBR, 2 bootloader, 3 kernel, 4 winlogon, 5 run level.)
The Trick

Digital Signature: A mathematical scheme used for authentication of digital messages or files. The digital signature verifies the identity of the file creator and the integrity of the data. Without these two elements, the file's credibility cannot be trusted. Unfortunately, winlogon does not verify a digital signature and might be vulnerable to file substitution.

Below are some common programs that can be launched by winlogon without verification:

Sticky Keys
  Purpose: helps disabled users make the Ctrl, Windows and Alt keys "stick," so they can be pressed one key at a time instead of all of them simultaneously.
  Location: C:\Windows\System32\sethc.exe

Magnify
  Purpose: helps disabled users view different sections of the screen in a magnified window.
  Location: C:\Windows\System32\magnify.exe

Ease of Access
  Purpose: a utility that enables multiple disability-friendly features to help disabled users with computer usage.
  Location: C:\Windows\System32\utilman.exe

Logon Options

When at the logon window, Windows allows several programs to be executed:
• Sticky Keys – by pressing the 'Shift' key 5 times
• Magnify – by pressing 'Win' + '+'
• Ease of Access – by clicking the accessibility icon in the lower left

Because these programs execute before privileges are limited, they run as NT Authority.
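To check whether the accessibility binaries winlogon launches from the logon screen have been swapped, here is an added PowerShell audit (not from the original slides); it assumes it runs elevated on the host being checked, and the baseline hash file path is hypothetical. A copied cmd.exe still carries a valid Microsoft signature, so the check also compares the version resource's OriginalFilename and a stored hash.

```powershell
# Added example (not from the original slides): verify that the accessibility
# binaries launched by winlogon are still the Microsoft originals.
$targets = @(
    'sethc.exe',    # Sticky Keys
    'utilman.exe',  # Ease of Access
    'magnify.exe'   # Magnify
)
$sys32    = Join-Path $env:SystemRoot 'System32'
$baseline = 'C:\baseline\accessibility-hashes.json'   # assumed location,
                                                       # {"sethc.exe": "<sha256>", ...}
$known = if (Test-Path $baseline) { Get-Content $baseline | ConvertFrom-Json } else { $null }

foreach ($name in $targets) {
    $path   = Join-Path $sys32 $name
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $info   = (Get-Item $path).VersionInfo
    $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $issues = @()

    # An unsigned or modified file fails here, but a Microsoft-signed binary
    # copied over the target does not: the signature alone is not enough.
    if ($sig.Status -ne 'Valid') { $issues += "signature $($sig.Status)" }

    # cmd.exe copied over sethc.exe keeps cmd.exe's version resource, so the
    # OriginalFilename no longer matches the name on disk (case-insensitive).
    if ($info.OriginalFilename -and $info.OriginalFilename -ne $name) {
        $issues += "OriginalFilename is '$($info.OriginalFilename)'"
    }

    # Compare against a hash recorded from a known-good build, if available.
    if ($known -and $known.$name -and $known.$name -ne $hash) {
        $issues += 'hash differs from baseline'
    }

    $status = if ($issues) { 'TAMPERED? ' + ($issues -join '; ') } else { 'ok' }
    '{0,-14} {1}' -f $name, $status
}
```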
Live System

Unlike local escalations on Linux systems, in order to perform a successful privilege escalation on a Windows system we will need a live OS, for example:
• Linux
• Windows Rescue CD
• Hiren's Boot CD

When operating through a live system, all computer resources are available, but the data of the live OS is not saved to the original OS.
Choosing Tools

Live OS: Live OSes come in many variations, and most technicians and pen testers carry one. For the sake of local PE on a Windows machine, the OS is not important as long as it can mount the hard drive. Usually the choice will be a Linux OS or Hiren's Boot CD, because a Windows rescue CD will work only for that specific Windows version.

Below are the common live OS options and the pros and cons of each:

Linux distro CD
  Pros: can be booted on almost all systems
  Cons: requires some knowledge of using a Linux operating system

Hiren's Boot CD
  Pros: includes many 'minified' live OSes, including Linux and mini Windows XP
  Cons: the 'minified' systems can restrict some advanced functionality

Windows Rescue CD
  Pros: can help with native Windows errors
  Cons: might not work on versions of Windows other than the one it belongs to
Mounting the Drive

After a successful boot to the live system, the original OS's hard drive still needs to be loaded in order to provide access to the system files.

If the live system is a Windows repair CD, the drive will be mounted automatically under the original letter 'C:'. The recovery command prompt is available through the advanced recovery options.
WINDOWS
The command prompt is launched at 'X:', which is the rescue CD. Type C: to change to the system drive. The OS location can be checked with the command bcdedit | find "osdevice". Navigation within folders is done with dir and cd. Copying and overwriting files is done with copy.

LINUX
On a Linux live OS, some manual searching is done with lsblk. Once the drive is identified, it can be mounted manually with mount [drive] [mount location]. Navigation within folders is done with ls and cd. Copying and overwriting files is done with cp and mv.
Replacing the Files

Having mounted the original OS files, the next step is to replace one of the target programs with the cmd.exe program.

There are a few more target programs that can be used in addition to the ones mentioned. They are located in 'C:\Windows\System32'.

It is highly recommended to make a backup of the original files before overwriting them.
Result

After swapping the files and rebooting the system, back at the logon window there is now a slight difference: if an attempt to launch the replaced target program is made, 'cmd.exe' will be launched instead. Being launched by winlogon, the command prompt will have escalated privileges.
Adding a User

From within the command prompt, the following commands are used to create a user with administrative privileges for further use:
• net user [username] [password] /add – creates a user with the given name and password
• net localgroup administrators [username] /add – adds the user to the Administrators group

If all steps are executed correctly, a new privileged user will be present on the system.
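To detect the account-creation step above after the fact, here is an added PowerShell example (not from the original slides) that reviews the Security log for event 4720 (user account created) and event 4732 (member added to a security-enabled local group); it assumes an elevated session and a seven-day lookback window.

```powershell
# Added example (not from the original slides): find local account creations
# and additions to the built-in Administrators group, and flag those carried
# out by Local System, which is what a winlogon-spawned cmd.exe runs as.
$lookback = (Get-Date).AddDays(-7)   # assumed window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4732
    StartTime = $lookback
} -ErrorAction SilentlyContinue

function Get-EventField {
    # Pull one named <Data> value out of the event's XML payload.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

foreach ($e in $events) {
    $subjectSid  = Get-EventField $e 'SubjectUserSid'
    $subjectName = Get-EventField $e 'SubjectUserName'

    if ($e.Id -eq 4720) {
        $target = Get-EventField $e 'TargetUserName'
        $what   = "account '$target' created"
    } else {
        # 4732: TargetSid is the group, MemberSid the account that was added.
        # S-1-5-32-544 is the built-in Administrators group on any language.
        if ((Get-EventField $e 'TargetSid') -ne 'S-1-5-32-544') { continue }
        $member = Get-EventField $e 'MemberSid'
        $what   = "SID $member added to Administrators"
    }

    # S-1-5-18 is Local System. Interactive admin work is done from a user's
    # own logon session, so account changes by Local System deserve a look.
    $flag = if ($subjectSid -eq 'S-1-5-18') { 'SUSPICIOUS' } else { 'review' }
    '{0} [{1}] {2} by {3} ({4})' -f $e.TimeCreated, $flag, $what, $subjectName, $subjectSid
}
```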
Means of Protection

BIOS Password: Setting a BIOS password may protect the computer from having its boot order changed. Unfortunately, if the CMOS battery is taken out, the password is reset.

Restrict Access: More of a precautionary step than a security method: never leave a computer unattended or in an easily accessible area. In most cases, this is not an enforceable option.

Encrypt Drive: Encrypting the hard drive is likely the better option, because it prevents reading from or writing to the drive from an external live OS. Encryption can be achieved with either external tools like 'VeraCrypt' or built-in systems like 'BitLocker'.