PrivescCheck: Privilege Escalation Enumeration Script for Windows

PrivescCheck aims to discover Windows problems which can be used for escalating privileges. He also collects various information which may be useful for exploitation and post-exploitation.

The purpose of this tool is to help security researchers identify potential vulnerabilities in Windows machines during pentest testing and Workstation / VDI checks. It is not intended to be used for purely professional use by Red Teamers, although it may provide you with a lot of useful information about the security of your systems.

get help 768x391


Current User

  • Invoke-UserCheck - Gets the username and SID of the current user
  • Invoke-UserGroupsCheck - Enumerates groups the current user belongs to except default and low-privileged ones
  • Invoke-UserPrivilegesCheck - Enumerates the high potential privileges of the current user's token


  • Invoke-InstalledServicesCheck - Enumerates non-default services
  • Invoke-ServicesPermissionsCheck - Enumerates the services the current can modify through the service control manager
  • Invoke-ServicesPermissionsRegistryCheck - Enumerates services that can be modified in the registry
  • Invoke-ServicesImagePermissionsCheck - Enumerates all the services that have a modifiable binary (or argument)
  • Invoke-ServicesUnquotedPathCheck - Enumerates services with an unquoted path that can be exploited

Dll Hijacking

  • Invoke-DllHijackingCheck - Checks whether any of the system path folders is modifiable


  • Invoke-InstalledProgramsCheck - Enumerates the applications that are not installed by default
  • Invoke-ModifiableProgramsCheck - Enumerates applications which have a modifiable EXE of DLL file
  • Invoke-RunningProcessCheck - Enumerates the running processes


  • Invoke-SamBackupFilesCheck - Checks common locations for the SAM / SYSTEM backup files
  • Invoke-UnattendFilesCheck - Enumerates Unattend files and extracts credentials
  • Invoke-WinlogonCheck - Checks credentials stored in the Winlogon registry key
  • Invoke-CredentialFilesCheck - Lists the Credential files that are stored in the current user AppData folders
  • Invoke-CredentialManagerCheck - Enumerates credentials saved in the Credential Manager
  • Invoke-GPPPasswordCheck - Lists Group Policy Preferences (GPP) containing a non-empty "cpassword" field


  • Invoke-UacCheck - Checks whether UAC (User Access Control) is enabled
  • Invoke-LapsCheck - Checks whether LAPS (Local Admin Password Solution) is enabled
  • Invoke-PowershellTranscriptionCheck - Checks whether PowerShell Transcription is configured / enabled
  • Invoke-RegistryAlwaysInstallElevatedCheck - Checks whether the AlwaysInstallElevated key is set in the registry
  • Invoke-LsaProtectionsCheck - Checks whether LSASS is running as a Protected Process (+ additional checks)


  • Invoke-TcpEndpointsCheck - Enumerates unusual TCP endpoints on the local machine (IPv4 and IPv6)
  • Invoke-UdpEndpointsCheck - Enumerates unusual UDP endpoints on the local machine (IPv4 and IPv6)


  • Invoke-WindowsUpdateCheck - Checks the last update time of the machine
  • Invoke-SystemInfoCheck - Gets the name of the operating system and the full version string
  • Invoke-LocalAdminGroupCheck - Enumerates the members of the default local admin group
  • Invoke-MachineRoleCheck - Gets the role of the machine (workstation, server, domain controller)
  • Invoke-SystemStartupHistoryCheck - Gets a list of system startup events
  • Invoke-SystemStartupCheck - Gets the last system startup time
  • Invoke-SystemDrivesCheck - Gets a list of local drives and network shares that are currently mapped


1. Basic use

From the command line:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

From PowerShell:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck

From PowerShell without modifying the policy:

PS C:\Temp\> Get-Content .\PrivescCheck.ps1 | Out-String | IEX
PS C:\Temp\> Invoke-PrivescCheck

2. Extended operation

By default, the field is limited to vulnerability detection, but you can get a lot more information with the option -Extended:

Invoke-PrivescCheck -Extended

3. Create reference files

You can use the options -Reportand -Formatto save script results to files in various formats. Acceptable forms areTXTCSVHTMLand XML. If the -Formatis empty, the default format is TXT, which is a simple copy of what is printed on our terminal.

Its price -Reportwill be used as the primary name for the final report, the extension will be appended automatically depending on the selected formats.

Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME%
Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML

You can download the program from here.

Read them Technology News from all over the world, with the validity of

Follow us on Google News at Google news