Windows Privesc Check - PowerShell
WindowsPrivescCheck Fixed module definition parameters Jun 4, 2014
LICENSE Added LICENSE Jun 4, 2014

Windows Privesc Check - PowerShell

After trying to fix the code of the original Windows Privesc Check tool and crying rivers of blood, I decided to look for a more appropriate tool for the task. This is an experiment to implement similar functionality in PowerShell, which is available by default in every Windows installation since Windows 7/Server 2008 R2.

This is my first PowerShell project, but I still hope that my code will be better than the monolithic Python-Pyinstaller-ASCIIonly predecessor. Pull requests and issue reports are welcome, of course.

Current functionality

  • Check insecure permissions on
    • Service binaries
    • Directories in %PATH%
    • Files under %SYSTEMROOT%
    • Service related registry keys
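
As an added illustration of the "Directories in %PATH%" check (this is example code written for this page, not taken from the project), the audit below lists PATH directories whose ACL lets a broad, unprivileged group create files or change permissions. The function name `Get-WritablePathDirectory` and the choice of which SIDs count as "broad" are assumptions of the example.

```powershell
# Well-known SIDs treated as unprivileged for this audit (assumption of the example).
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Only the bits that allow planting a file or rewriting the ACL. Composite rights such
# as Modify are not used as a mask because they also contain read bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
# ACEs can also carry raw GENERIC_WRITE / GENERIC_ALL bits that have no enum name.
$GenericMask = 0x40000000 -bor 0x10000000

function Get-WritablePathDirectory {
    param([string]$PathValue = $env:PATH)

    foreach ($entry in ($PathValue -split ';')) {
        # PATH entries may be quoted, padded, or contain unexpanded %VARIABLES%.
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of ${dir}: $($_.Exception.Message)"
            continue
        }

        # Resolve identities to SIDs so the comparison works on localized systems.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to the directory itself.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if ($BroadSids -notcontains $ace.IdentityReference.Value) { continue }

            $rights = [int]$ace.FileSystemRights
            if (($rights -band $WriteMask) -or ($rights -band $GenericMask)) {
                New-Object PSObject -Property @{
                    Directory = $dir
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-WritablePathDirectory | Sort-Object Directory | Format-Table Directory, Sid, Rights, Inherited -AutoSize
```

Each row is a directory to tighten: remove the write ACE or take the directory off PATH. Deny ACEs are ignored here, so a reported directory can still be protected by an explicit deny.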


I just try to list the most important things here:

  • Checks for DLL hijacking (will need PowerShell PETools)
  • Checks for Group Policy Preferences
  • Checks for Unattended.xml
  • Checks for unquoted service binary paths
  • Checks for registry key linking
  • Checks for Autorun and Startup scripts
  • Password policy checks

Similar tools

Similar functionality is implemented by the following tools:


@andrew_kabai for pointing me to PowerUp

@Carlos_Perez for his fine tutorials:
