{"id":15033664,"url":"https://github.com/itm4n/privesccheck","last_synced_at":"2026-04-02T16:53:18.289Z","repository":{"id":38023568,"uuid":"234315083","full_name":"itm4n/PrivescCheck","owner":"itm4n","description":"Privilege Escalation Enumeration Script for Windows","archived":false,"fork":false,"pushed_at":"2024-10-29T14:55:09.000Z","size":5746,"stargazers_count":2948,"open_issues_count":0,"forks_count":426,"subscribers_count":80,"default_branch":"master","last_synced_at":"2024-10-29T15:35:18.249Z","etag":null,"topics":["pentest-tool","pentesting","privilege-escalation","windows","windows-privilege-escalation"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itm4n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-16T12:28:10.000Z","updated_at":"2024-10-29T14:55:13.000Z","dependencies_parsed_at":"2023-02-16T01:30:41.124Z","dependency_job_id":"4c1b2656-6044-4efe-b78c-965ecd4c6c0a","html_url":"https://github.com/itm4n/PrivescCheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrivescCheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itm4n","download_url":"https://codeload.github.com/itm4n/PrivescCheck/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248243488,"owners_count":21071054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pentest-tool","pentesting","privilege-escalation","windows","windows-privilege-escalation"],"created_at":"2024-09-24T20:22:16.017Z","updated_at":"2026-04-02T16:53:18.269Z","avatar_url":"https://github.com/itm4n.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PrivescCheck\n\nQuickly identify common Windows **vulnerabilities** and **configuration issues** that are not necessarily covered by public security standards, and collect useful information for exploitation and post-exploitation tasks.\n\n\u003e [!IMPORTANT]\n\u003e A major aspect to be aware of when using this tool is that all access control checks are done in the context of the current user. Therefore, if it is run with administrator privileges, a lot of vulnerability checks are actually skipped to avoid generating incorrect findings.\n\n## :rocket: Quick Start\n\nDownload the script here: [PrivescCheck.ps1](https://github.com/itm4n/PrivescCheck/releases/latest/download/PrivescCheck.ps1)\n\n\u003e [!TIP]\n\u003e The link above can also be used directly in a PowerShell terminal with `(New-Object Net.WebClient).DownloadString(...)`.\n\n### Use Case 1 (Pentest): Run Basic Checks Only\n\nIs there an obvious way to escalate privileges locally?\n\n```bat\npowershell -ep bypass -c \". .\\PrivescCheck.ps1; Invoke-PrivescCheck\"\n```\n\n### Use Case 2 (Research): Run Extended Checks + Write Human-Readable Reports\n\nIs there additional information that can be leveraged for post-exploitation or for finding vulnerabilities in third-party software?\n\n```bat\npowershell -ep bypass -c \". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML\"\n```\n\n### Use Case 3 (Audit): Run All Checks + Write All Reports\n\nAre there configuration issues that are not covered by common security standards?\n\n```bat\npowershell -ep bypass -c \". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML\"\n```\n\n## :open_book: Detailed Usage\n\n```txt\nInvoke-PrivescCheck [-Extended] [-Audit] [-Experimental] [-Report \u003cPREFIX\u003e]\n    [-Format \u003cFORMAT\u003e[,...]] [-Risky] [-Silent] [-Force]\n\n    -Extended\n        Include all \"extended\" checks in the scan (see README).\n\n    -Audit\n        Include all \"audit\" checks in the scan.\n\n    -Experimental\n        Include all \"experimental\" checks in the scan. Use only if you know\n        what you are doing.\n\n    -Report \u003cPREFIX\u003e\n        Generate at least one report file. The output filename will be\n        \"PREFIX.txt\" by default. The extension is automatically appended\n        based on the report format (see \"-Format \u003cFORMAT\u003e[,...]\").\n\n    -Format \u003cFORMAT\u003e[,...]\n        Specify the format of the output report file(s). If not set, the\n        default value is \"TXT\". Supported formats are: \"TXT\", \"HTML\", \"CSV\",\n        and \"XML\".\n\n    -Risky\n        Include checks marked as \"risky\", i.e. checks that are likely to\n        trigger a blocking action by an endpoint protection solution. Use with\n        caution.\n\n    -Silent\n        Suppress terminal output. This can be useful if you want to run the\n        script as part of a batch file, in a scheduled task for instance.\n\n    -Force\n        Force execution and ignore warnings. Typically, the script stops if\n        it is executed with administrator privileges. Use this option to\n        execute it anyway.\n```\n\n### Report Format \u003e TXT (`-Format TXT`)\n\nUse the option `-Report \u003cPREFIX\u003e` (with `-Format TXT`) to specify that you want to generate a **raw text report**. The output is similar to what you would see in the terminal, except that it contains only ASCII characters for better (retro-)compatibility with all text editors.\n\n![Screenshot of a raw text report generated by PrivescCheck](./img/screenshot_txt_report.png)\n\n### Report Format \u003e HTML (`-Format HTML`)\n\nUse the option `-Report \u003cPREFIX\u003e` with `-Format HTML` to specify that you want to generate an **HTML report**. The output file can be opened in a web browser. It is more convenient for visualizing the data than the raw text report. Additionally, it offers **sorting** and **filtering** capabilities!\n\n![Screenshot of an HTML report generated by PrivescCheck](./img/screenshot_html_report.png)\n\n### Report Format \u003e CSV (`-Format CSV`) \u0026 XML (`-Format XML`)\n\nUse the option `-Report \u003cPREFIX\u003e` with `-Format CSV` or `-Format XML` to specify that you want to generate a **CSV or XML report**. The output file is intended to facilitate the parsing of the results by automated reporting tools.\n\n\u003e [!NOTE]\n\u003e Although the output format is not documented (yet), you can easily figure it out by analyzing the structure of an already generated file. You can use the `Id` value of each check to uniquely identify them.\n\n### Check Type \u003e Base\n\nChecks of type `Base` will always be executed, unless the script is run as an administrator. They are mainly intended for identifying privilege escalation vulnerabilities, or other important issues.\n\n### Check Type \u003e Extended (`-Extended`)\n\nChecks of type `Extended` can only be executed if the option `-Extended` is specified on the command line. They are mainly intended for providing additional information that could be useful for exploit development, or post-exploitation.\n\n### Check Type \u003e Audit (`-Audit`)\n\nChecks of type `Audit` can only be executed if the option `-Audit` is specified on the command line. They are mainly intended for providing information that is relevant in the context of a configuration audit.\n\n## :bulb: Tips \u0026 Tricks\n\n### PowerShell Execution Policy\n\nBy default, the PowerShell [execution policy](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies) is set to `Restricted` on clients, and `RemoteSigned` on servers, when a new `powershell.exe` process is started. These policies block the execution of (unsigned) scripts, but they can be overridden within the current scope as follows.\n\n```powershell\nSet-ExecutionPolicy Bypass -Scope Process -Force\n. .\\PrivescCheck.ps1\n```\n\nHowever, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script as follows.\n\n```powershell\nGet-Content .\\PrivescCheck.ps1 | Out-String | Invoke-Expression\n```\n\n### PowerShell Version 2\n\nA common way to bypass [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) consists in using PSv2 as it does not implement this protection. Therefore, a significant part of the development effort goes into maintaining this retro-compatibility.\n\n\u003e [!NOTE]\n\u003e Although PowerShell version 2 ~~is still enabled by default on recent versions of Windows~~ ([PowerShell 2.0 removal from Windows](https://support.microsoft.com/en-us/topic/powershell-2-0-removal-from-windows-fe6d1edc-2ed2-4c33-b297-afe82a64200a)), it cannot run without the .Net framework version 2.0, which requires a manual install.\n\n### Metasploit timeout\n\nIf you run this script within a Meterpreter session, you will likely get a \"timeout\" error. This is because Metasploit uses a default timeout value of 15 seconds, which is not enough for a typical execution of the script to complete.\n\n```console\nmeterpreter \u003e load powershell\nLoading extension powershell...Success.\nmeterpreter \u003e powershell_import /local/path/to/PrivescCheck.ps1\n[+] File successfully imported. No result was returned.\nmeterpreter \u003e powershell_execute \"Invoke-PrivescCheck\"\n[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.\n```\n\nIt is possible to set a different timeout thanks to the `-t` option of the `sessions` command ([documentation](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/)). In the following example, a timeout of 2 minutes is set for the session with ID `1`, but you might want to set an even higher value.\n\n```console\nmsf6 exploit(multi/handler) \u003e sessions -t 120 -i 1\n[*] Starting interaction with 1...\nmeterpreter \u003e powershell_execute \"Invoke-PrivescCheck\"\n```\n\n## :bookmark_tabs: Credits\n\n- Word list - [CBHue/PyFuscation](https://github.com/CBHue/PyFuscation)\n- Vulnerable driver list - [https://www.loldrivers.io/api/drivers.csv](https://www.loldrivers.io/api/drivers.csv)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitm4n%2Fprivesccheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitm4n%2Fprivesccheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitm4n%2Fprivesccheck/lists"}