Token Elevation

Windows uses a split-token model for accounts with administrative rights. By default, the session runs with a standard UAC token that restricts most privileges, while a full elevated token containing the complete privilege set remains unused until explicitly invoked. Privilege escalation can be achieved by launching a shell with the elevated token, granting immediate access to all administrative rights already assigned to the account. This shift removes UAC restrictions and enables full local administrator control for further operations.

# Initial session as x7331 (normal shell)
> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

# Second session as x7331 (admin shell)
> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== ========
SeMachineAccountPrivilege     Add workstations to domain          Disabled
SeSystemtimePrivilege         Change the system time              Disabled
SeBackupPrivilege             Back up files and directories       Disabled
SeRestorePrivilege            Restore files and directories       Disabled
SeShutdownPrivilege           Shut down the system                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled

PreviousPrivileges NextSeBackup

Last updated 5 months ago