Token Elevation

Windows uses a split-token model for accounts with administrative rights when UAC is enabled. By default, the interactive session runs with a filtered (standard-user) token from which most privileges have been removed, while a full elevated token carrying the account's complete privilege set is linked to it and stays unused until explicitly invoked. Privilege escalation can be achieved by launching a shell with the elevated token, which grants immediate access to all administrative rights already assigned to the account. This shift removes the UAC restrictions and enables full local administrator control for further operations, as the two `whoami /priv` listings below show for the same user.

# Initial session as x7331 (normal shell)
> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

# Second session as x7331 (admin shell)
> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== ========
SeMachineAccountPrivilege     Add workstations to domain          Disabled
SeSystemtimePrivilege         Change the system time              Disabled
SeBackupPrivilege             Back up files and directories       Disabled
SeRestorePrivilege            Restore files and directories       Disabled
SeShutdownPrivilege           Shut down the system                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled
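Rather than inferring which half of the split token a shell holds from its privilege list, the elevation type can be read directly from the process token. The following is an added example, not part of the original page; the class name TokenNative and the function name Get-TokenElevationState are my own, and it uses the documented advapi32 GetTokenInformation call with the TokenElevationType (18) and TokenElevation (20) information classes. Running it in each of the two sessions above reports Limited for the normal shell and Full for the admin shell.

```powershell
# Added example: report whether the current shell holds the filtered (Limited)
# or the elevated (Full) token of a split-token administrative account.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    // TOKEN_INFORMATION_CLASS values from winnt.h
    public const int TokenElevationType = 18;
    public const int TokenElevation     = 20;

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(
        IntPtr TokenHandle, int TokenInformationClass,
        out int TokenInformation, int TokenInformationLength, out int ReturnLength);
}
"@

function Get-TokenElevationState {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $value = 0; $returned = 0

    # TOKEN_ELEVATION_TYPE: 1 = Default (no split token, e.g. UAC disabled or a
    # plain standard user), 2 = Full (elevated half), 3 = Limited (filtered half).
    if (-not [TokenNative]::GetTokenInformation($identity.Token, [TokenNative]::TokenElevationType,
                                                 [ref]$value, 4, [ref]$returned)) {
        throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $type = switch ($value) { 1 { 'Default' } 2 { 'Full' } 3 { 'Limited' } default { "Unknown($value)" } }

    # TOKEN_ELEVATION.TokenIsElevated is a single DWORD, non-zero for an elevated token.
    $elevated = 0
    [void][TokenNative]::GetTokenInformation($identity.Token, [TokenNative]::TokenElevation,
                                             [ref]$elevated, 4, [ref]$returned)

    [pscustomobject]@{
        User            = $identity.Name
        ElevationType   = $type
        IsElevated      = [bool]$elevated
        # In the filtered token BUILTIN\Administrators is still listed but marked
        # 'use for deny only', so the role check is false for Limited, true for Full.
        AdminRoleActive = ([System.Security.Principal.WindowsPrincipal]$identity).IsInRole(
                              [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenElevationState | Format-List
```

Comparing the output of `whoami /groups` in the two sessions shows the same distinction: the Administrators group appears with the "Group used for deny only" attribute only in the filtered token.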
