Hacktricks-skills windows-seimpersonate-privilege-escalation

Windows privilege escalation technique using SeImpersonate to escalate from High Integrity to SYSTEM. Use this skill when the user needs to escalate privileges on Windows, mentions token impersonation, SeImpersonate, or wants to run commands as SYSTEM from a High Integrity context. Also trigger when the user has administrative access and wants to impersonate process tokens like winlogon.exe or svchost.exe.

Install

Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system/SKILL.MD

Source content

Windows SeImpersonate Privilege Escalation

This skill helps you escalate from High Integrity to SYSTEM on Windows using token impersonation via the SeImpersonate technique.

When to Use This Technique

Use this approach when:

  • You have High Integrity (Administrator) access on Windows
  • You need SYSTEM-level privileges
  • You can identify a process running as SYSTEM (like winlogon.exe, wininit.exe)
  • You have SeDebugPrivilege or can enable it

Prerequisites

  1. High Integrity Context: You must be running as an Administrator with High Integrity level
  2. SeDebugPrivilege: Required to open and manipulate process tokens
  3. Target Process: A SYSTEM-owned process with appropriate permissions (winlogon.exe is ideal)

How It Works

The technique exploits Windows token manipulation:

  1. Enable SeDebugPrivilege on your current process
  2. Open the target process (e.g., winlogon.exe) with PROCESS_QUERY_LIMITED_INFORMATION
  3. Open the process's access token with MAXIMUM_ALLOWED access
  4. Impersonate the logged-on user from that token
  5. Duplicate the token to create a primary token
  6. Spawn a new process (cmd.exe) using the duplicated SYSTEM token

Usage

Step 1: Find a Suitable Target Process

Identify a process running as SYSTEM that Administrators can impersonate:

# Find winlogon.exe PID (usually safe to impersonate)
Get-Process winlogon | Select-Object Id, ProcessName

# Alternative: Check svchost.exe processes
Get-Process svchost | Select-Object Id, ProcessName

Important: Not all SYSTEM processes can be impersonated. winlogon.exe is typically the best target because Administrators have the "Read Memory" and "Read Permissions" access rights on it.

Step 2: Compile the Impersonation Tool

Compile the provided C++ code (scripts/impersonateuser.cpp):

# Using Visual Studio Developer Command Prompt
cl /EHsc impersonateuser.cpp /link advapi32.lib

# Or using MinGW
x86_64-w64-mingw32-g++ -o impersonateuser.exe impersonateuser.cpp -ladvapi32

Step 3: Run the Impersonation

# Replace 1234 with the actual PID of winlogon.exe
impersonateuser.exe 1234

If successful, a new cmd.exe will spawn running as SYSTEM.

Step 4: Verify SYSTEM Access

In the spawned command prompt:

whoami
# Should return: NT AUTHORITY\SYSTEM

Troubleshooting

Error 5 (Access Denied)

If you see:

[-] ImpersonatedLoggedOnUser() Error: 5
[-] DuplicateTokenEx() Error: 5

This means you don't have sufficient permissions on the target process.

Solution: Check process permissions:

  1. Open Process Explorer
  2. Right-click the target process → Properties
  3. Go to Security tab → Permissions → Advanced
  4. Check what privileges "Administrators" have

Good targets have "Read Memory" and "Read Permissions" for Administrators.

Error 1326 (Logon Failure)

[-] CreateProcessWithTokenW Error: 1326

This indicates the token couldn't be used to create a new process.

Solutions:

  • Try a different target process (winlogon.exe is most reliable)
  • Ensure you're running with High Integrity (not just Administrator)
  • Check if UAC is interfering

OpenProcess Fails

[-] OpenProcess() Error: 5

Solution: Ensure SeDebugPrivilege is enabled. The code does this automatically, but verify you're running as Administrator.

Alternative: PowerShell One-Liner

For quick testing without compilation, use this PowerShell approach:

# Enable SeDebugPrivilege
# Note: System.Security.AccessControl.TokenPrivilege is not a public .NET type and
# IntPtr has no AdjustPrivileges method, so the two lines below are illustrative
# only; enabling a privilege from PowerShell needs P/Invoke (AdjustTokenPrivileges).
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token
$privilege = New-Object System.Security.AccessControl.TokenPrivilege "SeDebugPrivilege"
$token.AdjustPrivileges($privilege, $true)

# Get winlogon PID ($PID is a read-only automatic variable, so use another name;
# winlogon.exe runs once per session, so take the first instance)
$winlogonPid = (Get-Process winlogon | Select-Object -First 1).Id

# Use a compiled tool or alternative method

Note: Full token impersonation requires native code; PowerShell alone cannot complete the impersonation.

Security Considerations

  • Authorized Use Only: This technique should only be used on systems you own or have explicit permission to test
  • Detection: This activity may be logged and detected by EDR solutions
  • Persistence: The spawned cmd.exe is temporary; use it to establish persistence if needed
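The "Detection" point above can be made concrete by mapping the chain from "How It Works" onto Windows Security auditing: step 1 (enabling SeDebugPrivilege) surfaces as Event 4703 "A token right was adjusted", and step 6 (CreateProcessWithTokenW spawning cmd.exe) surfaces as Event 4688 whose creator subject is an interactive admin account while the new process's target subject is NT AUTHORITY\SYSTEM. The Python below is an added detection example, not part of the skill or of the hacktricks-skills repository; the event records are constructed samples with invented PIDs, times and account names, the field names follow the 4688/4703 event schema, and the allowlist of expected SYSTEM launchers is an assumption to be tuned per environment.

```python
"""Correlate 4703 (SeDebugPrivilege enabled) with 4688 (cross-account SYSTEM spawn).

Added example for detecting the High Integrity -> SYSTEM token impersonation
chain. Sample events are constructed, not real log exports.
"""
from datetime import datetime, timedelta

# Constructed sample events. 4688 carries the creator's account in the
# Subject* fields and, only when the new process runs under a different token,
# the new process's account in the Target* fields ("-" otherwise). ProcessId on
# 4688 is the creator PID; on 4703 it is the process whose token was adjusted.
SAMPLE_EVENTS = [
    {   # step 1 of the chain: the tool enables SeDebugPrivilege on itself
        "EventID": 4703, "TimeCreated": "2024-01-01T10:00:00",
        "SubjectUserName": "alice", "SubjectDomainName": "WORKSTATION",
        "ProcessId": 0x1A2C, "ProcessName": r"C:\Users\alice\impersonateuser.exe",
        "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-",
    },
    {   # step 6: cmd.exe created with a SYSTEM token by alice's process
        "EventID": 4688, "TimeCreated": "2024-01-01T10:00:02",
        "SubjectUserName": "alice", "SubjectDomainName": "WORKSTATION",
        "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY",
        "NewProcessId": 0x2F10, "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 0x1A2C, "ParentProcessName": r"C:\Users\alice\impersonateuser.exe",
    },
    {   # benign: Service Control Manager starting a service host as SYSTEM
        "EventID": 4688, "TimeCreated": "2024-01-01T10:00:03",
        "SubjectUserName": "WORKSTATION$", "SubjectDomainName": "WORKGROUP",
        "TargetUserName": "-", "TargetDomainName": "-",
        "NewProcessId": 0x0ABC, "NewProcessName": r"C:\Windows\System32\svchost.exe",
        "ProcessId": 0x0334, "ParentProcessName": r"C:\Windows\System32\services.exe",
    },
    {   # benign: alice opens an elevated cmd.exe under her own token
        "EventID": 4688, "TimeCreated": "2024-01-01T10:00:04",
        "SubjectUserName": "alice", "SubjectDomainName": "WORKSTATION",
        "TargetUserName": "-", "TargetDomainName": "-",
        "NewProcessId": 0x3A00, "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 0x1F40, "ParentProcessName": r"C:\Windows\explorer.exe",
    },
]

SYSTEM_ACCOUNT = ("NT AUTHORITY", "SYSTEM")
# Parents that legitimately hand SYSTEM tokens to new processes. Assumption:
# a starting point, not an exhaustive list; tune it for the environment.
EXPECTED_SYSTEM_LAUNCHERS = {"services.exe", "wininit.exe", "smss.exe",
                             "svchost.exe", "taskhostw.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def enables_debug_privilege(event: dict) -> bool:
    """4703 whose enabled-privilege list (whitespace separated) names SeDebugPrivilege."""
    return (event["EventID"] == 4703
            and "SeDebugPrivilege" in event.get("EnabledPrivilegeList", "").split())


def is_cross_account_system_spawn(event: dict) -> bool:
    """4688 where a non-SYSTEM creator produced a SYSTEM process via an unexpected parent."""
    if event["EventID"] != 4688:
        return False
    if (event.get("TargetDomainName"), event.get("TargetUserName")) != SYSTEM_ACCOUNT:
        return False
    if event["SubjectUserName"].upper() == "SYSTEM":
        return False
    return _basename(event.get("ParentProcessName", "")) not in EXPECTED_SYSTEM_LAUNCHERS


def detect(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Return alerts; severity is raised when the creator PID enabled SeDebugPrivilege shortly before."""
    alerts = []
    debug_by_pid = {}  # PID -> most recent 4703 that enabled SeDebugPrivilege
    for event in sorted(events, key=_ts):
        if enables_debug_privilege(event):
            debug_by_pid[event["ProcessId"]] = event
            continue
        if is_cross_account_system_spawn(event):
            prior = debug_by_pid.get(event["ProcessId"])
            correlated = prior is not None and _ts(event) - _ts(prior) <= window
            alerts.append({
                "severity": "high" if correlated else "medium",
                "creator": f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}',
                "creator_pid": event["ProcessId"],
                "parent": event.get("ParentProcessName"),
                "new_process": event["NewProcessName"],
                "debug_privilege_enabled": correlated,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The 4688 Target* fields are only populated when the new process runs under a token other than the creator's, which is exactly what CreateProcessWithTokenW produces here, so the rule stays quiet for ordinary elevated shells; the parent allowlist suppresses the service manager and scheduler paths that legitimately launch SYSTEM processes, and the 4703 correlation upgrades severity rather than gating the alert, since auditing of token right adjustments may not be enabled everywhere.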

Related Techniques

  • Token Theft: Stealing tokens from memory
  • Process Injection: Injecting code into SYSTEM processes
  • Named Pipe Impersonation: Using named pipes for token theft

References