Need help with PrivescCheck?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

1.4K Stars 250 Forks BSD 3-Clause "New" or "Revised" License 158 Commits 3 Opened issues


Privilege Escalation Enumeration Script for Windows

Services available


Need anything else?

Contributors list

# 34,994
157 commits


This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

The purpose of this tool is to help security consultants identify potential weaknesses on Windows machines during penetration tests and Workstation/VDI audits. It is not intended to be used during Red Team engagements although it may still provide you with a lot of useful information.

This tool is heavily inspired from the amazing work that @harmj0y and @mattifestation put in PowerUp. The two original authors decided to switch to DotNet and are now working on the great SeatBelt project, which explains why PowerUp is no longer maintained. Although SeatBelt brings some undeniable benefits, I think that a standalone PowerShell script is still a good way to go for most pentesters, hence the motivation behind the creation of this tool.

You can find more information about PrivescCheck here.


1. Basic usage

From a command prompt:

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck

From a PowerShell prompt without modifying the execution policy:

PS C:\Temp\> Get-Content .\PrivescCheck.ps1 | Out-String | IEX
PS C:\Temp\> Invoke-PrivescCheck

2. Extended mode

By default, the scope is limited to vulnerability discovery but, you can get a lot more information with the

Invoke-PrivescCheck -Extended

3. Generate report files

You can use the

options to save the results of the script to files in various formats. Accepted formats are
. If
is empty, the default format is
, which is a simple copy of what is printed on the terminal.

The value of

will be used as the base name for the final report, the extension will be automatically appended depending on the chosen format(s).
Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME%
Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML

Bug reporting. Feature Request. Overall enhancement.

  • You think you identified a bug or a false positive/negative?
  • You think a particular check is missing?
  • You think something could be improved?

That's awesome! :slightlysmilingface: Please let me know by opening an issue and include as much detail as possible.

Especially if it's a bug, I will need: - The Windows version and the PowerShell version. - The script output (do not forget to remove sensitive information).

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.