Windows privesc: unquoted service paths, weak service binary permissions, token impersonation (PrintSpoofer, Potato attacks), AlwaysInstallElevated, UAC bypass, DLL hijacking, kernel exploits.
WinPEAS automates Windows privilege escalation enumeration. Unquoted service path: C:\Program Files\Vulnerable App\service.exe → try C:\Program.exe (runs as SYSTEM). PrintSpoofer/Potato attacks escalate from SeImpersonatePrivilege (IIS service accounts) to SYSTEM.