# Get-ProcessTokenPrivilege
## SYNOPSIS
Returns all privileges for the current (or specified) process ID.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
## SYNTAX
```
Get-ProcessTokenPrivilege [[-Id] <UInt32>] [-Special]
```
## DESCRIPTION
First, if a process ID is passed, then the process is opened using OpenProcess(); otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. OpenProcessToken() is then used to get a handle to the specified process token. The token is then passed to Get-TokenInformation to query the current privileges for the specified token.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ProcessTokenPrivilege
```
```
Privilege                       Attributes                                        ProcessId
---------                       ----------                                        ---------
SeShutdownPrivilege             DISABLED                                          2600
SeChangeNotifyPrivilege         ...AULT, SE_PRIVILEGE_ENABLED                     2600
SeUndockPrivilege               DISABLED                                          2600
SeIncreaseWorkingSetPrivilege   DISABLED                                          2600
SeTimeZonePrivilege             DISABLED                                          2600
```
### -------------------------- EXAMPLE 2 --------------------------
```
Get-ProcessTokenPrivilege -Special
```
```
Privilege                       Attributes                                        ProcessId
---------                       ----------                                        ---------
SeSecurityPrivilege             DISABLED                                          2444
SeTakeOwnershipPrivilege        DISABLED                                          2444
SeBackupPrivilege               DISABLED                                          2444
SeRestorePrivilege              DISABLED                                          2444
SeSystemEnvironmentPriv...      DISABLED                                          2444
SeImpersonatePrivilege          ...T, SE_PRIVILEGE_ENABLED                        2444
```
### -------------------------- EXAMPLE 3 --------------------------
```
Get-Process notepad | Get-ProcessTokenPrivilege | fl
```
```
Privilege  : SeShutdownPrivilege
Attributes : DISABLED
ProcessId  : 2640

Privilege  : SeChangeNotifyPrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
ProcessId  : 2640

Privilege  : SeUndockPrivilege
Attributes : DISABLED
ProcessId  : 2640

Privilege  : SeIncreaseWorkingSetPrivilege
Attributes : DISABLED
ProcessId  : 2640

Privilege  : SeTimeZonePrivilege
Attributes : DISABLED
ProcessId  : 2640
```
## PARAMETERS
### -Id
The process ID to enumerate token privileges for; otherwise defaults to the current process.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases: ProcessID
Required: False
Position: 1
Default value: 0
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -Special
Switch. Only return 'special' privileges, meaning admin-level privileges. These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: Privileged
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
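The following is an added example, not part of PowerUp or this help file: it uses the `-Special` switch and the `Privilege`/`Attributes`/`ProcessId` fields documented above to audit every process the caller can open and report which ones currently hold an *enabled* admin-level privilege (a disabled privilege is still held, but an enabled one is in active use). It assumes the PowerUp script that defines `Get-ProcessTokenPrivilege` has already been dot-sourced; the function name `Get-EnabledSpecialPrivilegeReport` and the `$WatchList` default are the example's own choices.

```powershell
# Added example (not PowerUp's own code). Assumes Get-ProcessTokenPrivilege is
# already loaded, e.g. by dot-sourcing PowerUp.ps1 in the current session.
function Get-EnabledSpecialPrivilegeReport {
    [CmdletBinding()]
    param(
        # Subset of the 'special' privileges listed under -Special that a defender
        # most wants to see enabled only in expected processes (assumed default).
        [string[]] $WatchList = @('SeDebugPrivilege', 'SeImpersonatePrivilege',
                                 'SeTcbPrivilege', 'SeBackupPrivilege',
                                 'SeRestorePrivilege', 'SeLoadDriverPrivilege',
                                 'SeTakeOwnershipPrivilege')
    )

    Get-Process | ForEach-Object {
        $proc = $_
        try {
            # -Special restricts output to the admin-level privileges only.
            # Protected or higher-integrity processes cannot be opened from a
            # lower-privileged context; -ErrorAction Stop turns that into a
            # catchable error so the scan continues with the next PID.
            $privs = Get-ProcessTokenPrivilege -Id $proc.Id -Special -ErrorAction Stop
        }
        catch {
            Write-Verbose "Could not read token of PID $($proc.Id) ($($proc.ProcessName)): $_"
            return
        }

        foreach ($p in $privs) {
            # Attributes renders as 'DISABLED' or as a comma-separated flag list such as
            # 'SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED'. Split on the comma
            # so that ENABLED_BY_DEFAULT on its own is not mistaken for ENABLED.
            $flags = "$($p.Attributes)" -split ',\s*'
            if (($flags -contains 'SE_PRIVILEGE_ENABLED') -and ($WatchList -contains $p.Privilege)) {
                [PSCustomObject]@{
                    ProcessId   = $p.ProcessId
                    ProcessName = $proc.ProcessName
                    Privilege   = $p.Privilege
                    Attributes  = "$($p.Attributes)"
                }
            }
        }
    }
}

# Usage: one row per (process, enabled watched privilege), grouped by process name.
Get-EnabledSpecialPrivilegeReport -Verbose | Sort-Object ProcessName, Privilege | Format-Table -AutoSize
```

Run it from an elevated session to cover processes running as other users; from a non-elevated session the verbose stream lists the PIDs that could not be opened, which is itself a useful sanity check that the scan was not silently incomplete.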
## INPUTS
## OUTPUTS
### PowerUp.TokenGroup
Outputs a custom object containing the token group (SID/attributes) for the specified token if
"-InformationClass 'Groups'" is passed.
### PowerUp.TokenPrivilege
Outputs a custom object containing the token privilege (name/attributes) for the specified token if
"-InformationClass 'Privileges'" is passed.
## NOTES
## RELATED LINKS