
# User Enumeration

## 1. User Information Commands

### 1.1 Current Username

**Commands:**

```cmd
echo %USERNAME%
whoami
```

Or, using PowerShell:

```powershell
$env:USERNAME
```

**Description:**\
Displays the username of the currently logged-in user.

**Output:**\
The current username is shown.

### 1.2 List Users

**Commands:**

```cmd
net user
```

Or, for a more detailed view in PowerShell:

```powershell
Get-LocalUser | Format-Table Name, Enabled, LastLogon
```

Or, to list user profiles:

```powershell
Get-ChildItem C:\Users -Force | Select-Object Name
```

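**Description:**\
Lists all local user accounts. The `Get-LocalUser` form adds each account's enabled status and last logon time, and the `Get-ChildItem` form lists the profile folders under `C:\Users`.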

**Output:**\
A list of all users on the system.

### 1.3 User Privileges

**Commands:**

To display privileges:

```cmd
whoami /priv
```

To view group memberships:

```cmd
whoami /groups
```

For comprehensive user details:

```cmd
whoami /all
```

**Description:**\
These commands provide detailed information about user privileges and group memberships.

**Output:**\
Displays user privileges, group memberships, and other detailed information.

***

## 2. Group Information Commands

### 2.1 List All Local Groups

**Commands:**

```cmd
net localgroup
```

Or, using PowerShell:

```powershell
Get-LocalGroup | Format-Table Name
```

**Description:**\
Lists all local groups on the system.

**Output:**\
Displays a list of local groups.

### 2.2 Group Details

**Commands:**

To view members of a specific group (e.g., Administrators):

```cmd
net localgroup administrators
```

For detailed member information using PowerShell:

```powershell
Get-LocalGroupMember Administrators | Format-Table Name, PrincipalSource
```

**Description:**\
Provides details about the members of a specified local group.

**Output:**\
Lists the group members, including their source (local or domain).
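
The same user and group cmdlets can be combined into a local account review. The script below is an added example, not part of the original writeup: it joins `Get-LocalUser` with the membership of the built-in Administrators group and flags accounts worth a closer look. The 90-day staleness threshold and the finding labels are assumptions.

```powershell
# Added example: review local accounts against Administrators membership.
# Assumption: 90 days without a logon counts as stale; adjust to local policy.
$staleAfterDays = 90
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the lookup also works on non-English Windows installs.
try {
    $adminMembers = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
} catch {
    # Get-LocalGroupMember can fail when the group holds an orphaned SID
    # (for example a deleted domain account); review 'net localgroup' output by hand.
    Write-Warning "Get-LocalGroupMember failed: $($_.Exception.Message)"
    $adminMembers = @()
}
$adminSids = @($adminMembers | ForEach-Object { $_.SID.Value })

$report = Get-LocalUser | ForEach-Object {
    $isAdmin  = $adminSids -contains $_.SID.Value
    $findings = @()
    if ($_.Enabled -and $isAdmin -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff)) {
        $findings += 'enabled admin, stale or never logged on'
    }
    if ($_.Enabled -and -not $_.PasswordRequired) {
        $findings += 'password not required'
    }
    if ($_.Enabled -and $isAdmin -and -not $_.PasswordExpires) {
        $findings += 'admin password never expires'
    }
    [pscustomobject]@{
        Name         = $_.Name
        Enabled      = $_.Enabled
        IsLocalAdmin = $isAdmin
        LastLogon    = $_.LastLogon
        Findings     = ($findings -join '; ')
    }
}

# Domain or Azure AD principals in Administrators are not returned by
# Get-LocalUser, so list them separately.
$external = $adminMembers | Where-Object { $_.PrincipalSource -ne 'Local' } |
    Select-Object Name, ObjectClass, PrincipalSource

$report   | Sort-Object IsLocalAdmin -Descending | Format-Table -AutoSize
$external | Format-Table -AutoSize
```

An empty `Findings` column means none of the three checks matched for that account.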

***

## 3. Domain Controller Commands

### 3.1 Get Domain Controllers

**Commands:**

To list domain controllers:

```cmd
nltest /DCLIST:DomainName
```

To get the current domain controller:

```cmd
nltest /DCNAME:DomainName
```

To query for a domain controller based on specific criteria:

```cmd
nltest /DSGETDC:DomainName
```

**Description:**\
Queries the domain for information about domain controllers.

**Output:**\
Displays domain controllers' names and details, useful for network configuration and security assessments.

