Windows Enumeration Script

As I’ve started learning what the most common misconfigurations are on a Windows machine I decided that I should start creating a script to automate the searching for them. I have started an initial script to search for some common things that I do every time I try to escalate a Windows machine and will continue to update and improve on it.


This is a python script that will collect some important information about the Windows system regarding patching, permission issues, and potentially leaked credentials in files and/or the registry. The intent is to continue adding to the script as I find more things to search for.

Right now it is a single file and the intial intent was to have just one file to copy around. However, I believe to make it more modular and feature rich it will need to be split up and become more of a python module or library where the intent would be to alway compile it with PyInstaller before deploying to a Windows machine.

At any rate, this is the initial script that I’m running against a Windows system and will continue to tweak and add to.


To create a single script that I can run against a Windows machine to collect targeted information. Among the information is:

  • System information and currently installed patches
  • Poorly permissioned Windows Services and Scheduled tasks (looks at both binpath file as well as directory permissions)
  • Passwords/credentials leaked in files on disk
  • unattended install files
  • Passwords/credentials in the registry


  • The script can run on its own via python3+PyWin32 if it is installed on the Windows machine
  • If not, you can use pyinstaller to turn it into an executable and move the executable to the windows machine
    • NOTE: pyinstaller supports python 3.3-3.5 (not the latest 3.6 at the time of this writing) so if you are going to use pyinstaller make sure you are targeting python 3.5 instead


  • Python3 (specifically 3.5 if you are going to use pyinstaller)
  • PyInstaller
  • PyWin32
  • accesschk.exe / accesschk64.exe

Create the self-contained Windows executable

c:\Users\sengen\Desktop>pyinstaller --onefile
78 INFO: PyInstaller: 3.2.1
78 INFO: Python: 3.5.3
78 INFO: Platform: Windows-7-6.1.7601-SP1
78 INFO: wrote c:\Users\sengen\Desktop\WinEnum.spec
78 INFO: UPX is not available.
78 INFO: Extending PYTHONPATH with paths
['c:\\Users\\sengen\\Desktop', 'c:\\Users\\sengen\\Desktop']
78 INFO: checking Analysis
78 INFO: Building Analysis because out00-Analysis.toc is non existent
78 INFO: Initializing module dependency graph...
78 INFO: Initializing module graph hooks...
78 INFO: Analyzing ...
2140 INFO: running Analysis out00-Analysis.toc
2156 INFO: Adding Microsoft.Windows.Common-Controls to dependent assemblies of f
inal executable
  required by c:\program files\python35\python.exe
2453 INFO: Caching module hooks...
2468 INFO: Analyzing c:\Users\sengen\Desktop\
2468 INFO: Loading module hooks...
2468 INFO: Loading module hook ""...
2468 INFO: Loading module hook ""...
2546 INFO: Loading module hook ""...
2718 INFO: Looking for ctypes DLLs
2718 INFO: Analyzing run-time hooks ...
2718 INFO: Looking for dynamic libraries
2812 INFO: Looking for eggs
2812 INFO: Using Python library c:\program files\python35\python35.dll
2812 INFO: Found binding redirects:
2812 INFO: Warnings written to c:\Users\sengen\Desktop\build\WinEnum\warnWinEnum
2812 INFO: checking PYZ
2812 INFO: Building PYZ because out00-PYZ.toc is non existent
2812 INFO: Building PYZ (ZlibArchive) c:\Users\sengen\Desktop\build\WinEnum\out0
3250 INFO: Building PYZ (ZlibArchive) c:\Users\sengen\Desktop\build\WinEnum\out0
0-PYZ.pyz completed successfully.
3265 INFO: checking PKG
3265 INFO: Building PKG because out00-PKG.toc is non existent
3265 INFO: Building PKG (CArchive) out00-PKG.pkg
4890 INFO: Building PKG (CArchive) out00-PKG.pkg completed successfully.
4890 INFO: Bootloader c:\program files\python35\lib\site-packages\PyInstaller\bo
4890 INFO: checking EXE
4890 INFO: Building EXE because out00-EXE.toc is non existent
4890 INFO: Building EXE from out00-EXE.toc
4890 INFO: Appending archive to EXE c:\Users\sengen\Desktop\dist\WinEnum.exe
4890 INFO: Building EXE from out00-EXE.toc completed successfully.

The repository with the script

All the future Windows enumeration and data collection script will be in the following repository (including this first one,

comments powered by Disqus