The privilege module exposes helpers for enabling specific Windows privileges inside the current mimikatz process. Internally each command calls RtlAdjustPrivilege with the privilege identifier supplied by the command, so the change only affects mimikatz's own access token and lasts for the duration of the process. This is a prerequisite for any later command that needs that privilege to succeed.
All commands share the same syntax:
privilege::<command> [options]
privilege::id expects a numeric privilege identifier (decimal or hexadecimal). privilege::name expects the textual name of a privilege (for example SeDebugPrivilege). Every command prints either Privilege '<id>' OK when the enable call succeeds or an error that reports the RtlAdjustPrivilege failure code returned by Windows. (Source: mimikatz/mimikatz/modules/kuhl_m_privilege.c, lines 26-34.)
mimikatz # privilege::name SeDebugPrivilege
Privilege '20' OK
If you forget a required argument, mimikatz prints a usage error generated by the helper:
mimikatz # privilege::id
ERROR kuhl_m_privilege_id ; Missing 'id'
The table below lists the predefined commands exported by the module and the privilege each one enables. (Source: mimikatz/mimikatz/modules/kuhl_m_privilege.c, lines 8-95; mimikatz/mimikatz/modules/kuhl_m_privilege.h, lines 24-59.)
| Command | Privilege constant | Numeric identifier | When to use |
|---|---|---|---|
| privilege::debug | SE_DEBUG (SeDebugPrivilege) | 20 | Required before attaching to or reading the memory of processes you do not own. Many credential extraction features rely on it to inspect LSASS or other protected system processes. |
| privilege::driver | SE_LOAD_DRIVER (SeLoadDriverPrivilege) | 10 | Needed when loading unsigned or custom kernel drivers, e.g., before invoking !process or other driver-based features. |
| privilege::security | SE_SECURITY (SeSecurityPrivilege) | 8 | Grants the ability to read and set the System Access Control Lists (SACLs) on objects. Enable it prior to auditing or manipulating SACL entries. |
| privilege::tcb | SE_TCB (SeTcbPrivilege) | 7 | Trusted Computing Base privilege required for tasks such as creating or impersonating tokens across sessions. Some Kerberos and SSO experiments rely on it. |
| privilege::backup | SE_BACKUP (SeBackupPrivilege) | 17 | Allows opening any file for backup, bypassing file ACL checks. Enable it before dumping registry hives or other locked files. |
| privilege::restore | SE_RESTORE (SeRestorePrivilege) | 18 | Complements SeBackupPrivilege when writing data back, such as restoring hives or copying protected files. |
| privilege::sysenv | SE_SYSTEM_ENVIRONMENT (SeSystemEnvironmentPrivilege) | 22 | Required to read or modify firmware environment variables (e.g., manipulating boot configuration data stored in NVRAM). |
| privilege::id <identifier> | Custom | Any listed in the table below | Enables an arbitrary privilege by numeric identifier, useful for privileges without convenience commands or when automating scripts. |
| privilege::name <name> | Custom | Resolved at runtime | Looks up a privilege name such as SeCreateTokenPrivilege and enables it without memorising the numeric value. |

privilege::debug
mimikatz # privilege::debug
Privilege '20' OK
Use this before dumping credentials from LSASS or attaching a debugger to protected system processes.

privilege::driver
mimikatz # privilege::driver
Privilege '10' OK
Enable this when you plan to load custom or unsigned kernel drivers through mimikatz modules or auxiliary tooling.

privilege::security
mimikatz # privilege::security
Privilege '8' OK
Activate this to view or modify SACL entries while auditing or tweaking security descriptors.

privilege::tcb
mimikatz # privilege::tcb
Privilege '7' OK
Grant this right before creating or impersonating logon tokens across sessions during Kerberos or SSO experiments.

privilege::backup
mimikatz # privilege::backup
Privilege '17' OK
Use this privilege prior to dumping registry hives or copying files that regular ACLs would block.

privilege::restore
mimikatz # privilege::restore
Privilege '18' OK
Pair this with SeBackupPrivilege when you need to write protected files back to disk or restore modified hives.

privilege::sysenv
mimikatz # privilege::sysenv
Privilege '22' OK
Enable this before working with firmware variables or manipulating EFI/UEFI boot configuration data.

privilege::id
privilege::id is a thin wrapper over the common helper that parses the first argument with wcstoul, so you can pass decimal (17), hexadecimal (0x11), or even octal values. Use this when Windows introduces a newer privilege constant or when you need one of the less common rights that do not have a dedicated shortcut command. (Source: mimikatz/mimikatz/modules/kuhl_m_privilege.c, lines 36-44.)
mimikatz # privilege::id 0x1d
Privilege '29' OK
This example enables SeImpersonatePrivilege (0x1d == 29) so that subsequent token impersonation calls succeed.

privilege::name
privilege::name accepts the canonical Se<Name>Privilege string and resolves it to a Local Unique Identifier (LUID) through LookupPrivilegeValue. It validates that the LUID fits within the 32-bit range used by RtlAdjustPrivilege before enabling it. This is the most readable way to script privilege elevation because it avoids hard-coding numeric values. (Source: mimikatz/mimikatz/modules/kuhl_m_privilege.c, lines 45-62.)
mimikatz # privilege::name SeCreateSymbolicLinkPrivilege
Privilege '35' OK
This call is equivalent to privilege::id 35 and enables symbolic link creation on systems without Developer Mode.

The header enumerates all privilege identifiers understood by the helper, making it easy to identify the integer you must supply to privilege::id. Only a subset has direct commands, but any of them can be enabled by number or by name. (Source: mimikatz/mimikatz/modules/kuhl_m_privilege.h, lines 24-59.)
| Identifier | Privilege | Typical scenario |
|---|---|---|
| 2 | SeCreateTokenPrivilege | Needed to create access tokens programmatically or duplicate them in security research. |
| 3 | SeAssignPrimaryTokenPrivilege | Required to assign a primary token to a new process, often used in privilege escalation testing. |
| 4 | SeLockMemoryPrivilege | Permits locking pages in memory; useful when testing Direct Memory Access tooling or drivers. |
| 5 | SeIncreaseQuotaPrivilege | Allows raising process quotas, required for some job object manipulations. |
| 6 | SeUnsolicitedInputPrivilege | Legacy privilege rarely used; kept for completeness when replicating legacy subsystems. |
| 7 | SeTcbPrivilege | See privilege::tcb above. |
| 8 | SeSecurityPrivilege | See privilege::security above. |
| 9 | SeTakeOwnershipPrivilege | Enables taking ownership of objects without ACL access, useful before modifying protected registry keys or files. |
| 10 | SeLoadDriverPrivilege | See privilege::driver above. |
| 11 | SeSystemProfilePrivilege | Grants profiling of system performance counters, aiding low-level performance analysis. |
| 12 | SeSystemtimePrivilege | Required to adjust the system clock; relevant when testing time-based Kerberos attacks. |
| 13 | SeProfileSingleProcessPrivilege | Lets you profile a single process, helpful for targeted performance or forensic work. |
| 14 | SeIncreaseBasePriorityPrivilege | Enables changing base priority classes, useful for experiments with scheduler behaviour. |
| 15 | SeCreatePagefilePrivilege | Necessary to create or resize page files during system configuration exercises. |
| 16 | SeCreatePermanentPrivilege | Allows creating permanent objects in the object manager namespace; useful in kernel research. |
| 17 | SeBackupPrivilege | See privilege::backup above. |
| 18 | SeRestorePrivilege | See privilege::restore above. |
| 19 | SeShutdownPrivilege | Needed to shut down or restart the computer programmatically. |
| 20 | SeDebugPrivilege | See privilege::debug above. |
| 21 | SeAuditPrivilege | Allows generating security audit records; necessary when simulating auditing subsystems. |
| 22 | SeSystemEnvironmentPrivilege | See privilege::sysenv above. |
| 23 | SeChangeNotifyPrivilege | Bypasses traverse checking; useful when traversing directories without explicit ACL entries. |
| 24 | SeRemoteShutdownPrivilege | Required for shutting down remote systems using tools like shutdown.exe. |
| 25 | SeUndockPrivilege | Grants undocking laptops without local logon; retained for completeness in hardware testing. |
| 26 | SeSyncAgentPrivilege | Enables synchronizing directory service data; useful for testing domain replication scenarios. |
| 27 | SeEnableDelegationPrivilege | Required to mark accounts as trusted for delegation while testing Kerberos delegation. |
| 28 | SeManageVolumePrivilege | Needed to run defragmentation or volume maintenance utilities that bypass ACL checks. |
| 29 | SeImpersonatePrivilege | Lets a process impersonate an access token; fundamental to many privilege escalation techniques. |
| 30 | SeCreateGlobalPrivilege | Required to create named objects in global namespaces on Terminal Services systems. |
| 31 | SeTrustedCredManAccessPrivilege | Grants access to Credential Manager as a trusted caller. |
| 32 | SeRelabelPrivilege | Allows changing the integrity level of objects, relevant for Mandatory Integrity Control experiments. |
| 33 | SeIncreaseWorkingSetPrivilege | Required to increase the working set size of a process. |
| 34 | SeTimeZonePrivilege | Needed to change the system time zone configuration. |
| 35 | SeCreateSymbolicLinkPrivilege | Required to create symbolic links without Developer Mode on newer Windows versions. |
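
The following C program is an added example, not mimikatz code and not part of the original page. It parses an argument the way the privilege::id section describes (wcstoul with automatic base detection) and maps the result onto the identifier table above, which makes the octal pitfall visible: 017 resolves to 15 (SeCreatePagefilePrivilege), not 17 (SeBackupPrivilege). The helper name priv_name_from_arg and its stricter rejection of trailing characters and out-of-table values are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Identifiers 2..35 from the table on this page; array index = id - 2. */
static const char *const PRIV_NAMES[] = {
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeUnsolicitedInputPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfileSingleProcessPrivilege",
    "SeIncreaseBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege",
    "SeDebugPrivilege", "SeAuditPrivilege", "SeSystemEnvironmentPrivilege",
    "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege",
    "SeSyncAgentPrivilege", "SeEnableDelegationPrivilege", "SeManageVolumePrivilege",
    "SeImpersonatePrivilege", "SeCreateGlobalPrivilege", "SeTrustedCredManAccessPrivilege",
    "SeRelabelPrivilege", "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
    "SeCreateSymbolicLinkPrivilege"
};
#define PRIV_MIN 2UL
#define PRIV_MAX 35UL

/* Hypothetical helper, not mimikatz code: parse as wcstoul(arg, &end, 0) does and map
   the value to a name. Trailing characters and values outside the table return NULL. */
const char *priv_name_from_arg(const wchar_t *arg, unsigned long *id_out)
{
    wchar_t *end = NULL;
    unsigned long id;
    if (arg == NULL || *arg == L'\0') return NULL;
    errno = 0;
    id = wcstoul(arg, &end, 0); /* base 0: "0x" = hex, leading "0" = octal */
    if (errno == ERANGE || end == arg || *end != L'\0') return NULL;
    if (id < PRIV_MIN || id > PRIV_MAX) return NULL;
    if (id_out != NULL) *id_out = id;
    return PRIV_NAMES[id - PRIV_MIN];
}

int main(void)
{
    /* Constructed sample arguments; "017" is octal 15, not decimal 17. */
    const wchar_t *samples[] = { L"17", L"0x11", L"021", L"017", L"0x1d", L"99" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long id = 0;
        const char *name = priv_name_from_arg(samples[i], &id);
        printf("%ls -> %lu %s\n", samples[i], id, name ? name : "(rejected)");
    }
    return 0;
}
```
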

Tip: When automation is required, call privilege::name <SePrivilege> in scripts instead of memorising identifier values, and only escalate the privileges you actually need to maintain a minimal attack surface.