> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/windows-privilege-escalation/startup-applications.md).

# Startup Applications

## Overview

Similar to [AutoRuns](/windows-privilege-escalation/registy/autoruns.md), the concept of exploiting startup applications is that we configure a malicious executable as a startup application and hopefully get a Admin shell back when the computer reboots and a Administrator logs in.

## Escalation via Startup Applications

View permissions on startup folder using [icacls.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls)

```powerquery
 icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
```

<figure><img src="/files/Tqy0BuKso4h4Ii6yAFVP" alt=""><figcaption><p>Desired output</p></figcaption></figure>
