# Sherlock EoP Auditor — Release Notes

## v1.0.0 — first public release (2026-06-16)

**Sherlock EoP Auditor** maps a Windows machine's local privilege-escalation (EoP)
surface the way an attacker would, then reports it in plain language. Built by the
Sherlock Forensics lab — the same tooling behind our coordinated vulnerability
disclosures.

### What it does
- **Passive surface scan** of third-party SYSTEM services and the local
  configuration that lets a standard user reach SYSTEM, including:
  - Writable service binaries / directories and DLL search-order (phantom DLL) gaps
  - Unquoted service paths
  - Weak service security descriptors (a non-admin able to reconfigure a SYSTEM service)
  - AlwaysInstallElevated policy
  - Dangerous held token privileges (SeImpersonate and friends)
  - Plaintext autologon credentials
  - User-writable autoruns
- **Findings** are prioritized by severity and labelled by CWE class, each with a
  plain-language "what it means / how to fix."
- **Active verification modules (PRO):**
  - **Runtime** — watch a SYSTEM service start under a trace and catch runtime DLL loads that static scanning misses.
  - **Managed** — inspect a .NET SYSTEM service's exposed interface and privileged operations.
  - **Pipes** — enumerate named pipes, check which a non-admin can reach, and probe them safely as a simulated standard user.
- **Report export (PRO).**
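
Two of the passive checks listed above, as an added illustration that is not the Sherlock Forensics tool's own code: a read-only PowerShell audit for the AlwaysInstallElevated policy and for unquoted service paths. The registry locations are the standard Windows ones; the script assumes Windows PowerShell 5.1 or later and read access to HKLM.

```powershell
# Added example, not part of Sherlock EoP Auditor: a read-only registry audit
# for two of the configuration checks in the passive scan list. Assumes Windows
# PowerShell 5.1 or later (run as Administrator for complete results).

function Test-AlwaysInstallElevated {
    # The policy is only effective when BOTH the machine and the user value are 1.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $set = 0
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($v -eq 1) { $set++ }
    }
    return ($set -eq 2)
}

function Get-UnquotedServicePath {
    # Walks HKLM\SYSTEM\CurrentControlSet\Services and flags ImagePath values whose
    # executable path contains a space but is not wrapped in quotes. Only reads the
    # registry; nothing is changed.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $p = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $p) { return }                      # no ImagePath (e.g. some drivers)
        $p = [Environment]::ExpandEnvironmentVariables($p)
        # Already quoted, or not a drive-letter path (kernel drivers use \SystemRoot\...)
        if ($p.StartsWith('"') -or $p -notmatch '^[A-Za-z]:\\') { return }
        # Take everything up to the first ".exe"; arguments after it do not matter.
        $m = [regex]::Match($p, '(?i)^(.*?\.exe)')
        if ($m.Success -and $m.Groups[1].Value -match '\s') {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $p
                Fix       = 'Wrap the executable path in double quotes (sc config <name> binPath= "...")'
            }
        }
    }
}

# Report: one warning for the policy, one row per affected service.
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is enabled in both HKLM and HKCU policy; set both values to 0.'
}
Get-UnquotedServicePath | Format-Table -AutoSize
```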

### Free vs PRO
- **Free:** the full passive scan and all configuration checks. Findings show the
  count, severity, and CWE class; the specific service/path is unlocked with PRO.
- **PRO:** the three active verification modules, report export, and full finding detail.

### Safety
- The scan is **read-only** — it only reads the registry and files.
- The active PRO tools include tests that can restart, overwrite, or briefly hang a
  service; each is clearly labelled **"ACTIVE TEST — changes the system"** and asks
  for confirmation before it runs. Run those on test machines, not production.

### Notes
- Windows 10/11 (x64). Run as Administrator for complete results.
- Some checks shell out to built-in Windows tools (`sc`, `whoami`); the Runtime
  module can use Sysinternals Procmon, and the Managed module the .NET SDK's `ildasm`,
  when they are present (the app will point you to them if they are missing).

### Integrity
- Signed with the Sherlock Forensics Ltd. EV code-signing certificate (SSL.com).
- A `.sha256` sidecar accompanies the download; verify before running.
