Tool / Windows Privilege Escalation Scanner
Sherlock EoP Auditor
Your Windows privilege escalation surface, surfaced.
The Sherlock EoP Auditor is a native Windows tool that maps the local privilege escalation surface of a machine the way an attacker would, then hands you the findings in plain language. It automates the manual craft our lab uses to find zero-days: enumerating privileged services, inspecting the local interfaces they expose and flagging the exact spots where a standard user could reach SYSTEM.
Built by a working vulnerability researcher to put a rare skillset (reading disassembly, walking IPC pipes, parsing service permissions) into the hands of defenders and IT teams who need the answers without the decade of reverse engineering.
Release date is gated on coordinated vendor patch availability for SF-LABS-2026-04 PARTY LINE. We do not publish a working zero-day reproducer while users are still vulnerable. Join the early-access list for first-in-line notification when the binary ships.
Origin
Proven, Not Theoretical
Track the live disclosures at the Sherlock Forensics Labs hub, including SF-LABS-2026-04 PARTY LINE, which was discovered start-to-finish by the EoP Auditor.
Coverage
What It Checks
Exposed control channels
Privileged services listening on local interfaces that under-privileged users can reach, and whether they actually authenticate the caller.
Untrusted load paths
Places a SYSTEM process can be steered into loading code or files it should not.
Privileged operation logic
Trusted file, update and service routines that can be turned against the system.
Configuration weakness
Writable service binaries, DLL search-order gaps, unquoted service paths, weak service security descriptors, AlwaysInstallElevated policy, dangerous held token privileges, plaintext autologon credentials and user-writable autoruns.
Runtime verification (PRO)
Watch a SYSTEM service start under a trace and catch runtime DLL loads that static scanning misses.
Managed + Named-Pipe probe (PRO)
Inspect the exposed interfaces and privileged operations of .NET SYSTEM services. Enumerate named pipes, check which ones a non-admin can reach and probe them safely as a simulated standard user.
Each finding comes with a clear prioritized verdict including what it is, why it matters, the CWE class and whether a standard user can really reach it. No wall of raw output.
Audience
Who It Is For
- IT and security teams hardening Windows fleets.
- MSPs auditing client endpoints at scale.
- Incident responders and forensic examiners mapping how a foothold became SYSTEM.
- Researchers who want the grunt work automated so they can focus on judgment.
Pricing
Free and PRO
Free Edition
- Complete passive privilege escalation surface scan
- All configuration checks (writable services, DLL paths, security descriptors, AlwaysInstallElevated, token privileges, autologon credentials, autoruns)
- Findings show count, severity and CWE class
- Single portable .exe, no installer, no admin install
PRO License
- Runtime module: watch a SYSTEM service start under a trace and catch runtime DLL loads that static scanning misses
- Managed module: inspect a .NET SYSTEM service's exposed interface and privileged operations
- Pipes module: enumerate named pipes, check which ones a non-admin can reach and probe them safely as a simulated standard user
- Full finding detail including specific service or path
- Report export for fleet audits and compliance evidence
- Included free in the Sherlock Suite
System
Requirements
Read the v1.0.0 release notes for the full module-by-module breakdown.
Early Access
Be First In Line
Release is gated on coordinated vendor patch availability for SF-LABS-2026-04 PARTY LINE. Drop your email to get a one-message notification the moment the binary ships and the gate clears.
For enterprise or MSP licensing inquiries before public release or for pre-release access under a research NDA, contact labs@sherlockforensics.com directly.
Why Sherlock
Built by the Lab That Finds Zero-Days
The EoP Auditor is built and battle-tested by the same lab whose coordinated disclosures you can track in real time. Court-defensible rigor, responsible disclosure discipline and original research, in a tool. Lead researcher Ryan Purita is a Principal Security Consultant with CISSP, ISSAP and ISSMP certifications and 20 years of courtroom-tested digital forensics work.
For enterprise or MSP licensing or a guided fleet review, contact labs@sherlockforensics.com.