Home Breaking out of Windows Environments

Breaking out of Windows Environments

Collection of different things to try when attempting to breakout of a Windows environment such as Citrix, AWS AppStream, CyberArk PSM, etc.

  1. General Tips & Ideas
  2. Keyboard Shortcuts
  3. Restricted CMD Shell
  4. CMD/PowerShell Blocked
  5. Allowed Applications
  6. Checks to Perform After Breaking Out

General Tips & Ideas


  • Attempt to open Dialog Windows in the application such as Open, Save, New, Import, Export, etc.
  • When Saving/Exporting, does the file auto open? Is there an Auto Open option.
  • If the Dialog window is restricted, always right click in the Window and on Files to look for additional options.


  • Look for Help/About/Guide pages and options in the application to try and launch a Web Browser.
  • Look for hyperlinks in the UI as they may be opened by a browser when clicked.

Sticky Keys

  • (Shift x5)
  • Click Ease of Access link.
  • Control Panel should now be open if it’s allowed.


  • (Win + +)
  • Settings Icon
  • Click Control whether Magnifier starts when I sign in.
  • Control Panel should now be open if it’s allowed.


  • (Win + Enter).
  • A small window may open in the bottom left. If so, enlarge it.
  • Click General.
  • Click Control whether Narrator starts when I sign in.
  • Control Panel should now be open if it’s allowed.

Interrupt Startup

  • Are there any process/setups that can be interrupted (e.g. using CTRL + C) during startup/loading of the session?
  • Can Task Manager be opened while the session is loading?

Right Click

  • Right click everywhere in and on the application to find additional options. This can lead to more opportunities to try the above steps.

Keyboard Shortcuts

Various key combinations to press to try and abuse the target application into opening Windows functionality.

  • Windows Key
  • Ctrl + Alt + End
  • Ctrl + Alt + Del
  • Ctrl + Alt + Ins
  • Ctrl + Alt + Esc
  • Win + R
  • Win + E
  • Alt + Tab
  • Print functionality (Ctrl + P).
  • (Windows + Left/Right/Up/Down) to Move the app.

Restricted CMD Shell

Idea 1:

  • Open explorer from CMD (if allowed).
  • Enter CMD in the location bar.
  • See if new CMD prompt is restricted.

Idea 2:

  • While in a restricted shell change directory to C:\Windows\System32.
  • Run cmd.exe.
  • See if new CMD prompt is restricted.

Idea 3:

  • Same as Idea 2, but with PowerShell directory.
  • Run powershell.exe or powershell_ise.exe.

CMD/PowerShell Blocked

Idea 1:

  • If CMD is blocked, try PowerShell and vice versa.

Idea 2:

  • Create a bat file that contains cmd.
  • Run the bat file via Windows Explorer.

Allowed Applications

Are any of the following applications enabled and accessible?

Command Prompt:

  • C:\Windows\system32\cmd.exe


  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Internet Explorer:

  • C:\Program Files\Internet Explorer\iexplore.exe

File Transfer Protocol (FTP):

  • C:\Windows\system32\ftp.exe

Remote Desktop Connection (RDP):

  • C:\Windows\system32\mstsc.exe


  • Desktop Environment - C:\Windows\explorer.exe
  • File Explorer - C:\Windows\system32\explorer.exe


  • C:\Windows\system32\services.msc


  • C:\Windows\system32\notepad.exe

Control Panel:

  • C:\Windows\system32\control.exe


  • C:\Windows\system32\Narrator.exe


  • C:\Windows\system32\Magnify.exe

Checks to Perform After Breaking Out

  • Has internet access been restricted?
  • Is outbound DNS enabled?
  • If RDP is in use, is Copy-Paste enabled? Can you copy files/payloads to the machine this way?
  • Are there sensitive files stored on the machine (Documents, Downloads, Pictures, Videos, User Directory, Other Drives, Network Shares, etc).
  • What privilege is the underlying session running as?
  • Is the Operating System in use old and/or missing updates?
  • Can the host communicate with other computers or shares in the network?
  • Is privilege escalation possible?
  • If privilege level allows for it, can the LSASS process be dumped?
This post is licensed under CC BY 4.0 by the author.