EoP 0: System info Winlogon.exe : : 0xff : installed software, running processes, bind ports, and OS version might be critical to identify the right EoP vector. SYSTEM with incorrect file permissions might allow EoP. You can replace the binary, restart the service and get system.
Common exploitation payloads involve: Replacing the affecting binary with a reverse shell or a command that creates a new user and adds it to the Administrator group. If wmic is not available we can use sc. Windows XP SP1 is known to be vulnerable to EoP in upnphost. If wmic and sc is not available, you can use accesschk.
Administrator with an unquoted path and spaces in the path we can hijack the path and use it to elevate privileges. Find all those strings in config files. Find all passwords in all files. These are common files to find them in. LM hash rather than a cleartext password. EoP 5: Services only available from loopback You can find services bind to the loopback interface that are not reachable through the network running.