1. Knowing username and password → RunasCs.exe
2. Misconfigured Services
3. WSUS Spoofing
4. SeBackupPrivilege

Missing patches

Automated deployment and AutoLogon passwords in clear text

AlwaysInstallElevated (Any user can run MSI as SYSTEM)


Misconfigured Services

Unquoted Service Path

An unquoted service path is where the path to the service binary is not wrapped in quotes. Why is that a problem? By itself it's not, but under specific conditions it can lead to an elevation of privilege.

condition #1 for exploitation


  1. This service's binary path does not contain any spaces, so it has not been enclosed in double quotes
  2. This service has spaces within the binary path, but it has been enclosed in double quotes (well done 👍🏻)
  3. This service's binary path contains spaces and has NOT been enclosed in double quotes (VULNERABLE)
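
A read-only audit that sorts service binary paths into the three cases listed above, as an added PowerShell example that is not part of the original notes. The function name `Test-ServicePathQuoting` and the sample paths are constructed for illustration.

```powershell
# Added example: classify a service's binary path into the three cases above.
# Test-ServicePathQuoting is a hypothetical helper name, not a built-in cmdlet.
function Test-ServicePathQuoting {
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return 'Empty' }
    $p = $PathName.Trim()

    # Case 2: the executable path is wrapped in double quotes.
    if ($p.StartsWith('"')) { return 'Quoted' }

    # Separate the executable from its arguments: take everything up to the
    # first ".exe" so that spaces in arguments (svchost.exe -k ...) do not count.
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)') {
        $exe = $Matches['exe']
    } else {
        $exe = $p   # no .exe found: judge the whole string
    }

    if ($exe -match '\s') { return 'UnquotedWithSpaces' }   # case 3
    return 'UnquotedNoSpaces'                                # case 1
}

# Constructed sample paths, one per case in the list above.
$samples = @(
    'C:\Windows\System32\svchost.exe -k netsvcs -p',
    '"C:\Program Files\Vendor App\svc.exe" --service',
    'C:\Program Files\Vendor App\svc.exe --service'
)
$samples | ForEach-Object { '{0,-20} {1}' -f (Test-ServicePathQuoting $_), $_ }

# On a live host: list the services that fall into case 3 so their
# ImagePath value can be corrected by wrapping the executable path in quotes.
Get-CimInstance Win32_Service |
    Where-Object { (Test-ServicePathQuoting $_.PathName) -eq 'UnquotedWithSpaces' } |
    Select-Object Name, StartName, StartMode, PathName
```

The split on the first `.exe` matters: most built-in services carry arguments after an unquoted path with no spaces, and counting those spaces would flag them incorrectly.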