Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson )
Use Google to search for kernel exploits
Use searchsploit to search for kernel exploits
Any vulnerable Driver?
Check current user privileges
Check if you have any of these token enable: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
What is inside the Clipboard?
Check current network information
Check hidden local services restricted to the outside
Is any unknown software running?
Is any software with more privileges that it should have running?
Search for exploits for running processes (specially if running of versions)
Can you read some interesting process memory (where passwords could be saved)?
Have write permissions over the binaries executed by the processes?
Have write permissions over the folder of a binary being executed to perform a DLL Hijacking?
What is running on startup of is scheduled? Can you modify the binary?
Can you dump the memory of any process to extract passwords?
Can you write in any folder inside PATH?
Is there any known service binary that tries to load any non-existant DLL?
Can you write in some binaries folder?
Windows Vault credentials that you could use?
Interesting DPAPI credentials?
Credentials inside "known files"? Inside the Recycle Bin? In home?
Inside Browser data (dbs, history, bookmarks....)?
AppCmd.exe exists? Credentials?
SCClient.exe? DLL Side Loading?
Is this enabled?
Is it vulnerable?
Are you able to write files that could grant you more privileges?
There are several ways to bypass the UAC