Privilege Escalation · intermediate · ~12 min

Windows privesc: service misconfigurations

Identify the service-based Windows escalations and their fixes.

Overview

Most Windows services run as SYSTEM or another privileged account, so whoever controls what a service executes inherits that privilege. Three misconfigurations hand that control to an ordinary user: unquoted service paths (plant a binary at an earlier path segment), weak service permissions (sc config to repoint binPath), and writable service binaries or DLLs (replace the file, or plant a DLL the service will load). Fixes: quote the paths, correct the service DACLs, correct the file ACLs.

Why it matters

Service misconfigurations are among the most common Windows local privesc findings. None of them needs a memory-corruption exploit: each yields SYSTEM the moment the service restarts with attacker-controlled code. Recognising the three patterns and enumerating them with sc qc and accesschk is core Windows post-exploitation.

Core concepts

Unquoted path. Spaces and no quotes in the binary path, so a binary planted at an earlier path segment runs as the service account.
Weak perms. SERVICE_CHANGE_CONFIG on the service lets a user run sc config binPath= to point it at their own binary.
Writable binary/DLL. Replace the .exe, or plant a DLL in a writable directory on the service's DLL search path.
Enumerate. sc qc, accesschk, WinPEAS.
Fix. Quote paths, tighten service DACLs, tighten file ACLs.

Lesson

Windows services usually run as SYSTEM, so controlling what a service executes means SYSTEM. Three classic service misconfigurations:

1. Unquoted service path

A service binary path with spaces and no quotes:

C:\Program Files\My App\service.exe

Windows tries C:\Program.exe, then C:\Program Files\My.exe, then the full path. If you can create a file at one of those earlier locations, your binary runs as the service account the next time the service starts (so you also need SERVICE_STOP and SERVICE_START on it, or a reboot for an auto-start service). The default ACLs on C:\ and C:\Program Files do not let standard users create files there, so the exploitable case is usually an application directory whose ACLs were loosened at install time. Fix: quote the path.
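The following PowerShell is an added example, not code from the original lesson. It reproduces the prefix splitting that CreateProcess applies to an unquoted image path, probes which of the candidate locations the current user can actually create a file in, and writes the quoted path back as the fix. The sample path, the -port argument and the service name MyAppSvc are assumptions for illustration; Find-UnquotedServicePaths audits the local machine instead. Requires Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original lesson). Service name "MyAppSvc" and the
# sample path are assumptions for illustration.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # Keep only the image path: for an unquoted path that is everything up to ".exe".
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
    # Quoted, or no spaces: nothing to exploit.
    if ($PathName.StartsWith('"') -or $exe -notmatch ' ') { return @() }
    # CreateProcess tries each space-delimited prefix with ".exe" appended, left to
    # right, before it reaches the real binary.
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-FileCreatable {
    # Probe by creating and deleting an empty file: that is exactly what an attacker
    # needs, and it sidesteps reasoning about inherited ACEs by hand.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePaths {
    # One row per candidate; StartMode tells you whether a reboot alone would fire it
    # (Auto) or whether you also need start/stop rights on the service.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }   # some services carry no image path
        foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                Candidate = $cand
                Creatable = Test-FileCreatable -Directory (Split-Path -Parent $cand)
            }
        }
    }
}

function Repair-ServiceImagePath {
    # The fix: write the quoted path back to ImagePath. Needs administrator rights;
    # takes effect on the next service start. The raw (unexpanded) value is read so
    # that %SystemRoot%-style paths survive the rewrite.
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-Item -Path $key).GetValue('ImagePath', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($path.StartsWith('"') -or $path -notmatch ' ') { return $path }
    $exe   = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
    $tail  = $path.Substring($exe.Length)          # service arguments, if any
    $fixed = '"' + $exe + '"' + $tail
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
    return $fixed
}

# Constructed input (not from a real host): the lesson's example path plus an argument.
Get-UnquotedPathCandidates -PathName 'C:\Program Files\My App\service.exe -port 8080'
# Audit the local machine, then fix a finding (second line needs an elevated shell):
#   Find-UnquotedServicePaths | Format-Table -AutoSize
#   Repair-ServiceImagePath -Name MyAppSvc
```

The constructed call yields the two candidates the lesson names, C:\Program.exe and C:\Program Files\My.exe, and the argument after the .exe is left out of the candidates because CreateProcess only splits the part of the command line it has not yet resolved to an executable. Test-FileCreatable deliberately creates a real file rather than inspecting ACLs, since the C:\ root is a common false positive: standard users may create folders there but not files.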

2. Weak service permissions

If your user has SERVICE_CHANGE_CONFIG on a service, you can repoint its binary:

sc config vulnsvc binPath= "C:\Users\you\evil.exe"

then stop and start it (you need SERVICE_STOP and SERVICE_START on the service as well, or a reboot if it is auto-start) and your binary runs as the service account. The space after binPath= is required, and from PowerShell call sc.exe explicitly, because sc on its own is an alias for Set-Content. Audit with accesschk, or with sc sdshow, which prints the service DACL as SDDL; SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER each amount to control of the service. Fix: correct the service DACL (sc sdset).
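An added example, not code from the original lesson, that turns the SDDL printed by sc.exe sdshow into a list of non-administrative principals holding rights that let them reconfigure, restart, or take over the service. The SDDL sample at the bottom is constructed for illustration (a default-looking service DACL plus one extra ACE for BUILTIN\Users); the set of "trusted" SIDs and the right names are this example's own choices, not anything the lesson defines.

```powershell
# Added example (not from the original lesson). Parses a service DACL from SDDL and
# flags dangerous grants. Trusted-SID list and right names are this example's choices.

# Service-specific and standard rights that give control of the service.
$ServiceRights = @{
    SERVICE_CHANGE_CONFIG = 0x0002       # sc config binPath= ...
    SERVICE_START         = 0x0010
    SERVICE_STOP          = 0x0020
    DELETE                = 0x10000      # delete and recreate the service
    WRITE_DAC             = 0x40000      # rewrite the DACL itself
    WRITE_OWNER           = 0x80000
    GENERIC_WRITE         = 0x40000000
    GENERIC_ALL           = 0x10000000
}
$DangerousMask = 0
foreach ($v in $ServiceRights.Values) { $DangerousMask = $DangerousMask -bor $v }

# Principals expected to control services: SYSTEM, Administrators, LocalService,
# NetworkService. Anything else holding a dangerous right is reported.
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-5-19', 'S-1-5-20')

function Get-DangerousServiceAces {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs grant anything; deny and audit entries are skipped.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($TrustedSids -contains $sid) { continue }
        $granted = $ace.AccessMask -band $DangerousMask
        if ($granted -eq 0) { continue }
        $names = $ServiceRights.GetEnumerator() |
            Where-Object { ($granted -band $_.Value) -ne 0 } | ForEach-Object Name | Sort-Object
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid }
        [pscustomobject]@{ Principal = $account; Sid = $sid; Rights = ($names -join ', ') }
    }
}

function Test-ServiceDacl {
    # Wraps sc.exe sdshow for a live service. sdshow prints the SDDL on one line.
    param([Parameter(Mandatory)][string]$Name)
    $sddl = sc.exe sdshow $Name | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $sddl) { throw "No security descriptor returned for service '$Name'" }
    Get-DangerousServiceAces -Sddl $sddl.Trim()
}

# Constructed sample, not from a real host: the usual SY/BA/IU/SU entries plus an
# ACE granting BUILTIN\Users (BU) change-config (DC), start (RP) and stop (WP).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCRPWP;;;BU)'
Get-DangerousServiceAces -Sddl $sample | Format-Table -AutoSize

# Live use:  Test-ServiceDacl -Name vulnsvc
# Fix (admin): rewrite the DACL without the offending ACE using
#   sc.exe sdset vulnsvc "<corrected SDDL>"
# and confirm with sc.exe sdshow vulnsvc.
```

On the constructed sample the only row is BUILTIN\Users, and it lists all three of change-config, start and stop, which is the complete chain the lesson describes: the user can repoint binPath and bounce the service without waiting for a reboot. The IU and SU entries carry only query rights and are not reported even though they are not in the trusted list.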

3. Writable service binary / DLL

If the service's .exe, or a DLL it loads, is writable by your user (an NTFS ACL problem), replace it and restart the service. DLL hijacking also applies when a service loads a DLL by name (or tries to load one that does not exist) and a directory earlier in its search order is writable; the directory holding the service .exe is searched first, so a writable install directory is enough on its own. Fix: correct file ACLs; have services load DLLs from absolute, protected paths.
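An added example, not code from the original lesson, that checks the NTFS ACLs on each service's binary and on the directory containing it for write-class rights granted to broad groups. A writable .exe means outright replacement; a writable directory means a DLL can be planted beside the binary. The list of broad principals, the image-path parsing, and the icacls fix line are this example's assumptions.

```powershell
# Added example (not from the original lesson). Broad-group list and parsing are
# this example's assumptions.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user alter/replace a file or add files to a directory. Generic
# bits are included because Get-Acl reports them unmapped on some objects.
$fs = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$fs::Write -bor [int]$fs::Delete -bor
             [int]$fs::ChangePermissions -bor [int]$fs::TakeOwnership -bor
             0x40000000 -bor 0x10000000          # GENERIC_WRITE, GENERIC_ALL

function Get-WeakFileAces {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited     # inherited => fix it at the parent
        }
    }
}

function Get-ServiceImagePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Quoted: take the quoted token. Unquoted: everything up to the first ".exe".
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)')  { return $Matches[1] }
    return $PathName
}

function Find-WritableServiceFiles {
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $svc = $_.Name
        $exe = Get-ServiceImagePath -PathName $_.PathName
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
        # The binary itself (replacement) and its directory (DLL planting).
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            Get-WeakFileAces -Path $target |
                Select-Object @{ n = 'Service'; e = { $svc } }, *
        }
    }
}

Find-WritableServiceFiles | Format-Table -AutoSize

# Fix (admin): remove the broad grant where it is set explicitly, e.g.
#   icacls "C:\Program Files\My App" /remove:g "BUILTIN\Users"
# icacls /remove only touches explicit ACEs; an inherited grant must be removed on
# the parent (or inheritance broken with /inheritance:r and least privilege re-applied).
# Confirm afterwards with Get-Acl.
```

Both checks reuse the same ACL test because the attacker outcome is the same: once the user can write into the directory, the distinction between replacing service.exe and dropping a DLL next to it is only about which file the service loads first. The Inherited column matters for remediation: a grant inherited from a parent directory will reappear if you only fix the child.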

Enumeration

sc qc <svc> prints the binary path (quotes included, if any) and the start type; accesschk.exe -uwcqv <user> * lists every service the user has write access to, with the rights spelled out (-u suppress errors, -w write access only, -c treat the targets as services, -q no banner, -v verbose); icacls or Get-Acl show the file ACLs; WinPEAS bundles all of these checks. Each finding turns into SYSTEM only when the service restarts, so note from sc qc whether it is auto-start and whether the user can stop and start it.

Summary

Windows services run as SYSTEM, so unquoted paths, weak reconfigure rights, and writable binaries/DLLs each escalate to SYSTEM. Defend by quoting paths and tightening service and file permissions.