Windows Fundamentals · beginner · ~10 min
Explain what services are, the accounts they run as, and why their config is a privesc target.
Services are SCM-managed background programs, each with a binary path, start type, and a service account (often SYSTEM). Misconfigured paths/permissions/binaries make services the top Windows local-privesc target.
Most Windows local privilege escalation runs through services: unquoted paths, weak reconfigure rights, or writable binaries let a normal user run code as SYSTEM. Service enumeration (sc qc, accesschk) is a standard early step.
SCM. Manages services (Windows' daemons).
Service account. LocalSystem/LocalService/NetworkService/user; SYSTEM is the prize.
Misconfig classes. Unquoted path, weak permissions, writable binary.
Enumeration. sc query/qc, services.msc.
A Windows service is a background program managed by the Service Control Manager (SCM) — the Windows equivalent of a Linux daemon/systemd unit.
Each service has: a binary path (the executable + arguments), a start type (automatic/manual/disabled), and a service account it runs as.
Services run as LocalSystem (= SYSTEM, all-powerful), LocalService/NetworkService (limited), or a specific user. A service running as SYSTEM is the prize: control its code and you are SYSTEM.
Common misconfigurations (detailed in the privesc track):
sc config), then restart it.
sc query / sc qc <name> show service config; services.msc is the GUI. Enumerating services, their accounts, and their binary ACLs is core Windows enumeration.
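As an added example (not part of the original lesson), the audit sketch below parses saved sc qc output and lists services whose binary path is unquoted and contains a space, noting which of them run as LocalSystem. The service names and paths are constructed and the sample output is abridged; the check covers only the unquoted-path class, not service permissions or binary ACLs.

```python
import re

# Constructed, abridged `sc qc` output for three hypothetical services.
SAMPLE = r"""
SERVICE_NAME: ExampleUpdater
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\updater.exe --service
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: ExampleAgent
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : "C:\Program Files\Example Vendor\agent.exe" -k run
        SERVICE_START_NAME : NT AUTHORITY\LocalService
SERVICE_NAME: ExampleHost
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\System32\examplehost.exe -k grp
        SERVICE_START_NAME : LocalSystem
"""

FIELDS = {"START_TYPE": "start", "BINARY_PATH_NAME": "binpath",
          "SERVICE_START_NAME": "account"}

def parse_sc_qc(text):
    """Turn concatenated `sc qc` output into one dict per service."""
    services = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so C:\ survives
        key, value = key.strip(), value.strip()
        if sep and key == "SERVICE_NAME":
            services.append({"name": value})
        elif sep and services and key in FIELDS:
            services[-1][FIELDS[key]] = value
    return services

def unquoted_with_space(binpath):
    """True when the executable part has a space and no surrounding quotes."""
    if binpath.startswith('"'):
        return False
    m = re.match(r"(.+?\.exe)\b", binpath, re.IGNORECASE)
    return bool(m) and " " in m.group(1)

def audit(text):
    """List services with an unquoted path, noting which run as SYSTEM."""
    return [{"name": s["name"], "account": s.get("account", ""),
             "system": s.get("account", "").lower() == "localsystem"}
            for s in parse_sc_qc(text)
            if unquoted_with_space(s.get("binpath", ""))]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The fix for a flagged service is to wrap the executable portion of its binary path in double quotes.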
Windows services run background code under an account that's frequently SYSTEM; their path, permissions, and binary ACLs are the most common local-escalation routes, so enumerating them is essential.