Windows Privilege Escalation Unquoted Service – Part 1

In Part 1 of this three-part series, I'll show you how to upgrade Windows privileges by attacking unreferenced services. I will tell you how to locate unquoted services to attack.

Blog posts:
Download the source code:

Registry location: HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet services

Wmic service gets name, pathname, startmode | findstr / i / v "C: Windows \" | findstr / i / v "" "

πŸ“Œ Support channelπŸ“Œ
βœ”οΈ 50% discount πŸ‘πŸ—¨ TorGuard VPN …

8 Replies to “Windows Privilege Escalation Unquoted Service – Part 1”

  1. Another tip for those times you are doing a build review or end up with limited access to say an RDP/Citrix session and cmd/powershell and wmic are disabled.

    Create shortcut: msinfo32

    Open it.

    Software environment
    Sort services based on imagepath.

    Scroll down to where the quotes disappear and laying between the standard Windows services (almost always unquoted but not vulnerable) and the quoted paths above are your services of interest. πŸ˜€

    The user they run as are conveniently listed on the right too.

    Edit: msinfo32.exe is almost never disabled on a locked down environment and also provides other interesting and possibly useful info such as the environment variables too πŸ™‚

Leave a Reply

Your email address will not be published. Required fields are marked *