{ "id": "b2c75cc0-7ecd-4838-8589-7712cc0e9b76", "created_at": "2026-04-06T00:16:49.916538Z", "updated_at": "2026-04-12T02:21:05.957058Z", "deleted_at": null, "sha1_hash": "344af2950ec30d6dc57cc1a717f92e90e8ee8968", "title": "Windows Privilege Escalation – Unquoted Services", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43740, "plain_text": "Windows Privilege Escalation – Unquoted Services\r\nBy HackHappy\r\nPublished: 2018-04-24 · Archived: 2026-04-05 18:13:45 UTC\r\nSo, you’ve popped a user shell on a windows box and now you’re looking to escalate those privileges. Great! In\r\nthis article we’ll look at one method of elevating your privileges by exploiting unquoted system services.\r\nA Windows service is a program that runs in the background similar to a *nix daemon. Often they are\r\nautomatically started when Windows loads but they can also be started manually by a user or by other software.\r\nWhen installing a Windows service a registry key is created\r\nat HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservices for the service along with several values. One of\r\nthose values is the ImagePath value seen in this image and is used to specify the location of the service\r\nexecutable.\r\nIn this image you can see the file path is not surrounded by quotes and becomes a candidate for escalating our\r\nprivileges. When a Windows service is started the CreateProcess function is used to start the service executable. If\r\nthe ImagePath value is not surrounded by quotes the CreateProcess function must try to interpret the correct path\r\nto the service executable. For example, if the ImagePath value contained c:program filessub dirprogram\r\nname then the function would attempt to execute the following:\r\nc:program.exe filessub dirprogram name\r\nc:program filessub.exe dirprogram name\r\nc:program filessub dirprogram.exe name\r\nc:program filessub dirprogram name.exe\r\nIf any of these directories have weak permissions this allows us to place a malicious executable that Windows will\r\nrun as SYSTEM allowing us to escalate our privileges. Now that we know how to take advantage of unquoted\r\nservices let’s look at how to find them. You could simply look through the registry checking each service but that\r\nwould take some time. An easier method is to query WMI and retrieve all services and then filter the results. This\r\ncan be accomplished by (Read more...)\r\nSource: https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/\r\nhttps://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/" ], "report_names": [ "windows-privilege-escalation-unquoted-services" ], "threat_actors": [], "ts_created_at": 1775434609, "ts_updated_at": 1775960465, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/344af2950ec30d6dc57cc1a717f92e90e8ee8968.pdf", "text": "https://archive.orkl.eu/344af2950ec30d6dc57cc1a717f92e90e8ee8968.txt", "img": "https://archive.orkl.eu/344af2950ec30d6dc57cc1a717f92e90e8ee8968.jpg" } }