Windows Privilege Escalation - Unquoted Service Path


Practicing my Windows privilege escalation techniques before the exam, I thought I would document them since I still have access to my Windows lab machine.

Unquoted Service Path — Explained

In Windows environments, when a service is started, the system has to locate the service's executable in order to launch it.

If the path to the executable is enclosed in quotation marks (“”), the system knows exactly where to find it.

However, if the path to the application binary is not quoted and contains spaces, Windows treats each space as a possible end of the file name. It tries to find and execute a matching executable at each folder level of the path, in order, until it reaches the real executable.

This can be abused to elevate privileges if the service runs with SYSTEM privileges.

Attack Method

The command below lists the auto-start services on the compromised machine whose path is outside C:\Windows\ and contains no quotes.

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
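The findstr filter above also lists unquoted paths that contain no spaces at all, or spaces only in the arguments, and those are not affected. As an added example (not part of the original post), this Python audit takes exported name/PathName pairs, keeps only services whose executable path is unquoted and contains a space, and lists the file names Windows would try before the real binary, following the search order documented for CreateProcess. The sample rows and function names are constructed for illustration.

```python
import re

# Constructed sample rows (service name, PathName); not taken from the page.
SAMPLE_SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Vendor App\svc.exe" -run'),
    ("BadSvc", r'C:\Program Files\Vendor App\Sub Dir\svc.exe -run'),
    ("NoSpaceSvc", r'C:\Tools\agent.exe --config C:\Tools\my conf.ini'),
    ("WinSvc", r'C:\Windows\system32\svchost.exe -k netsvcs'),
]

def image_path(pathname):
    """Executable part of an unquoted PathName, or None if the path is quoted."""
    p = pathname.strip()
    if p.startswith('"'):
        return None
    # Cut at the first ".exe" followed by whitespace or end of string,
    # so spaces that only appear in the arguments are ignored.
    m = re.match(r'(?i)(.+?\.exe)(?=\s|$)', p)
    return m.group(1) if m else p  # no .exe found: keep the whole string (conservative)

def search_order(image):
    """Names tried in order: each space-delimited prefix + .exe, then the full path."""
    parts = image.split(" ")
    tries = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    return tries + [image]

def audit(services):
    """Map each affected service to the file names that would be tried before its binary."""
    findings = {}
    for name, pathname in services:
        image = image_path(pathname)
        if image and " " in image:
            findings[name] = search_order(image)[:-1]
    return findings

if __name__ == "__main__":
    for svc, names in audit(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path with spaces; verify these do not exist "
              "and that their folders are not writable by standard users:")
        for n in names:
            print("   ", n)
```

The fix for each reported service is to enclose the executable path in quotes in the service configuration.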

Click on this link for an Unquoted Service Path Privilege escalation demonstration