# Unquoted Service Path

### Overview

**Unquoted Service Path** is a Windows local privilege escalation technique. It applies when:

* The service runs with **high privileges** (usually `LocalSystem`)
* Its **binary path contains spaces**
* The binary path is **not enclosed in quotes**
* A **low-privileged user can write to one of the parent directories**

When the service starts, Windows may execute a **malicious executable placed earlier in the path**, leading to **SYSTEM-level code execution**.

### Why This Works

If a service is configured as `C:\Program Files\Vulnerable App\Service.exe` **without quotes**, Windows tries the following paths in order:

1. `C:\Program.exe`
2. `C:\Program Files\Vulnerable.exe`
3. `C:\Program Files\Vulnerable App\Service.exe`

If an attacker can place a malicious executable at **any earlier step**, it gets executed **as the service account**.
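The lookup order above can be turned into an audit check. The following is an added example, not code from the original page: it lists the paths Windows would try for an unquoted `ImagePath` and the directories whose ACLs need review. The function names and the sample service rows are constructed, and cutting the executable at the first `.exe` is a heuristic assumption.

```python
import ntpath
import re

# Constructed sample rows (service name, ImagePath, account); not real hosts.
SAMPLE_SERVICES = [
    ("VulnSvc", r"C:\Program Files\Vulnerable App\Service.exe", "LocalSystem"),
    ("QuotedSvc", r'"C:\Program Files\Good App\svc.exe" -run', "LocalSystem"),
    ("NetSvc", r"C:\Windows\system32\svchost.exe -k netsvcs", "LocalSystem"),
]


def candidate_paths(image_path):
    """Executables Windows tries, in order, for an unquoted ImagePath.

    Returns [] for a quoted path, where the executable is unambiguous.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Assumption: the executable ends at the first ".exe" followed by
    # whitespace or end of string; anything after it is arguments.
    m = re.search(r"\.exe(?=\s|$)", path, re.IGNORECASE)
    exe = path[: m.end()] if m else path
    # Each run of whitespace is a point where the name may be cut short.
    early = [exe[: s.start()] + ".exe" for s in re.finditer(r"\s+", exe)]
    return early + [exe]


def audit(services):
    """Flag services whose unquoted path has earlier candidates."""
    findings = []
    for name, image_path, account in services:
        early = candidate_paths(image_path)[:-1]  # drop the intended binary
        if not early:
            continue
        dirs = sorted({ntpath.dirname(c) for c in early},
                      key=lambda d: (len(d), d))
        findings.append({"service": name, "account": account,
                         "early_candidates": early, "dirs_to_review": dirs})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f["service"], f["account"])
        for c in f["early_candidates"]:
            print("  tried before the real binary:", c)
        print("  review ACLs on:", ", ".join(f["dirs_to_review"]))
```

Quoting the service's `ImagePath` removes the ambiguity, so a quoted service produces no finding here.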

### Prerequisites

1. Unquoted Path With Spaces
2. Service Runs as High Privilege
3. Writable Directory in the Path
4. Ability to Start or Restart the Service

{% hint style="info" %}
Command to list services outside the Windows directory: `wmic service get name,pathname,startmode | findstr /i /v "C:\Windows"`
{% endhint %}

### Steps

1. Confirm the Unquoted path:

   ```cmd
   sc qc <serviceName>
   ```
2. Find writable directories by checking the permissions of each path segment.

   ```cmd
   REM Check for "FILE_ALL_ACCESS"
   REM (no trailing backslash: \" would escape the closing quote)
   accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service"

   REM Check for WD/AD permissions (create files/subdirectories)
   icacls "C:\Program Files\Unquoted Path Service"
   ```
3. Choose the **earliest writable location** and place the malicious executable (reverse shell) there. \
   E.g. `Unquoted.exe`
4. Trigger execution:

   ```cmd
   sc stop <serviceName>
   sc start <serviceName>
   ```

