Unquoted Service Paths – Windows Privilege Escalation
In simple terms, when a service is created whose executable path contains spaces and isn't enclosed in quotes, the result is a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is).
Manual Checks
Check service without quotes:
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
# or via PowerShell
Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName
Check File or Directory Permissions:
icacls C:\
icacls "C:\Program Files\Some Vuln Service"
# or using SysInternals AccessChk
.\accesschk64.exe -wvud "C:\" -accepteula
.\accesschk64.exe -wvud "C:\Program Files\Some Vuln Service" -accepteula
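The one-liners above list every unquoted path outside C:\Windows, including paths that contain no space in the executable portion. The following audit helper is an added example, not code from the original page: it keeps only the entries where the executable portion itself contains a space, lists the directories to review with icacls, and prints the quoted form to use when correcting the service configuration. The function name and the sample paths are hypothetical and constructed for illustration.

```powershell
# Added example: classify service PathName values for an unquoted-path audit.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    # A quoted image path has an unambiguous executable boundary.
    if ($p.StartsWith('"')) { return }

    # Executable portion = text up to the first executable-style extension; the rest is arguments.
    $m = [regex]::Match($p, '^(?<exe>.+?\.(exe|com|bat|cmd|sys))(?=\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups['exe'].Value } else { $p }

    # No space in the executable portion: nothing ambiguous to resolve.
    if ($exe -notmatch '\s') { return }

    # Every space yields a shorter candidate that is tried before the full path.
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }

    # Directories whose ACLs should be reviewed: the parent of each candidate,
    # plus the service's own folder (the page checks that one as well).
    $dirs = @($candidates | ForEach-Object { Split-Path -Parent $_ }) +
            (Split-Path -Parent $exe) | Select-Object -Unique

    [pscustomobject]@{
        Executable     = $exe
        CandidatePaths = $candidates
        ReviewDirs     = $dirs
        QuotedPathName = '"{0}"{1}' -f $exe, $p.Substring($exe.Length)
    }
}

# Constructed sample values; on a live host pipe in
# (Get-CimInstance Win32_Service).PathName instead.
$samples = @(
    'C:\Program Files\Some Vuln Service\service.exe -k run',   # reported
    '"C:\Program Files\Quoted Service\service.exe" -k run',    # quoted, skipped
    'C:\Tools\agent.exe --config C:\Tools\agent conf.json'     # space only in arguments, skipped
)
$samples | ForEach-Object { Test-UnquotedServicePath -PathName $_ } | Format-List
```

Each directory under ReviewDirs can then be passed to the icacls or AccessChk commands shown above.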