A Windows service is like a background application that keeps running on your computer for a long time. Each service has a specific location on your computer where its executable file is stored. Sometimes, these service paths can include optional parameters and switches that modify how the service behaves.
To make sure Windows understands the service command line correctly, it uses spaces to separate the executable file path from the parameters and switches. If the path contains spaces, it is enclosed in quotation marks to avoid any confusion. For example, if a service has the path “C:\Program Files\Program\File.exe”, Windows knows to treat the entire path as a single entity.
When a service path that contains spaces is not quoted, for example C:\Program Files\Test 1\Service.exe, Windows follows a specific order to locate the executable file, treating each space as a possible end of the path. It first tries to find “C:\Program.exe”, then “C:\Program Files\Test.exe”, and finally “C:\Program Files\Test 1\Service.exe”. Windows runs the first candidate that exists, which is normally the intended file.
By default, Windows takes care of properly quoting the service paths to avoid any issues. This means that most service paths you encounter will already be correctly enclosed in quotation marks.
When new software is installed, it may set up services on your computer using insecure absolute unquoted paths to executable files. This can create a vulnerability that attackers can exploit. They could potentially place a malicious binary in the file system at a location that lies along the executable file path of the affected service. By doing so, they could gain elevated privileges on your system.
This security issue arises when the service path does not include proper quotation marks to distinguish the executable file from any additional parameters or switches. Without these quotation marks, Windows may interpret parts of the path as separate entities, potentially leading to the execution of unintended files.
Attackers can take advantage of this vulnerability to manipulate the service and introduce their own malicious code. This could enable them to escalate their privileges and gain unauthorized access to sensitive system resources.
To mitigate this risk, it’s important for software developers and system administrators to ensure that services are properly configured with secure paths. This includes using quotation marks around the executable file path to prevent any misinterpretation by the operating system.
You can use the following PowerShell script to check if any services have paths which are not properly quoted:
$unquoted_found = $false
$services = Get-WmiObject -Query 'SELECT * FROM Win32_Service'
foreach ($service in $services) {
    # Match paths that do not start with a quote and contain whitespace before ".exe"
    if ($service.PathName -match '^[^"].+\s.+\.exe') {
        # Parentheses make Write-Host print the concatenated string, not a literal "+"
        Write-Host ("Service Name: " + $service.Name)
        Write-Host ("Display Name: " + $service.DisplayName)
        Write-Host ("Path to Executable: " + $service.PathName)
        Write-Host ""
        $unquoted_found = $true
    }
}
if (!$unquoted_found) {
    Write-Host "No unquoted service paths were found!"
}
In my case I have a service for NO-IP DUC v4.1.1, the service name being NoIPDUCService4.
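For any path the check above flags, the search order described earlier can be listed explicitly. The following is an added example, not part of the original post: it prints the locations Windows tries before the intended binary and whether a file already exists at each of them. The function name Get-UnquotedPathCandidates and the sample command lines are constructed for illustration, and it assumes the service binary ends in .exe.

```powershell
# Added example: list the executables Windows would try, in order, for an
# unquoted service command line. Function name and samples are hypothetical.
function Get-UnquotedPathCandidates {
    param([string]$PathName)

    # A quoted path is taken as a single entity, so there is nothing to enumerate.
    if ($PathName.TrimStart().StartsWith('"')) { return @() }

    # Keep only the executable part; text after the first ".exe" is arguments.
    # (Assumption: the service binary ends in .exe, as in the check above.)
    if ($PathName -match '^(.+?\.exe)(\s|$)') {
        $exePath = $Matches[1]
    } else {
        return @()
    }

    # Each space is a possible end of the path: prefix + ".exe" is tried first.
    $candidates = @()
    $tokens = $exePath -split ' '
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        $prefix = ($tokens[0..$i] -join ' ')
        $candidates += $prefix + '.exe'
    }
    $candidates += $exePath   # the intended binary is tried last
    return $candidates
}

# Constructed sample command lines (not taken from a real system).
$samples = @(
    'C:\Program Files\Test 1\Service.exe',
    'C:\Program Files\Test 1\Service.exe -k run',
    '"C:\Program Files\Test 1\Service.exe"',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($sample in $samples) {
    $candidates = @(Get-UnquotedPathCandidates -PathName $sample)
    Write-Host "Command line: $sample"
    if ($candidates.Count -le 1) { Write-Host '  No ambiguous candidates.'; continue }
    # A file found at any candidate except the last one is an audit finding.
    foreach ($candidate in $candidates[0..($candidates.Count - 2)]) {
        $exists = Test-Path -LiteralPath $candidate -PathType Leaf
        Write-Host "  Tried before the real binary: $candidate (exists: $exists)"
    }
}
```

For the first sample this prints C:\Program.exe and C:\Program Files\Test.exe, the same order given earlier; the quoted sample and the path without spaces produce no candidates.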
To fix the services with such issues, you can use the following PowerShell code:
$regex = '^([^\"].+\s.+\.exe)(.*)'
$services = Get-WmiObject -Query 'SELECT * FROM Win32_Service'
ForEach ($service in $services) {
    If ($service.PathName -Match '^[^\"].+\s.+\.exe') {
        # Wrap the executable path in quotes and keep any trailing arguments
        $ServicePath = $service.PathName -replace $regex, '"$1"$2'
        $RegistryLocation = "HKLM:\SYSTEM\CurrentControlSet\Services\" + $service.Name
        Try {
            # -ErrorAction Stop makes a failed registry write reach the Catch block
            Set-ItemProperty -Path $RegistryLocation -Name "ImagePath" -Value $ServicePath -ErrorAction Stop
            $service.PathName = $ServicePath
        } Catch {
            Write-Error ("Unable to fix the service: " + $service.Name)
        }
    }
}