An unquoted service path is a Windows misconfiguration where a service’s executable path contains spaces but is not wrapped in quotes. Windows then tries to run several interpretations of the path in order (treating each space as a possible break), and if an attacker can write an executable at one of those earlier locations, the service runs their program instead, usually as SYSTEM. It is a long-standing, easy-to-find escalation that depends on a writable directory along the path.
What an unquoted service path is
A Windows service has an image path to its executable. If that path has spaces and is not quoted, for example C:\Program Files\My App\service.exe, Windows resolves it ambiguously: it tries C:\Program.exe, then C:\Program Files\My.exe, then the real one, in that order.
Normally the earlier candidates do not exist, so the real binary runs. The vulnerability appears when an attacker can create one of those earlier executables in a writable directory along the path.
The abuse and payload
The attacker finds an unquoted path with a writable segment, plants an executable, and restarts the service:
- Find unquoted paths:
  wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Check a writable directory along the path (for example C:\Program Files\My App\ or C:\).
- Place a malicious executable named to match the early break, for example C:\Program Files\My.exe.
- Restart the service (or wait for a reboot): sc stop <svc> & sc start <svc>. Windows runs the planted binary as the service account, often SYSTEM.
Documented technique shown for defenders.
How to defend
- Quote every service image path that contains spaces (the simplest fix).
- Audit services for unquoted paths with the wmic query above and correct them.
- Remove write access from directories along service paths, especially C:\ and C:\Program Files subfolders.
- Run services with least privilege so a hijack yields less.
- Monitor for new executables appearing in program directories.
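
The audit and quoting steps above, as an added example that is not part of the original page: Python that takes exported service name and image path pairs, flags unquoted paths containing spaces, lists the resolution order described earlier, and reports which directories need their write permissions reviewed along with the quoted form of the path. The service list is constructed sample data, the function names are hypothetical, and treating the first ".exe" as the end of the executable is a simplifying assumption.

```python
import re

# Constructed sample (service name, ImagePath) pairs; not taken from a real host.
SAMPLE_SERVICES = [
    ("MyAppSvc", r"C:\Program Files\My App\service.exe"),
    ("QuotedSvc", r'"C:\Program Files\My App\service.exe" -k run'),
    ("NoSpaceSvc", r"C:\Tools\agent.exe --daemon"),
    ("ArgsSvc", r"C:\Program Files\Vendor\svc.exe /run now"),
]

# Assumption: in an unquoted ImagePath the executable ends at the first
# ".exe" followed by whitespace or end of string; the rest is arguments.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return (executable path, was_quoted) for a service ImagePath."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end != -1 else p[1:]), True
    m = _EXE_END.search(p)
    return (p[:m.end()] if m else p), False


def resolution_candidates(exe_path):
    """Paths tried in order for an unquoted path: one per space, then the real one."""
    early = [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]
    return early + [exe_path]


def audit(services):
    """Report unquoted paths with spaces, the directories to review, and the fix."""
    findings = []
    for name, image_path in services:
        exe, quoted = executable_part(image_path)
        if quoted or " " not in exe:
            continue  # quoted, or no space to misinterpret
        cands = resolution_candidates(exe)
        # Parent directory of each earlier candidate: write access here matters.
        dirs = sorted({c.rsplit("\\", 1)[0] + "\\" for c in cands[:-1]})
        args = image_path.strip()[len(exe):]
        findings.append({"service": name, "candidates": cands,
                         "review_dirs": dirs, "quoted_path": f'"{exe}"{args}'})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f["service"], f["review_dirs"], f["quoted_path"])
```

Each finding's review_dirs is where write permissions should be checked, and quoted_path is the value the service's image path should be changed to.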