Weak service permissions are a Windows misconfiguration where a low-privileged user can modify a service they should not, by changing its binary path (SERVICE_CHANGE_CONFIG), by replacing the service executable (a writable binary), or by controlling its registry key. Because most services run as SYSTEM, the attacker repoints the service at their own command and restarts it to get SYSTEM. It is found by checking service ACLs and binary permissions with tools like accesschk.
What weak service permissions are
A Windows service has both a configuration (including the executable path and the account it runs as) and an executable file on disk. Both are protected by permissions.
The misconfiguration is when a non-admin user has dangerous rights over a service:
- SERVICE_CHANGE_CONFIG / SERVICE_ALL_ACCESS: the user can change the service’s binary path.
- A writable service executable: the user can overwrite the .exe the service runs.
- Write access to the service’s registry key: the user can alter how it starts.
Since services usually run as SYSTEM, any of these lets the user run code as SYSTEM.
The abuse and payload
The attacker enumerates service permissions, then repoints or replaces the service:
- Check permissions:
  accesschk.exe -uwcqv <user> * (lists services the user can modify) or sc qc <svc>.
- Reconfigure the binary path if allowed:
  sc config <svc> binPath= "cmd /c net localgroup administrators hacker /add", then sc stop <svc> & sc start <svc>.
- Replace a writable service executable with a malicious one and restart the service.
The command runs as the service account, usually SYSTEM. These are documented techniques, listed here for defenders.
How to defend
- Restrict service permissions so non-admin users cannot change configuration (no SERVICE_CHANGE_CONFIG for standard users).
- Protect service executables so only admins can write them.
- Lock down service registry keys against non-admin writes.
- Run services with least privilege rather than SYSTEM where possible.
- Audit with accesschk-style tooling and monitor for service-config changes.
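As an added example (not code from the original page), the PowerShell audit below checks the three conditions above on a host: the service DACL via sc.exe sdshow (the DC token is SERVICE_CHANGE_CONFIG), the binary's file ACL, and the service registry key's ACL. The list of low-privileged principals, the write-right patterns and the flagged SDDL tokens are assumptions to tune for the environment; run it elevated.

```powershell
# Added audit script, not from the original page. Flags services that a low-privileged
# principal could hijack: SERVICE_CHANGE_CONFIG on the service DACL ('DC' in sc.exe sdshow
# output), a writable service binary, or a writable service registry key. Run elevated.
$LowPriv     = @('Everyone','BUILTIN\Users','NT AUTHORITY\Authenticated Users','NT AUTHORITY\INTERACTIVE')
$LowPrivSddl = @('WD','BU','AU','IU')   # assumed set: same principals as SDDL trustee abbreviations
$FileWrite   = 'FullControl|Modify|\bWrite\b|WriteData|AppendData|TakeOwnership|ChangePermissions'
$RegWrite    = 'FullControl|SetValue|CreateSubKey|WriteKey|TakeOwnership|ChangePermissions'

function Test-WeakAcl {
    # $true when a low-privileged principal holds an Allow ACE whose rights match $WritePattern
    param($Acl, [string]$WritePattern)
    foreach ($r in $Acl.Access) {
        if ($r.AccessControlType -ne 'Allow' -or $LowPriv -notcontains $r.IdentityReference.Value) { continue }
        $rights = if ($r -is [System.Security.AccessControl.FileSystemAccessRule]) { "$($r.FileSystemRights)" } else { "$($r.RegistryRights)" }
        if ($rights -match $WritePattern) { return $true }
    }
    return $false
}

function Test-WeakServiceDacl {
    # Parses 'sc.exe sdshow' SDDL; $true if a low-privileged trustee gets DC (change config),
    # WD/WO (rewrite DACL / take ownership) or generic all/write. Rights are two-letter tokens,
    # so split into pairs rather than substring-matching ('SDCC' would otherwise look like 'DC').
    param([string]$ServiceName)
    $sddl = (& sc.exe sdshow $ServiceName | Out-String)
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        if ($LowPrivSddl -notcontains $m.Groups[2].Value) { continue }
        $tokens = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        if ($tokens | Where-Object { $_ -in 'DC','WD','WO','GA','GW' }) { return $true }
    }
    return $false
}

function Find-WeakServices {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $issues = @()
        if (Test-WeakServiceDacl $svc.Name) { $issues += 'SERVICE_CHANGE_CONFIG for low-priv principal' }
        # first token ending in .exe, quoted or not (quoted paths containing spaces are handled)
        if ($svc.PathName -match '^\s*"?([^"]*?\.exe)') {
            $exe = $Matches[1]
            if ((Test-Path -LiteralPath $exe) -and (Test-WeakAcl (Get-Acl -LiteralPath $exe) $FileWrite)) { $issues += "writable binary: $exe" }
        }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if ((Test-Path $key) -and (Test-WeakAcl (Get-Acl $key) $RegWrite)) { $issues += 'writable registry key' }
        if ($issues) { [pscustomobject]@{ Service=$svc.Name; RunsAs=$svc.StartName; Issues=($issues -join '; ') } }
    }
}

Find-WeakServices | Format-Table -AutoSize
```

Each row is a service to remediate per the list above; generic rights that show up as numeric values in the ACL are not matched by the patterns, so review any service running as SYSTEM with a numeric Allow entry by hand.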