Configuration Management / Unquoted Service Path
Description
An unquoted service path vulnerability occurs when a Windows service executable path contains spaces and is not enclosed in quotation marks. When Windows attempts to start such a service, it parses the path ambiguously, checking for executables at each space in the path. For example, a path like C:\Program Files\My App\service.exe causes Windows to sequentially attempt executing C:\Program.exe, then C:\Program Files\My.exe, before reaching the intended executable.
Risk
An attacker with write access to any of the intermediate directories can place a malicious executable at one of the parsed locations. When the vulnerable service restarts, Windows executes the attacker's binary instead of the legitimate service, typically with the elevated privileges of the service account (often SYSTEM). This enables privilege escalation, persistence, and full system compromise.
Solution
Enclose all service executable paths in quotation marks. Audit existing services using tools like PowerShell (Get-WmiObject Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' }) or dedicated vulnerability scanners. Remediate by editing the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName> so that the executable path is wrapped in quotes. Additionally, restrict write permissions on directories within the system PATH and Program Files hierarchy.
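The one-liner above also matches services whose only space is in the arguments (for example svchost.exe -k ...). The following added example, which is not part of the original page, narrows the audit to spaces inside the executable path itself and prints the quoted value to write back. Test-UnquotedServicePath and $samples are hypothetical names, and the code assumes the service binary ends in .exe.

```powershell
# Added example. Test-UnquotedServicePath and $samples are hypothetical names.
function Test-UnquotedServicePath {
    param([string]$PathName)
    $p = $PathName.Trim()
    # A leading quote means the executable boundary is unambiguous.
    if ($p.StartsWith('"')) { return }
    # Shortest prefix ending in .exe is the executable; anything after is arguments.
    if (-not ($p -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$')) { return }
    $exe  = $Matches['exe']
    $rest = $Matches['args']
    # A space that occurs only in the arguments is not this issue.
    if (-not $exe.Contains(' ')) { return }
    # Text before each space plus ".exe" is a location tried before the real binary.
    $probed = @()
    $i = $exe.IndexOf(' ')
    while ($i -ge 0) {
        $probed += $exe.Substring(0, $i) + '.exe'
        $i = $exe.IndexOf(' ', $i + 1)
    }
    [pscustomobject]@{
        Executable  = $exe
        ProbedFirst = $probed -join '; '
        QuotedValue = '"' + $exe + '"' + $rest
    }
}

# Constructed ImagePath samples (not taken from a real host).
$samples = @(
    'C:\Program Files\My App\service.exe -k run',      # unquoted, space in path
    '"C:\Program Files\My App\service.exe" -k run',    # already quoted
    'C:\Windows\system32\svchost.exe -k netsvcs'       # space only in arguments
)
$samples | ForEach-Object { Test-UnquotedServicePath $_ } | Format-List

# Live audit on the local host: service name, account, and the corrected value.
Get-CimInstance Win32_Service | ForEach-Object {
    $r = Test-UnquotedServicePath $_.PathName
    if ($r) {
        $r | Add-Member -NotePropertyName Name -NotePropertyValue $_.Name
        $r | Add-Member -NotePropertyName StartName -NotePropertyValue $_.StartName -PassThru
    }
} | Format-List Name, StartName, Executable, ProbedFirst, QuotedValue
```

The ProbedFirst column names the locations whose parent directories should have their write permissions reviewed as part of the remediation.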