Alert icon Keyboard navigation enabled.
Alert icon TAB or Shift+TAB to navigate across. Down ↓ to open menu. ESC to close menu.
Alert icon Down ↓ to select section. Right → to activate. Up ↑ / Down ↓ / Tab to traverse all. ESC to exit.
BeyondTrust
Skip to content Use space or enter to skip.

What can we help you find today?

Instant Results
  • Website Results
  • Technical Documentation

Filter Options

Focus your search

Filtering by

Your recent searches:

Contact Us Chat with Sales Get Support
  • English
  • Deutsch
  • français
  • español
  • 한국어
  • português
  • Home
  • Resources
  • Blog
  • Path of enlightenment part 1 current page
Link copied

Path of enlightenment part 1

Oct 20, 2017
Author:
John Goodridge
Blog banner default
Path of enlightenment part 1
John Goodridge

A potential privilege escalation around unquoted service paths has been around for over fifteen years now, but it still continues to catch people out.

The vulnerability takes advantage of the way Windows parses directory paths to execute programs. Let's look at the following command line:-

C:\Program Files\Octave Corp\LicenseMgr.exe /verify

Any spaces in paths can be considered as a delimiter between the application, LicenseMgr.exe and the argument, /verify. But when the path also contains spaces in folder names, like Program Files, then Windows has to try and work out if you want to run:-

C:\Program.exe Files\Octave Corp\LicenseMgr.exe /verify

or maybe?

C:\Program Files\Octave.exe Corp\LicenseMgr.exe /verify

or perhaps?

C:\Program Files\Octave Corp\LicenseMgr.exe /verify

So how does Windows know what you are trying to do? The answer is it doesn't! Windows instead tries to find the first program in the path that matches and executes it.

Fortunately the humble quotation mark (quote) comes to the rescue! By surrounding parts of the path in quotes, it tells Windows to treat anything within pairs of quotes as a single argument. If we add quotes to the previous example:-

"C:\Program Files\Octave Corp\LicenseMgr.exe" /verify

Windows now understands the command line and will execute the desired program.

On Windows, Services are background processes that can run when Windows starts and often run under a highly privileged account, with the all-powerful SYSTEM security right. Each service specifies the path to the program to run and if the path is not quoted then a nefarious actor could gain privilege escalation by inserting a program at an appropriate location on the vulnerable path.

All vendors that install services on a machine should be aware of the vulnerability and so quote the service path. But you can run this little command line just to check that this is the case :-)

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Now as I said, vendors that install services should ensure their services are not vulnerable by quoting the service path and Microsoft even provides a script to fix vulnerable services.

Here are my recommendations to help mitigate privilege escalation of services.

For software vendors:

  • ALWAYS quote paths for services
  • AVOID installing services in folders that users have full access to
  • DO NOT weaken the default security that Windows has put in place.

For businesses:

  • Ensure all users run as a standard user. The benefits of this include:-
    • Malware running as a standard user cannot drop programs in folders like C:\Program Files or the Windows system folder
    • Services cannot be created that use SYSTEM or other privileged accounts
  • Perform a security audit of services on machines to check for vulnerable paths
  • If you have an application allow listing solution, ensure trusted owner and publisher is being employed.
Latest Posts
  • The Most Common & Most Dangerous Types of Shadow IT
    Jun 5, 2026 The Most Common & Most Dangerous Types of Shadow IT
    Blog
    19m
  • 14 Password Management Best Practices
    May 28, 2026 14 Password Management Best Practices
    Blog
    12m
  • A Security Researcher’s Guide to Understanding Copilot Studio AI Agents
    May 26, 2026 A Security Researcher’s Guide to Understanding Copilot Studio AI Agents
    Blog
    3m
  • How to Secure Cloud-Native Infrastructure at Scale and Speed: A Conversation with Madhu Adireddi
    May 21, 2026 How to Secure Cloud-Native Infrastructure at Scale and Speed: A Conversation with Madhu Adireddi
    Blog
    5m
  • Cybersecurity as a Boardroom Priority for Major African TelCos
    May 12, 2026 Cybersecurity as a Boardroom Priority for Major African TelCos
    Blog
    8m
Related
  • Desktop Misadventures
    Oct 20, 2017 Desktop Misadventures
    Blog
    1m
  • BeyondTrust Women in Security Series – A Year in Review (2021)
    Jan 4, 2022 BeyondTrust Women in Security Series – A Year in Review (2021)
    Blog
    1m
Share this Article
  • Link
Stay up to Date
Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

Keep up with BeyondTrust

Customer Support Get Started
  • LinkedIn
  • X
  • Facebook
  • Instagram
  • Add BeyondTrust as a preferred source on Google
  • Privacy
  • Security
  • Manage Cookies
  • Do Not Sell My Data
  • WEEE Compliance

Copyright © 2003 — 2026 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

Prefers reduced motion setting detected. Animations will now be reduced as a result.