Or via registry (if direct sc fails):
: Vulnerable because files inherited parent directory permissions, allowing the substitution of nssm.exe .
This public link is valid for 7 days and shares a thread, including any personal information you added. This link or copies made by others cannot be deleted. If you share with third parties, their policies apply. Can’t copy the link right now. Try again later. nssm-2.24 privilege escalation
The user has permissions to modify the registry keys associated with the NSSM service. How the Escalation Works
When a Windows service is created, its executable path should be surrounded by quotation marks if it contains spaces. Without quotes, Windows parses the path ambiguously. Or via registry (if direct sc fails): :
A key issue with NSSM 2.24 is its reliance on configuration files (often stored in the registry) and the potential for misconfigured permissions on the service wrapper itself. While NSSM is designed to handle services, it doesn't automatically secure the paths of the applications it launches.
Ensure you are using the latest version of the utility, though the underlying issue is often a configuration error. If you share with third parties, their policies apply
: If the path to nssm.exe contains spaces and is not enclosed in quotes (e.g., C:\Program Files\App\nssm.exe ), Windows may attempt to execute files at every "space" in the path. An attacker can place a file like C:\Program.exe to intercept the service start and gain SYSTEM access.
References and further reading
: The tool should automatically enforce quoted service paths in the Windows registry to prevent "Unquoted Service Path" exploits, where Windows might execute a malicious binary with a similar name in a parent folder.