Overview

The Modifiable Service Registry Keys check identifies Windows services whose registry key under HKLM:\SYSTEM\CurrentControlSet\Services\ has weak permissions. A user who can modify a service's registry key can change the service configuration, including the executable path, and thereby escalate privileges.

How It Works

SharpUp enumerates all services and checks registry permissions:
  1. Get list of all services
  2. For each service, check HKLM:\SYSTEM\CurrentControlSet\Services\[ServiceName]
  3. Evaluate if current user has write permissions to the key
  4. Report vulnerable services with their state and startup mode
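
The same four steps can be run as a defensive audit. The PowerShell below is an added example, not SharpUp's code: instead of testing the current user, it reports every Allow entry that gives write-type rights on a service key to a principal outside a trusted set. The trusted SID list and the choice of rights are assumptions to adjust for your environment.

```powershell
# Added example, not SharpUp's code. Run elevated so every key's ACL is readable.
# Assumption: only these principals should hold write access to service keys.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that let a principal change values or subkeys, delete the key, or rewrite
# its ACL or owner. WriteKey is not used as a mask: it also contains ReadPermissions.
$rights      = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask   = [int]$rights -bor 0x10000000 -bor 0x40000000   # plus GENERIC_ALL, GENERIC_WRITE
$sidType     = [System.Security.Principal.SecurityIdentifier]
$ntType      = [System.Security.Principal.NTAccount]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    try   { $acl = Get-Acl -LiteralPath $keyPath -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL for $keyPath"; continue }

    # Ask for SIDs so the comparison does not depend on localized account names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow')                     { continue }
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0)  { continue }  # applies to subkeys only
        if ($trusted -contains $ace.IdentityReference.Value)        { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0)      { continue }

        # Show a readable account name where the SID resolves, otherwise the raw SID.
        $principal = $ace.IdentityReference.Value
        try { $principal = $ace.IdentityReference.Translate($ntType).Value } catch { }

        [pscustomobject]@{
            Service   = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Principal = $principal
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object Service | Format-Table -AutoSize
```

An empty result means no service key grants write-type access outside the trusted set. Entries marked Inherited have to be corrected on the parent key rather than on the service key itself.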

Example Output

=== Services with Modifiable Registry Keys ===
    Service 'VulnSvc' (State: Running, StartMode: Automatic) : SYSTEM\CurrentControlSet\Services\VulnSvc

Exploitation

# Modify service ImagePath to run malicious executable
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\VulnSvc" `
    -Name "ImagePath" `
    -Value "C:\temp\malicious.exe"

# Restart service
Restart-Service -Name VulnSvc

Remediation

Fix Registry Permissions

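$serviceName = "VulnSvc"
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

$acl = Get-Acl $keyPath

# Remove explicit Allow entries that give write-type access to anyone other than
# SYSTEM, Administrators or TrustedInstaller. FullControl, ChangePermissions and
# TakeOwnership are matched too, since each of them permits changing the key.
# Inherited entries cannot be removed here; they must be fixed on the parent key.
$acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq "Allow" -and
    $_.IdentityReference -notmatch "SYSTEM|Administrators|TrustedInstaller" -and
    $_.RegistryRights -match "FullControl|WriteKey|SetValue|CreateSubKey|ChangePermissions|TakeOwnership"
} | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

Set-Acl $keyPath $acl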