Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
How to fix unquoted service paths

In episode #341 of the 7 Minute Security podcast I talked about how to identify - and remediate - the unquoted service path vulnerabilities you might see pop up on a vulnerability scan. Here's the breakdown of resources that will help you understand and fix this pesky vuln:

  • Here's a great article describing unquoted service paths and why they're a risk to your enterprise.

  • If you want to create a fake service with unquoted service paths so you can then test fixing it, check out this gist which has you run something like the following:

New-Service -Name 'TotesFakeService' -BinaryPathName 'C:\program files\system32\something.exe' -DisplayName 'Totes Fake Dude' -StartupType Manual
  • Download this script and import it into your machine, then run Fix-ServicePath to seek out and destroy (er, fix) any unquoted service paths on your machine.

  • To really bury the hatchet, reboot your machine and ensure all service start up cleanly, and you could even rescan it with Nessus/Qualys/etc. to make sure unquoted service path (Nessus plugin ID 63155) doesn't show up anymore. Or, for a quicker command line check, run this:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

The results should be "empty" if all service paths are properly quoted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment