Weak Registry Permission

The Windows Registry is a system-defined hierarchical database in which applications and system components store and retrieve configuration data. It contains data critical to the operation of Windows and all services running on it.

Registry Editor allows you to:
→ Locate a subtree, key, subkey, or value
→ Add or delete a subkey or value
→ Change or rename a subkey or value

Data is structured in a tree format. Each node is called a key. Each key can contain both subkeys and data entries called values.

A hive is a logical group of keys, subkeys, and values that has a set of supporting files loaded into memory when the OS starts or a user logs in. Each new user login creates a new hive under HKEY_USERS. Supporting files are stored in %SystemRoot%\System32\Config.

By hijacking Registry entries used by services, attackers can run malicious payloads. Attackers exploit weaknesses in registry permissions to divert the service's ImagePath from the legitimate executable to one they control — executing their payload with the service's privilege level (often NT AUTHORITY\SYSTEM) upon service start or restart.

Run CMD as Administrator and execute the command below to create a service named Pentest pointing to a binary in C:\temp.

Download SubinACL (a Microsoft command-line tool for managing security permissions on files, folders, registry keys, services, etc.). Then grant PTO permissions (pause/continue, start, stop) to the target user against the Pentest service — making its registry key modifiable by a low-privilege user.

Windows stores local service configuration in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.

Navigate to HKLM\SYSTEM\CurrentControlSet\Services\pentest → Right-click → Permissions → Select Authenticated Users → Enable Full Control → Apply & OK.

This grants any authenticated user on the machine the ability to modify the service's registry key — including its ImagePath.

After gaining an initial foothold, set up a listener on the attacker machine, then use accesschk.exe to query service registry key permissions for authenticated users. A result of KEY_ALL_ACCESS on a service registry key confirms the vulnerability.

Look for entries showing RW or KEY_ALL_ACCESS — this confirms the authenticated user has full write access to that service's registry key. The Pentest service will appear with this access level.

Use PowerShell to check the Access Control List (ACL) on the service registry key. Confirm the current user has Full Control.

The output should show: NT AUTHORITY\Authenticated Users Allow FullControl — confirming the vulnerability. Note the current ImagePath value (e.g. C:\temp\service.exe).

WinPEAS is an automated post-exploitation enumeration script. It detects weak service registry permissions automatically and highlights them in the output. Look for entries under the "Check if you can modify any service registry" section:

HKLM\system\currentcontrolset\services\pentest (Authenticated Users [FullControl])

On the attacker machine, use msfvenom to generate a reverse shell payload, then serve it via a Python HTTP server so the victim machine can download it.

On the victim machine, download the shell, then modify the service's ImagePath registry value to point to the malicious executable. When the service starts, it will execute the payload instead of the legitimate binary.

On the attacker machine, start a listener on port 8888. As soon as the service starts, the reverse connection comes in and whoami confirms NT AUTHORITY\SYSTEM.