All Collections
Remediations
Microsoft Windows Unquoted Service Path Enumeration Vulnerability
Microsoft Windows Unquoted Service Path Enumeration Vulnerability
Saagar Shah avatar
Written by Saagar Shah
Updated over a week ago

The Unquoted Service Path Enumeration when detected with a vulnerability scanner will report it as a CVSS 7.8 (v3).

CVSS:

CVSS is a scoring system for vulnerability systems, it's an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:

Unquoted Service Path Enumeration Vulnerability Information

Unquoted service path vulnerabilities are rated as a highly critical vulnerabilities in windows.

If you have the vulnerability scan report with you, the report contains the following information about this reported vulnerability:

Vulnerability Name: Microsoft Windows Unquoted Service Path Enumeration

Vulnerability Synopsis: The remote Windows host has at least one service installed that uses an unquoted service path.

Vulnerability Description: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service. Note that this is a generic test that will flag any application affected by the described vulnerability.

Vulnerability Solution: Ensure that any services that contain a space in the path enclose the path in quotes.

Remediation

There are two stages to fix these vulnerabilities, 1. finding the unquoted path on the affected server and 2. Fixing the unquoted paths.

1: How to find the unquoted service paths

Login to the affected server with administrative privileges > run CMD as Administrator > run the following command:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Once the command is executed successfully, you will be able to see one or more unquoted service paths. The result may look like the below reference screenshot:

Copy all the results to a text or excel file and move to step 2.

2: Fixing unquoted service path vulnerabilities

Search for the unquoted registry entry of the affected service under HKLM\System\CurrentControlSet\Services registry path > Double Click the Image Path key > fix comma like “servicepath” at the beginning and end of the path

Examples:

Unquoted service path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Quoted service path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

The correct quoted service path image reference:

Did this answer your question?