1. Introduction
The Windows Services Registry ACL vulnerability concerns incorrect permissions on the Registry keys that define Windows services (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<ServiceName>). If a low-privilege principal can write to such a key, a local attacker can change how the service behaves and, because most services run as LocalSystem or another privileged account, gain elevated privileges when the service next starts. Any Windows version can be affected; in practice the problem is usually introduced by third-party installers that grant broad rights to their service key, or by administrators who altered the default permissions. A successful exploit compromises the confidentiality, integrity and availability of the whole system.
2. Technical Explanation
The vulnerability arises from overly permissive Access Control Lists (ACLs) on Registry keys associated with installed services. An attacker with local access does not need to change the ACL; the ACL already allows them to modify the values beneath the key, which control the service's executable, account, start type and other parameters. For example, rewriting the ImagePath value points the service at an attacker-controlled binary that runs with the service's privileges the next time the service starts. This is a configuration weakness rather than a single product flaw, so no single CVE covers it; individual products that ship with weak service key ACLs receive their own CVEs, and the weakness class is tracked as CWE-276: Incorrect Default Permissions. Any Windows version is affected where a service key carries incorrect permissions.
- Root cause: Incorrectly configured ACLs on service registry keys that grant write rights (Set Value, Create Subkey, Full Control, or generic write bits) to standard users or groups such as Users, Authenticated Users or Everyone.
- Exploit mechanism: The attacker modifies values under the service key, typically ImagePath or ObjectName, so that the service launches a malicious executable or runs with a different configuration. This needs no special tooling: regedit, reg.exe, PowerShell Set-ItemProperty, or any program calling RegSetValueEx will do. The change takes effect when the service restarts, so the attacker either waits for a reboot or, if they also hold the right on the service object, restarts it themselves.
- Scope: All versions of Microsoft Windows where a service key carries incorrect permissions.
3. Detection and Assessment
Confirming vulnerability requires checking the ACLs on relevant service registry keys. A quick check involves reviewing common service keys for unexpected user or group permissions. Thorough assessment involves scripting a scan of all service keys.
- Quick checks: Use regedit to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and examine the permissions on individual service subkeys (right-click the key, Permissions). Read access for Users is normal and inherited from the parent key; any entry that gives a non-administrative principal Set Value, Create Subkey or Full Control is the finding.
- Scanning: Nessus plugin ID 16423 can identify overly permissive registry ACLs, but results should be verified manually.
- Logs and evidence: The Security event log records modification of values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services as Event ID 4657 ("A registry value was modified"), but only if the Audit Registry subcategory of Object Access auditing is enabled and the key carries a SACL that audits Set Value. Without both, no event is written, so absence of 4657 events is not evidence that nothing changed.
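The following is an added example, not code from the original page, that carries out the assessment described in this section: it walks every service key, reports ACEs that give a low-privilege principal write rights, and queries the Security log for Event ID 4657 entries touching service keys. It assumes an elevated PowerShell prompt (standard users cannot read every service key) and makes no changes. Principals are matched by well-known SID rather than display name so the check behaves the same on localized Windows builds; the SID list and the write-rights mask are the author's choices and can be extended for a specific environment.

```powershell
# Added example (not from the original page). Read-only: lists ACEs on service
# keys that let low-privilege principals change the key, then pulls matching
# Event ID 4657 records. Run elevated.

# Well-known SIDs a standard interactive user normally carries (assumption: extend
# with domain groups such as Domain Users where relevant).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-32-546',  # BUILTIN\Guests
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-7'        # NT AUTHORITY\ANONYMOUS LOGON
)

# Rights that let the holder retarget or reconfigure the service. GENERIC_WRITE
# (0x40000000) and GENERIC_ALL (0x10000000) catch ACEs written with generic bits,
# for which the RegistryRights enum has no names.
$WriteRights  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
$GenericWrite = 0x40000000 -bor 0x10000000

function Get-AceSid {
    param([System.Security.AccessControl.RegistryAccessRule]$Ace)
    try   { return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Ace.IdentityReference.Value }   # unresolvable identities are already SID strings
}

function Test-GrantsWrite {
    param([System.Security.AccessControl.RegistryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    $bits = [int]$Ace.RegistryRights
    return (($bits -band $WriteRights) -ne 0) -or (($bits -band $GenericWrite) -ne 0)
}

function Find-WeakServiceKeyAcl {
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if (-not (Test-GrantsWrite $ace)) { continue }
            if ($LowPrivSids -notcontains (Get-AceSid $ace)) { continue }
            # ImagePath is what an attacker would retarget; include it to speed triage.
            $image = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = $image
            }
        }
    }
}

# 4657 is written only when Audit Registry is enabled and the key has a SACL that
# audits Set Value. Audited object names use the kernel form
# \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\..., not CurrentControlSet.
function Get-ServiceKeyModificationEvent {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\' } |
        Select-Object TimeCreated,
            @{ n = 'ObjectName'; e = { if ($_.Message -match 'Object Name:\s+(.+)') { $Matches[1].Trim() } } },
            @{ n = 'ValueName';  e = { if ($_.Message -match 'Object Value Name:\s+(.+)') { $Matches[1].Trim() } } }
}

Find-WeakServiceKeyAcl | Sort-Object Service | Format-Table -AutoSize
Get-ServiceKeyModificationEvent | Format-Table -AutoSize
```

Inherited ACEs that appear in the output come from the parent Services key rather than the service itself, so an inherited write grant means the parent key has been weakened and every service is exposed; non-inherited grants point at the individual installer or administrator change that needs fixing.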
Quick PowerShell check of the per-service subkeys (the parent Services key alone says little; the wildcard expands to every service key and each access rule is listed on its own row):

```powershell
Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\*" |
    Select-Object Path, Owner, Group -ExpandProperty Access |
    Format-Table Path, IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

4. Solution / Remediation Steps
Fixing this issue involves correcting the ACLs on service registry keys to restrict access to authorized users and groups. This should be done carefully to avoid disrupting legitimate service operation.
4.1 Preparation
- Dependencies: No specific dependencies, but understand the impact of modifying service configurations. Record the current ACL of every key you intend to change before editing, for example by writing each key's SDDL string (the Sddl property of the Get-Acl result) to a file; a .reg export does not preserve key permissions, so it is not a usable backup for this change. Roll back by re-applying the saved descriptors with Set-Acl or by reverting to a system restore point.
- Change window: A standard change window is recommended for production systems and requires approval from the IT security team.
4.2 Implementation
- Step 1: Identify the affected service keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services using the checks in section 3.
- Step 2: Use regedit or PowerShell to remove the unnecessary permissions from each key. Only SYSTEM and trusted administrators (and, on keys that already carry it, NT SERVICE\TrustedInstaller) should have Full Control; Users normally keep Read, which is what the parent key grants by inheritance, and removing it can break service enumeration for non-administrative applications.
- Step 3: Verify that the modified ACLs prevent unauthorized access, both by re-reading the ACL and by attempting to set a value under the key from a standard-user session, which should fail with Access is denied.
4.3 Config or Code Example
A .reg file cannot express key permissions, and the REG_BINARY Security value found under a service's Security subkey is the service object's descriptor used by the Service Control Manager, not the key's ACL. The key ACL is therefore shown here as SDDL, the text form that the Sddl property of Get-Acl prints and that Set-Acl accepts. Both descriptors are abbreviated to the three explicit ACEs that matter for a key such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<ServiceName>; a real descriptor also carries inherited entries.

Before: BUILTIN\Users (BU) holds KEY_ALL_ACCESS (KA), so any local user can rewrite ImagePath.

```
O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;BU)
```

After: only SYSTEM (SY) and Administrators (BA) hold KEY_ALL_ACCESS; Users are reduced to KEY_READ (KR), so they can still enumerate the service but cannot change it.

```
O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)
```
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – restrict access to registry keys only to the accounts that require it. This limits the impact of an exploit if an account is compromised.
- Practice 2: Secure defaults – service keys created through the Service Control Manager inherit the ACL of the parent Services key, which grants standard users read access only. Installers and deployment scripts should leave that inheritance in place rather than granting Users or Everyone write access to "make the service work".
4.5 Automation (Optional)
```powershell
# PowerShell script to set standard ACLs on service keys (example only - test thoroughly)
$keep = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')  # TrustedInstaller holds Full Control on built-in service keys; keep it
$writeMask = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership')
foreach ($service in Get-Service) {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($service.Name)"
    $acl = Get-Acl -Path $keyPath -ErrorAction SilentlyContinue; if (-not $acl) { continue }
    # Remove every explicit Allow ACE that grants write rights to anyone outside $keep; inherited entries and Users' read access are left alone
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $keep -and (([int]$_.RegistryRights -band $writeMask) -ne 0) })) {
        $acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -Path $keyPath -AclObject $acl
}
```