Nssm-2.24 Privilege Escalation Jun 2026

If the registry keys governing the NSSM service (e.g., ImagePath) are writable by unprivileged users, they can modify the service configuration to execute arbitrary payloads.

NSSM is registered as a service with a path like C:\Program Files\My App\nssm.exe but without quotation marks.

Fix existing services by updating their binPath using:

sc config "ServiceName" binPath= "\"C:\Path With Spaces\nssm.exe\" install_args"

If the Access Control Lists (ACLs) on these folders are misconfigured, low-privileged users (like members of the Authenticated Users or Users group) may possess write or modify permissions.

If you are in charge of systems that use NSSM, it is highly recommended to check for version 2.24 and upgrade to the latest 2.25 pre-release (nssm.cc/download) immediately.

Furthermore, specific to NSSM 2.24, the tool allows the modification of the AppParameters or Application registry keys (located at HKLM\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters) without strict integrity checks if the attacker has sufficient privileges to modify the service configuration (often achievable via standard user rights if service permissions are misconfigured).


Always ensure that when setting up services with NSSM, the path to nssm.exe and the application it manages are enclosed in quotes, particularly if the path contains spaces.

In the ecosystem of Windows system administration, few tools are as beloved yet as misunderstood as the Non-Sucking Service Manager (NSSM). For years, NSSM has been the go-to solution for developers and sysadmins needing to run executable files (batch scripts, Python apps, or Node.js servers) as Windows services. Its ability to automatically restart crashed processes and its intuitive GUI have made it a staple.

If the service path to NSSM contains spaces and is not enclosed in quotes, Windows may attempt to execute files at different points in the path. For example, if installed in C:\Program Files (x86)\App Name\nssm.exe, an attacker with write access to C:\ could place a malicious file at C:\Program.exe to gain elevated access.

sc query state= all | findstr /i "SERVICE_NAME"
sc qc MyNSSMService | findstr /i "BINARY_PATH_NAME"

Published: For educational and defensive security purposes. Always obtain permission before testing on any system you do not own.

If a service path contains spaces (e.g., C:\Program Files\NSSM\nssm.exe) and is not enclosed in double quotes, Windows will look for executables at every space in the path.
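To audit for the unquoted-path condition described above, the following added example (not part of the original page or of NSSM) parses BINARY_PATH_NAME lines as printed by sc qc and lists, for each unquoted path, the extra locations Windows may try and whose parent directory ACLs therefore need checking. The sample input is constructed, and the function names are assumptions made for this example.

```python
import re

# Constructed sample: BINARY_PATH_NAME lines in the layout printed by `sc qc <service>`.
SAMPLE_SC_QC = r'''
        BINARY_PATH_NAME   : C:\Program Files\My App\nssm.exe
        BINARY_PATH_NAME   : "C:\Program Files\My App\nssm.exe"
        BINARY_PATH_NAME   : C:\Tools\nssm.exe install_args
        BINARY_PATH_NAME   : C:\Program Files (x86)\App Name\nssm.exe
'''

# Heuristic: the executable ends at the first ".exe" followed by whitespace or end of line.
EXE_END = re.compile(r'\.exe(?=\s|$)', re.IGNORECASE)

def binary_paths(sc_qc_text):
    """Extract the value of every BINARY_PATH_NAME line."""
    return [m.group(1).strip()
            for m in re.finditer(r'BINARY_PATH_NAME\s*:\s*(.+)', sc_qc_text)]

def extra_lookup_locations(image_path):
    """Return the executables Windows may try before the intended one.
    An empty list means the path is quoted or has no space before the executable."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    m = EXE_END.search(image_path)
    exe = image_path[:m.end()] if m else image_path
    # Each space in the executable path is a point where the path may be cut short.
    return [exe[:i] + '.exe' for i, ch in enumerate(exe) if ch == ' ']

def audit(sc_qc_text):
    """Map each unquoted, space-containing service path to the locations to verify."""
    findings = {}
    for path in binary_paths(sc_qc_text):
        extra = extra_lookup_locations(path)
        if extra:
            findings[path] = extra
    return findings

if __name__ == "__main__":
    for path, extra in audit(SAMPLE_SC_QC).items():
        print(f"UNQUOTED: {path}")
        for location in extra:
            print(f"  verify non-admins cannot create: {location}")
```
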