Patch Windows Unquoted Service Path Vulnerability

Detect and remediate unquoted service ImagePath values on Windows endpoints to block local privilege escalation

Worklet Details

What the unquoted service path remediator does

This Automox Worklet™ detects and remediates the Windows unquoted service path vulnerability (CVE-2005-1185) on Windows endpoints. The Worklet enumerates every service registry entry under HKLM:\SYSTEM\CurrentControlSet\Services, reads each ImagePath value, and flags any entry whose path contains a space character but is not wrapped in double quotes. The same scan runs against UninstallString values in the Uninstall registry hive, where the same vulnerability class lurks for installer artifacts.

For each flagged entry, the Worklet rewrites the registry value with the executable path quoted (everything up to and including the .exe extension wrapped in double quotes), preserving any command-line arguments that follow. Every change is appended to a CSV file at C:\ProgramData\Automox\unquoted-path-audit.csv with the timestamp, service name, original value, and new value, so the security team has a per-change audit trail that can be correlated with the policy run identifier.

Evaluation walks every ImagePath under HKLM:\SYSTEM\CurrentControlSet\Services and every UninstallString in the Uninstall hive read-only, so endpoints that are already clean exit 0 immediately. Endpoints where a newly installed application has registered a service with an unquoted path are flagged on the next evaluation, the path is rewritten with the executable wrapped in double quotes, and the CSV audit log at C:\ProgramData\Automox\unquoted-path-audit.csv records the timestamp and old-versus-new value, so the security team has the per-change history when CVE-2005-1185 evidence is requested.

Why fix unquoted service paths at fleet scale

An unquoted service path is one of the oldest local privilege escalation vectors in Windows. When a service ImagePath is C:\Program Files\Some Vendor\Service.exe without quotes, the service control manager treats each space as a possible end of the executable name: it tries to launch C:\Program.exe first, then C:\Program Files\Some.exe, before finally finding the real binary. An attacker who can drop an executable into C:\ (a low-privilege location on many endpoints) or at C:\Program Files\Some.exe gains SYSTEM the next time the service starts. CVE-2005-1185 documented the pattern; twenty years later, vendors still ship installers that produce the same unquoted entries.

Unquoted service paths under HKLM:\SYSTEM\CurrentControlSet\Services\*\ImagePath are the textbook CWE-428 privilege escalation vector. A service that runs as LocalSystem with an unquoted ImagePath like C:\Program Files\Vendor App\service.exe lets any user who can drop a Program.exe at the root of C:\ inherit SYSTEM. This Worklet enumerates every service ImagePath value, quotes the ones that need it, and remediates a CIS Benchmark 18.x and Microsoft KB816125 finding that often goes back years on a Windows fleet. Pair the recurring policy with an installer-vetting process that catches the next vendor that ships an unquoted ImagePath before it reaches production.

How the unquoted path remediation works

  1. Evaluation phase: The Worklet enumerates HKLM:\SYSTEM\CurrentControlSet\Services\* with Get-ChildItem, reads each subkey's ImagePath property, and runs a regex check that flags entries with an unquoted path containing a space. The script also walks the 64-bit and Wow6432Node Uninstall hives and applies the same check to UninstallString. If at least one unquoted entry is found, the endpoint is flagged for remediation.

  2. Remediation phase: The remediation script iterates the flagged list and rewrites each value with Set-ItemProperty. The rewrite quotes everything up to and including the .exe extension, leaves any trailing arguments untouched, and preserves the REG_EXPAND_SZ or REG_SZ type of the original value. Each rewrite is appended to the CSV audit log. The script exits 0 if every flagged entry was rewritten cleanly, or non-zero with the failing service name on stderr if a write error occurs.
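The two phases above, written out as an added PowerShell example. This is not the Automox Worklet's own script; it implements the same detection rule (unquoted value, space inside the executable path), the same rewrite (quote through .exe, keep trailing arguments), the value-kind preservation and the CSV audit row the page describes. The -DryRun switch gives the evaluation-only behaviour (exit 0 when clean, non-zero when findings exist), and the -ExcludeServices parameter is a hypothetical stand-in for the policy's service exclusion list. It assumes an elevated (SYSTEM or local administrator) context.

```powershell
# Added example, not the Worklet's own code. Run elevated.
# -DryRun      : evaluation only; exit 0 if compliant, 1 if unquoted paths exist
# -ExcludeServices : hypothetical stand-in for the policy's exclusion list
param(
    [switch]$DryRun,
    [string[]]$ExcludeServices = @(),
    [string]$AuditLog = 'C:\ProgramData\Automox\unquoted-path-audit.csv'
)

# Key + value pairs to inspect: service ImagePath, and UninstallString in both
# the native and Wow6432Node Uninstall hives.
$targets = @(
    @{ Parent = 'HKLM:\SYSTEM\CurrentControlSet\Services';                               Value = 'ImagePath' },
    @{ Parent = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Value = 'UninstallString' },
    @{ Parent = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Value = 'UninstallString' }
)

# Shortest prefix ending in .exe that is followed by whitespace or end of string,
# then whatever arguments trail it.
$exePattern = '^(?<exe>[^"]*?\.exe)(?=\s|$)(?<rest>.*)$'

# True when the value is not already quoted and the executable path contains a space.
function Test-UnquotedPath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $false }
    if ($Raw.TrimStart().StartsWith('"')) { return $false }     # already quoted
    if ($Raw -match $exePattern) { return ($Matches['exe'] -match ' ') }
    return $false                                               # no .exe: drivers, rundll32-style values
}

# Quote the executable portion; arguments are copied verbatim.
function ConvertTo-QuotedPath {
    param([string]$Raw)
    if ($Raw -match $exePattern) { return '"{0}"{1}' -f $Matches['exe'], $Matches['rest'] }
    return $Raw
}

# Evaluation. Values are read unexpanded so that a REG_EXPAND_SZ value such as
# %ProgramFiles%\Vendor\svc.exe is not written back in its expanded form.
function Find-UnquotedEntries {
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($t in $targets) {
        foreach ($key in (Get-ChildItem -Path $t.Parent -ErrorAction SilentlyContinue)) {
            $raw = $key.GetValue($t.Value, $null, $noExpand)
            if ($raw -is [string] -and (Test-UnquotedPath $raw)) {
                [pscustomobject]@{
                    Name     = $key.PSChildName
                    KeyPath  = $key.PSPath
                    Value    = $t.Value
                    Kind     = $key.GetValueKind($t.Value)     # String or ExpandString
                    Original = $raw
                    New      = ConvertTo-QuotedPath $raw
                }
            }
        }
    }
}

$findings = @(Find-UnquotedEntries | Where-Object { $ExcludeServices -notcontains $_.Name })
if ($findings.Count -eq 0) { Write-Output 'Compliant: no unquoted executable paths found'; exit 0 }
if ($DryRun) { $findings | Format-Table Name, Value, Original, New -AutoSize; exit 1 }

# Remediation: rewrite with the original value kind and append one audit row per change.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $AuditLog) | Out-Null
$failed = 0
foreach ($f in $findings) {
    try {
        Set-ItemProperty -Path $f.KeyPath -Name $f.Value -Value $f.New -Type $f.Kind -ErrorAction Stop
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('o')
            Service   = $f.Name
            Original  = $f.Original
            New       = $f.New
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
    } catch {
        [Console]::Error.WriteLine("Failed to rewrite $($f.Value) for $($f.Name): $_")
        $failed++
    }
}
exit $(if ($failed -gt 0) { 1 } else { 0 })
```

Two details matter more than the regex. Reading with DoNotExpandEnvironmentNames is what keeps a REG_EXPAND_SZ value intact; Get-ItemProperty would hand back the expanded string and the rewrite would silently freeze it. And the lookahead after .exe stops the match at the first executable name that is followed by a space or the end of the value, so a directory name containing ".exe" in the middle of the path does not cut the quoting short.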

Unquoted path remediation requirements

  • Windows 10, Windows 11, or Windows Server 2016 and later with PowerShell 5.1 or PowerShell 7 available

  • Local administrator or SYSTEM privileges for the Automox agent (the default agent context satisfies this) to modify HKLM service registry entries

  • Write access to C:\ProgramData\Automox so the CSV audit log can be appended on every run

  • A SIEM ingestion path for the CSV audit log if your runbook requires the change history to live somewhere more durable than the local endpoint

  • Awareness that some legacy services do not handle a quoted ImagePath value when the original was deliberately unquoted to support a non-standard launcher; review the audit log on the first run and exclude any service that breaks

Expected service path state after remediation

After successful remediation, every service ImagePath value with a space in the executable path is wrapped in double quotes, and the same is true of UninstallString values in the Uninstall hive. The CSV audit log at C:\ProgramData\Automox\unquoted-path-audit.csv contains one row per change with the timestamp, service name, original value, and new value. Subsequent evaluations report the endpoint as compliant unless a new install has registered another unquoted entry, at which point the next pass quotes it and appends to the audit log.

Validate by running the Worklet against a single Windows endpoint, then inspecting the audit log and confirming each rewritten ImagePath value resolves correctly with the service control manager. For audit evidence, ship the CSV to a SIEM along with the policy run identifier. If a service fails to start after the rewrite, the cause is almost always that the original ImagePath was deliberately constructed to use a quirky launcher path; restore the value from the audit log's original column and exclude the service from future runs via the policy's service exclusion list.
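A post-remediation check built around the audit CSV, as an added example rather than part of the Worklet. For each logged change it pulls the quoted executable out of the new value, expands environment variables and the \SystemRoot and \??\ kernel-style prefixes, confirms the file exists, and reports the service's current status; -Restore <ServiceName> writes the audit log's Original column back to that service's ImagePath, which is the rollback step described above. It assumes the CSV columns Timestamp, Service, Original and New, and that a row whose name is not a service (an Uninstall entry) is reported with a status of "n/a".

```powershell
# Added example, not the Worklet's own code. Run elevated for -Restore.
param(
    [string]$AuditLog = 'C:\ProgramData\Automox\unquoted-path-audit.csv',
    [string]$Restore
)

$rows = Import-Csv -Path $AuditLog

# Rollback: put the Original value back for one service, keeping its value kind.
if ($Restore) {
    $row = $rows | Where-Object Service -eq $Restore | Select-Object -Last 1
    if (-not $row) { throw "No audit row for service '$Restore'" }
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Restore"
    if (-not (Test-Path -LiteralPath $keyPath)) { throw "'$Restore' is not a service key; restore Uninstall entries by hand" }
    $kind = (Get-Item -LiteralPath $keyPath).GetValueKind('ImagePath')
    Set-ItemProperty -Path $keyPath -Name ImagePath -Value $row.Original -Type $kind
    Write-Output "Restored ImagePath for $Restore to: $($row.Original)"
    exit 0
}

# Verification: the quoted executable must resolve to an existing file, and a
# service row should show the status you expect for its start type.
foreach ($row in $rows) {
    $exe = if ($row.New -match '^"(?<exe>[^"]+)"') { $Matches['exe'] } else { $row.New }
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    $expanded = $expanded -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $exists   = Test-Path -LiteralPath $expanded -PathType Leaf
    $svc      = Get-Service -Name $row.Service -ErrorAction SilentlyContinue
    $status    = if ($svc) { $svc.Status } else { 'n/a' }
    $startType = if ($svc) { $svc.StartType } else { 'n/a' }
    [pscustomobject]@{
        Service    = $row.Service
        Executable = $expanded
        Exists     = $exists
        Status     = $status
        StartType  = $startType
        ChangedAt  = $row.Timestamp
    }
}
```

A row with Exists = False after a rewrite is the signal to look at: either the original value relied on a launcher path that only worked because of the unquoted lookup, or the expansion prefix is one this check does not normalise. Either way the Original column is the value to restore before adding the service to the exclusion list.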

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
