none
Replacing a registry data value RRS feed

  • Question

  • Hi,

    Due to a vulnerability assessment highlighting "Unquoted Service Path Enumeration" which is basically a service starting with a path that has spaces example: %ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe it has to be in quotes as it could be vulnerable to attack. The simplest way to address is to change the registry value. I tried to test if it exists using:

    reg query HKLM\SYSTEM\CurrentControlSet\Services\c2wts /v ImagePath /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe"

    but keep getting an invalid syntax error. 

    Ultimately i want to replace:

    %ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe

    with

    "%ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe"

    if it exists.

    My original thoughts were something like:

    if exist reg query HKLM\SYSTEM\CurrentControlSet\Services\c2wts /v ImagePath /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe" GOTO ADD

    :ADD

    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\c2wts /v ImagePath /t REG_EXPAND_SZ /d ""%ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe"" /f

    Your help will be much appreciated




    • Edited by Sean_999 Wednesday, November 1, 2017 1:04 PM
    Wednesday, November 1, 2017 1:00 PM

Answers

  • I did a search for "Unquoted Service Path Enumeration" and wouldn't you know there is a gallery script written in PowerShell that somebody already wrote that says it fixes this:

    Microsoft Windows Unquoted Service Path Enumeration (subtitle: This script fixes vulnerability "Microsoft Windows Unquoted Service Path Enumeration")

    Please be sure to search before asking questions. Someone may have already written working code for you. It will save you time. Make sure to test first.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, November 1, 2017 2:25 PM
    Moderator