How to Find Unquoted Service Paths with PowerShell?

If you manage Windows systems—whether you’re a sysadmin, security analyst, or just someone who wants to keep their environment secure—there’s a surprisingly common vulnerability hiding in plain sight: unquoted service paths.

In this tutorial, I will explain how to find unquoted service paths with PowerShell using different methods.

But let us first understand why it really matters.

Why Unquoted Service Paths Are Dangerous?

Here’s the problem in a nutshell: when a Windows service is configured with a file path that contains spaces but isn’t wrapped in quotation marks, Windows gets confused about where the executable actually is. An attacker can exploit this confusion to run their own malicious code with elevated privileges—often as SYSTEM, the most powerful account on a Windows machine.

Imagine a service with this path:

C:\Program Files\My Application\service.exe

If this path isn’t quoted, Windows doesn’t know where the executable name ends and its arguments begin. It will try to execute files in this order:

  1. C:\Program.exe
  2. C:\Program Files\My.exe
  3. C:\Program Files\My Application\service.exe

If an attacker can write a malicious Program.exe to the C:\ drive, it will run before the legitimate service—and often with SYSTEM privileges. That’s a full compromise waiting to happen.
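
To make the search order above concrete, here is an added example (not code from the original tutorial) that lists every location Windows would try before the real executable for an unquoted path and reports whether a file already exists there. Get-InterceptionCandidate is a hypothetical function name chosen for this illustration, and the sample path is the one used above.

```powershell
# Added example; Get-InterceptionCandidate is a hypothetical helper name.
function Get-InterceptionCandidate {
    param([Parameter(Mandatory)][string]$ImagePath)

    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # Quoted paths are unambiguous; values without ".exe" (drivers) are skipped.
    if ($expanded.StartsWith('"') -or -not ($expanded -match '^(.*?\.exe)')) { return }

    # Each space inside the executable path is a point where Windows may stop
    # and try "<text so far>.exe" before moving on to the next space.
    $parts = $Matches[1] -split ' '
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        '{0}.exe' -f ($parts[0..$i] -join ' ')
    }
}

# The path used in this article (constructed sample, no service required)
Get-InterceptionCandidate 'C:\Program Files\My Application\service.exe'

# Audit the local machine: a file that already exists at a candidate
# location deserves immediate investigation.
Get-CimInstance Win32_Service | Where-Object PathName | ForEach-Object {
    $svc = $_
    Get-InterceptionCandidate -ImagePath $svc.PathName | ForEach-Object {
        [PSCustomObject]@{
            Service   = $svc.Name
            StartName = $svc.StartName
            Candidate = $_
            Exists    = Test-Path -LiteralPath $_ -PathType Leaf
        }
    }
} | Sort-Object Exists -Descending | Format-Table -AutoSize
```

Services with no candidates are either quoted or have no space in the executable path, so they do not appear in the output.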

Now, let us see how to find and then fix this.

Method 1: The Quick WMI One-Liner

This is my go-to method when I just want a fast scan of a single machine.

Step 1: Open PowerShell as Administrator (right-click PowerShell and select “Run as Administrator”).

Step 2: Run this command:

Get-WmiObject Win32_Service | Where-Object {
    $_.PathName -notmatch '^"' -and 
    $_.PathName -match ' '
} | Select-Object Name, DisplayName, PathName, StartMode

What’s happening here?

  • Get-WmiObject Win32_Service grabs all services on the system
  • The Where-Object filters for services where:
    • The path doesn’t start with a quote (-notmatch '^"')
    • The path contains a space (-match ' ')
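  • We display the service name, display name, path, and start mode

Note that this quick filter also flags services whose only space is in the command-line arguments (for example C:\Windows\system32\svchost.exe -k netsvcs), so review the results before treating each one as vulnerable.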

Pro Tip: Focus on services with StartMode set to “Auto” or “Manual” that run with high privileges—those are the juiciest targets for attackers.

Method 2: The Registry Deep-Dive

WMI is great, but sometimes you want to dig deeper or scan systems where WMI might be restricted. The registry holds all service configurations.

Step 1: Query the registry for service paths:

$services = Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Services"

$unquoted = foreach ($service in $services) {
    $imagePath = (Get-ItemProperty -Path $service.PSPath -ErrorAction SilentlyContinue).ImagePath

    # Isolate the executable part (everything up to the first ".exe") so that
    # spaces in command-line arguments are not counted.
    $exePath = if ($imagePath -match '^(.*?\.exe)') { $Matches[1] }

    if ($exePath -and $exePath -notmatch '^"' -and $exePath -match ' ') {
        [PSCustomObject]@{
            ServiceName = $service.PSChildName
            ImagePath   = $imagePath
        }
    }
}

$unquoted | Format-Table -AutoSize

What this does differently:

  • It reads directly from the registry (HKLM:\SYSTEM\CurrentControlSet\Services)
  • Filters for paths that have a space before .exe and no leading quote
  • Gives you raw ImagePath values (sometimes these include parameters that WMI might parse differently)

Common Pitfall: Some service paths include command-line arguments (like C:\My App\service.exe -start). Make sure your detection logic accounts for spaces in the path itself, not just in arguments. This script does that by testing for spaces only in the part of the path up to .exe.

Method 3: Using Community-Built Functions

The PowerShell community has built some excellent tools for this. One I really like is the Find-UnquotedServicePath function.

Step 1: Install or download the function. If it’s in the PowerShell Gallery:

Install-Module -Name ARTools -Scope CurrentUser

Step 2: Run the function:

Find-UnquotedServicePath

This function is especially handy because:

  • It’s designed for remote scanning via PowerShell remoting
  • It filters for services set to auto-start by default
  • It’s well-tested and maintained by the community

Pro Tip: If you manage multiple servers, use PowerShell remoting to scan them all at once. The script block runs on each remote machine, so the function must be available there:

Invoke-Command -ComputerName Server01, Server02, Server03 -ScriptBlock {
    Find-UnquotedServicePath
}

Fix Unquoted Service Paths Issue in PowerShell

Once you’ve found vulnerable services, you need to fix them. Warning: Always test changes in a non-production environment first. Misconfiguring a service can break critical applications.

Manual Fix via Registry

Step 1: Open regedit as Administrator.

Step 2: Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[ServiceName]

Step 3: Find the ImagePath value and wrap the executable path in quotes:

Before:

C:\Program Files\My App\service.exe

After:

"C:\Program Files\My App\service.exe"

Step 4: Restart the service (or reboot if it’s a critical system service).

Automated Fix with PowerShell

GitHub user NetSecJedi created a script that automatically fixes unquoted paths. Use with caution and review the code first:

# Download and review the script first!
# Then run it with appropriate permissions
.\FixUnquotedPaths.ps1

Best Practice: Always create a registry backup or system restore point before mass-editing service configurations. I’ve learned this the hard way!
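
The manual steps above can also be scripted. The following is an added example, not the NetSecJedi script and not code from the original tutorial: it quotes only the executable part of each unquoted ImagePath, skips values that are already quoted or have spaces only in their arguments, and records the old value first. The function name Repair-UnquotedServicePath and the backup file location are assumptions made for this illustration.

```powershell
# Added example; function name and backup location are hypothetical.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string]$BackupCsv    = (Join-Path $env:TEMP 'ImagePath-backup.csv')
    )

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        # Read the raw value so %SystemRoot%-style variables are written back unchanged
        $raw = [string]$key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')

        # Skip missing values and paths that are already quoted
        if (-not $raw -or $raw.TrimStart().StartsWith('"')) { continue }
        # Skip values with no ".exe" (for example drivers)
        if (-not ($raw -match '^(?<exe>.*?\.exe)(?<rest>.*)$')) { continue }

        $exe, $rest = $Matches['exe'], $Matches['rest']
        # Spaces that occur only in the arguments are fine
        if (-not $exe.Contains(' ')) { continue }

        $fixed = '"{0}"{1}' -f $exe, $rest
        if ($PSCmdlet.ShouldProcess($key.PSChildName, "Set ImagePath to $fixed")) {
            # Record the old value before changing anything
            [PSCustomObject]@{ Service = $key.PSChildName; OldImagePath = $raw } |
                Export-Csv -Path $BackupCsv -Append -NoTypeInformation
            # Keep the original registry value type (REG_SZ or REG_EXPAND_SZ)
            Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $fixed `
                -Type $key.GetValueKind('ImagePath')
        }
        [PSCustomObject]@{ Service = $key.PSChildName; Old = $raw; New = $fixed }
    }
}

# Preview only: with -WhatIf nothing is written to the registry
Repair-UnquotedServicePath -WhatIf
```

Run it without -WhatIf from an elevated session once the preview looks right, then restart the affected services.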

Important Points

Here are some important points to remember:

  • Don’t quote paths that are already quoted — you’ll end up with double-quotes and a broken service
  • Don’t forget to restart services after fixing them (changes don’t take effect until restart)
  • Don’t assume all spaces mean vulnerability — command-line arguments after the .exe are fine
  • Don’t fix services you don’t understand — some legacy apps have weird requirements; research first

Conclusion

Unquoted service paths are one of those “hidden in plain sight” vulnerabilities that can give an attacker a quick path to SYSTEM-level access. But you can use PowerShell to fix the issue. In this tutorial, I explained in detail how to find unquoted service paths with PowerShell using different methods.
