Privilege escalation typically occurs not because of a bug in NSSM, but because of misconfigurations in the services it creates. In many cases, these misconfigurations allow a low-privileged user to gain SYSTEM or Administrator access. 1. Unquoted Service Paths
Using accesschk.exe from Sysinternals or PowerShell, the attacker checks if they have SERVICE_CHANGE_CONFIG or WRITE_DAC rights: nssm-2.24 privilege escalation
Writable service binary or helper
: If the registry keys governing the NSSM service (e.g., ImagePath ) are writable by unprivileged users, they can modify the service configuration to execute arbitrary payloads. Known Affected Products (Examples) Privilege escalation typically occurs not because of a
The attacker stops and restarts the service (if they have SERVICE_START and SERVICE_STOP rights) or waits for a system reboot: Unquoted Service Paths Using accesschk
: A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.