NSSM 2.24 Privilege Escalation (Updated)
If an attacker can modify the ImagePath or Application parameter of an existing NSSM-managed service (or create a new one), they can execute arbitrary commands as SYSTEM or LOCAL SERVICE (depending on the service’s configured account).
Despite being over a decade old, nssm224 remains viable because:
Real-world breach reports (e.g., from Red Canary & Mandiant 2024) show that attackers still use NSSM-based persistence to elevate from IIS APPPOOL or LOCAL SERVICE to SYSTEM.
The updated privilege escalation technique focuses on the GUI component (nssm edit <servicename>). While the GUI requires administrative privileges to install a service, an updated finding reveals a race condition in v2.24:
Scenario: A high-privilege user installs a legitimate service (e.g., AppWatcher) using NSSM. The low-privilege user cannot modify the service binary path directly (needs admin rights). However, NSSM 2.24 stores its configuration in the registry under HKLM\SYSTEM\CurrentControlSet\Services\AppWatcher\Parameters.
Even with quoted paths, NSSM 2.18 through 2.24 sometimes inherit weak ACLs (Access Control Lists) on the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\MyService
If a standard user can modify the ImagePath value, they can point the service to their own executable.
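To audit for the weak-ACL condition described above, a defender can export each service key's security descriptor as SDDL (for example with (Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\MyService').Sddl) and check which low-privileged trustees hold write-type rights. The following is an added example, not code from the original page or from NSSM; the sample SDDL strings are constructed and the list of low-privileged trustees is an assumption.

```python
import re

# SDDL rights tokens -> access-mask bits (subset relevant to registry keys).
RIGHTS = {"KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Bits that let a trustee change what the service launches.
DANGEROUS = {0x2: "SetValue", 0x4: "CreateSubKey", 0x40000: "WriteDAC",
             0x80000: "WriteOwner", 0x40000000: "GenericWrite",
             0x10000000: "GenericAll"}
# Trustees treated as low-privileged (assumption: extend for your estate).
LOW_PRIV = {"WD": "Everyone", "S-1-1-0": "Everyone",
            "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
            "BU": "Users", "S-1-5-32-545": "Users", "IU": "Interactive",
            "LS": "LOCAL SERVICE", "S-1-5-19": "LOCAL SERVICE",
            "NS": "NETWORK SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# Constructed SDDL strings for a service key (not taken from a real host).
SAMPLES = {
    "hardened": "O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)",
    "weak": "O:BAG:SYD:AI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;CCDCLCSWRPRC;;;AU)",
    "apppool": "O:BAG:SYD:(A;;KA;;;SY)(A;;0x20006;;;S-1-5-82-1111-2222-3333)",
}

def access_mask(rights):
    """Convert an SDDL rights field (hex, or two-letter tokens) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in re.findall("..", rights):
        mask |= RIGHTS.get(token, 0)
    return mask

def weak_aces(sddl):
    """Return (trustee, rights) for allow ACEs that give a low-privileged trustee
    write-type access. Deny ACEs are not evaluated, so confirm hits on the host."""
    dacl = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue
        sid = fields[5]
        who = "IIS APPPOOL identity" if sid.startswith("S-1-5-82-") else LOW_PRIV.get(sid)
        granted = [name for bit, name in DANGEROUS.items() if access_mask(fields[2]) & bit]
        if who and granted:
            findings.append((who, granted))
    return findings
```

Run weak_aces() over the SDDL of both the service key and its Parameters subkey, since NSSM keeps its settings in the latter; an empty list means no listed low-privileged trustee has write-type access.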
The infamous nssm224 privilege escalation issue is not a bug in NSSM’s code per se. Instead, it stems from misconfigurations combined with NSSM’s default behavior.
If you are an authorized penetration tester:
Example silent install (red team):
nssm install UpdaterService "%temp%\update.exe" --silent
nssm set UpdaterService AppParameters "/c whoami > C:\ProgramData\out.txt"
nssm start UpdaterService
Date: April 12, 2026
Category: Cybersecurity / Windows Privilege Escalation
Tool: NSSM (Non-Sucking Service Manager) v2.24