Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path

Exploit Author: SamAlucard
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2024-08-04
#Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2024-07-31
#Vendor : Genexus
#Version : Genexus Protection Server 9.7.2.10
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage :  https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro

#Analyze PoC :
==============

C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: protsrvservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ProtSrvService
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem


Genexus Protection Server 9.7.2.10 — 'protsrvservice' Unquoted Service Path (Analysis & Mitigation)

Overview

An unquoted service path is a common Windows configuration mistake that can lead to local privilege escalation. In Genexus Protection Server 9.7.2.10 the Windows service named protsrvservice has been reported with an unquoted ImagePath containing spaces. This article explains the vulnerability class, how to detect and assess risk, and safe remediation strategies for system administrators and defenders.

What is an Unquoted Service Path?

Windows services store the path of their executable in the service configuration (the ImagePath value). If that path contains spaces and is not enclosed in quotes, Windows cannot tell where the executable name ends and any arguments begin, so when it starts the service it tries each space-delimited prefix of the string in turn (appending .exe where the prefix has no extension) until one resolves to a file. For the path reported above, that means the locations C:\Program and C:\Program Files (each with .exe appended) are checked before C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe. If an attacker can write to one of those intermediate locations, they may place a malicious binary that will be executed with the service privileges (often SYSTEM). This is a local privilege escalation vector whenever write access to the affected directories is possible.

Why this matters for protsrvservice

The reported configuration for protsrvservice points to a binary under "C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe" without enclosing quotes in the service ImagePath. If any directory in the path allows untrusted users to write files, an attacker may be able to exploit that misconfiguration to run code with the service's privileges. Because services often run as LocalSystem, the impact can be high.

Impact and Typical Risk Scenarios

  • Local Privilege Escalation: If a non-admin user has write permissions on a directory that is parsed prior to the real executable, they could place a rogue executable that runs as the service account.
  • Supply-chain / Multi-step Attack: An attacker with limited access may use this as an escalation foothold to move laterally or persist.
  • Severity: Usually High for systems where the service runs as SYSTEM or another privileged account and where directories in the path are writable by low-privilege users.

Safe Detection and Hunting Techniques

Defenders should scan endpoints for unquoted service paths and then check directory ACLs for write permissions. Below are safe, non-exploitative commands and scripts to identify candidates.

Using sc.exe to inspect one service

sc qc protsrvservice

This queries the service configuration. Look at the "BINARY_PATH_NAME" (ImagePath) field to see whether the path contains spaces and lacks surrounding quotes; on a localized Windows install the label differs (the Spanish output above shows it as NOMBRE_RUTA_BINARIO). This command is a read-only check and does not change service state.

PowerShell: enumerate services with unquoted paths

# Win32_Service.PathName is the ImagePath as the Service Control Manager sees it, arguments included.
# Keep entries that contain whitespace and do not begin with a quote.
Get-CimInstance -ClassName Win32_Service |
  Where-Object { $_.PathName -and $_.PathName -match '\s' -and $_.PathName -notmatch '^"' } |
  Select-Object Name, State, StartName, PathName

This lists Windows services whose PathName contains whitespace and does not start with a quote. It is a safe, read-only triage step that scales across many systems. Expect some entries that are unquoted only because arguments follow the executable (for example svchost.exe -k ...); those still need the directory permission checks below to confirm real exposure.

PowerShell: check registry ImagePath entries

# Walk every service key and read ImagePath straight from the registry.
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services |
  ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    # Flag values that contain whitespace and do not begin with a quote.
    if ($img -and $img -match '\s' -and $img -notmatch '^"') {
      [PSCustomObject]@{
        Service   = $_.PSChildName
        ImagePath = $img
      }
    }
  }

This reads the ImagePath directly from the registry for all services, catching entries that may be missed or formatted unusually by management tools.

Assessing Directory Permissions

Once you identify services with unquoted paths, check NTFS ACLs on each directory component in the path (e.g., C:\Program Files (x86)\, C:\Program Files (x86)\CommonFiles\, etc.) to ensure only trusted principals (SYSTEM, Administrators) can write. Use tools like icacls, Get-Acl, or Sysinternals AccessChk.

icacls "C:\Program Files (x86)\CommonFiles\Artech\GXProt1"

This returns the ACLs for the target folder. Ensure no low-privilege group (Users, Authenticated Users, Everyone) has write/create file permissions.
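The following script is an added example, not code from the original advisory or from Genexus. It joins the two steps described above: it enumerates services with unquoted, space-containing image paths, computes the intermediate locations Windows would try before the real executable, and then reads the ACL of each of those parent directories looking for create/write rights granted to low-privilege principals. The function names (Get-UnquotedPathCandidates, Get-LowPrivWriteAces) and the $LowPrivPrincipals list are my own choices; adjust the list to the groups that count as untrusted in your environment. It is read-only and should be run from an elevated session so every ACL can be read.

```powershell
# Added example (not from the original advisory): find unquoted service paths, compute
# the candidate locations Windows would try before the intended binary, and report any
# parent directory where a low-privilege principal can create or write files. Read-only.

# Assumption: these principals count as low-privilege for triage; extend for your estate.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # Windows tries each space-delimited prefix in order, appending .exe when the
    # prefix has no extension, and stops at the first one that resolves to a file.
    $tokens = $ImagePath.Trim() -split ' +'
    $candidates = New-Object System.Collections.Generic.List[string]
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if (-not [System.IO.Path]::HasExtension($prefix)) { $prefix += '.exe' }
        $candidates.Add($prefix)
        # A token that already ends in .exe is the intended binary; the rest are arguments.
        if ($tokens[$i - 1] -match '\.exe$') { break }
    }
    return $candidates.ToArray()
}

function Get-LowPrivWriteAces {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return }
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs ignored (simplification)
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # WriteData (0x2) creates files, AppendData (0x4) creates subfolders; Modify and
        # FullControl include both. Generic ACEs appear as GENERIC_WRITE (0x40000000) or
        # GENERIC_ALL (0x10000000) and are tested separately.
        if (($rights -band 0x6) -ne 0 -or ($rights -band 0x50000000) -ne 0) {
            [PSCustomObject]@{ Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = $svc.PathName
    if (-not $path -or $path -match '^"' -or $path -notmatch ' ') { continue }
    $candidates = @(Get-UnquotedPathCandidates -ImagePath $path)
    # A single candidate means the space belongs to arguments (e.g. svchost.exe -k ...),
    # so there is no intermediate location to check.
    if ($candidates.Count -lt 2) { continue }
    $seen = @{}
    foreach ($cand in $candidates[0..($candidates.Count - 2)]) {
        $dir = Split-Path -Path $cand -Parent
        if (-not $dir -or $seen.ContainsKey($dir)) { continue }
        $seen[$dir] = $true
        foreach ($ace in Get-LowPrivWriteAces -Directory $dir) {
            [PSCustomObject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                ImagePath = $path
                Candidate = $cand
                Directory = $dir
                Principal = $ace.Principal
                Rights    = $ace.Rights
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

An empty result means no unquoted service path on the host has a hijackable directory writable by the listed principals; a non-empty result should be prioritised by the RunsAs column (LocalSystem first). The script only inspects Allow ACEs and the listed principals, so a custom group that grants write access would need to be added to $LowPrivPrincipals to be caught.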

Remediation Strategies (Safe, Recommended)

  • Primary fix: Enclose the service ImagePath in quotes so Windows will correctly interpret the full path to the intended executable.
  • Vendor patch: Apply any official Genexus updates that address the issue. Patching is the preferred remediation when available.
  • Restrict file system permissions: Ensure only Administrators and SYSTEM can write to any directory components referenced by the service path.
  • Principle of least privilege: Where possible, run services under a dedicated low-privilege service account instead of LocalSystem.
  • Monitoring: Alert on changes to service ImagePath registry values and on creation of executables in service directories.

How to safely correct an unquoted ImagePath

If vendor patching is not immediately available, administrators can correct the ImagePath to include quotes. The examples below are administrative maintenance actions for defenders; they assume you have an administrative session and understand the impact of restarting services.

Using sc.exe (example)

sc stop protsrvservice
sc config protsrvservice binPath= "\"C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe\""
sc start protsrvservice

Explanation:
  • The first line stops the service prior to editing its configuration.
  • The second line updates the service's binPath (ImagePath) and encloses the full path in quotes. Note: sc expects a space after the equals sign and the embedded quotes around the path.
  • The third line restarts the service.

Use these commands only in maintenance windows or when you can afford the service restart and when you have administrative authority.

Alternative: Edit registry ImagePath (advanced)

Administrators may also edit the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\protsrvservice directly to wrap the executable path in quotes. This should be done carefully, with backups of the registry key and service configuration taken first, followed by a service restart. Editing the registry incorrectly can leave the service unable to start.
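As an added example (not Genexus's code and not from the original advisory), the function below performs that registry edit with the safeguards just mentioned: it reads the stored value without expanding environment variables, refuses to write a path that does not resolve to a file on disk, saves the original value to a JSON backup, preserves the value type (REG_SZ or REG_EXPAND_SZ), and restarts the service only if it was running. The function name Repair-UnquotedImagePath and the default backup folder are my own choices; -WhatIf gives a dry run.

```powershell
# Added example (not from the original advisory): quote an unquoted ImagePath in place,
# keeping any arguments outside the quotes, after saving the original value to a JSON
# backup. Run from an elevated session; supports -WhatIf for a dry run.
function Repair-UnquotedImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        # Assumption: the backup location is arbitrary; pick one your change process tracks.
        [string]$BackupDir = (Join-Path $env:ProgramData 'ImagePathBackups')
    )
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $key = Get-Item -LiteralPath $keyPath -ErrorAction Stop
    # Read the stored value without expanding %SystemRoot% etc., and remember its type.
    $original = [string]$key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $original) { throw "$ServiceName has no ImagePath value" }
    $kind = $key.GetValueKind('ImagePath')
    if ($original -match '^"') {
        Write-Verbose "$ServiceName is already quoted"
        return $original
    }
    # The executable is everything up to the first '.exe' followed by whitespace or the
    # end of the string; anything after it is treated as arguments and stays unquoted.
    if ($original -notmatch '^(?<exe>.+?\.exe)(?<rest>\s.*)?$') {
        throw "Cannot locate an .exe in ImagePath: $original"
    }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']
    # Refuse to write a path that does not resolve to a file; a typo here breaks the service.
    $resolved = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
        throw "Executable not found on disk: $resolved"
    }
    $fixed = "`"$exe`"$rest"
    if ($PSCmdlet.ShouldProcess($ServiceName, "Set ImagePath to $fixed")) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        [PSCustomObject]@{ Service = $ServiceName; ImagePath = $original; ValueKind = "$kind"; SavedAt = $stamp } |
            ConvertTo-Json | Set-Content -LiteralPath (Join-Path $BackupDir "$ServiceName-$stamp.json")
        # Preserve the original value type (REG_SZ vs REG_EXPAND_SZ).
        Set-ItemProperty -LiteralPath $keyPath -Name ImagePath -Value $fixed -Type $kind
        if ((Get-Service -Name $ServiceName).Status -eq 'Running') {
            Restart-Service -Name $ServiceName
        }
    }
    return $fixed
}

# Dry run first, then apply during a maintenance window:
# Repair-UnquotedImagePath -ServiceName protsrvservice -WhatIf
# Repair-UnquotedImagePath -ServiceName protsrvservice -Verbose
```

The regex stops at the first ".exe" followed by whitespace, so a directory name containing ".exe " would be mis-split; the on-disk existence check catches that case before anything is written. After running it, re-run sc qc protsrvservice and confirm the path now begins with a quote.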

Hardening Checklist

  • Scan all endpoints for unquoted service paths and remediate critical/high results promptly.
  • Apply vendor updates for Genexus Protection Server when available.
  • Restrict ACLs on program directories to Administrators and SYSTEM only.
  • Run high-privilege services under minimally privileged service accounts where feasible.
  • Enable file integrity monitoring and log alerting for changes to service ImagePath and binary creation in program directories.
  • Document and schedule service restarts and maintenance windows for changes that require it.
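The monitoring item above (alert on changes to service ImagePath values) can be covered without additional tooling by a baseline comparison. The script below is an added example, not part of the original advisory or Genexus software: it snapshots the raw ImagePath of every service key into a JSON baseline, and a later run reports any service whose value was added, removed or modified, flagging the ones that have become unquoted. The function names and the baseline file path in the usage comments are my own choices.

```powershell
# Added example (not from the original advisory): snapshot every service's stored
# ImagePath to a baseline file, then compare a later snapshot against it so that any
# added, removed or modified ImagePath (and any newly unquoted one) is reported.
function Get-ServiceImagePathSnapshot {
    $snapshot = @{}
    $keys = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        # Read the raw value (no %SystemRoot% expansion) so the comparison is exact.
        $img = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if ($null -ne $img) { $snapshot[$key.PSChildName] = [string]$img }
    }
    return $snapshot
}

function Save-ServiceImagePathBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-ServiceImagePathSnapshot | ConvertTo-Json | Set-Content -LiteralPath $Path
}

function Compare-ServiceImagePathBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($p in (Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = $p.Value
    }
    $current = Get-ServiceImagePathSnapshot
    $names = @($baseline.Keys) + @($current.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $old = $baseline[$name]
        $new = $current[$name]
        if ($old -eq $new) { continue }
        $change = if ($null -eq $old) { 'Added' } elseif ($null -eq $new) { 'Removed' } else { 'Modified' }
        [PSCustomObject]@{
            Service  = $name
            Change   = $change
            Baseline = $old
            Current  = $new
            # Flag the specific regression this advisory is about.
            Unquoted = [bool]($new -and $new -match ' ' -and $new -notmatch '^"')
        }
    }
}

# Assumed paths; take the baseline once after hardening, compare on a schedule:
# Save-ServiceImagePathBaseline    -Path 'C:\Baselines\services-imagepath.json'
# Compare-ServiceImagePathBaseline -Path 'C:\Baselines\services-imagepath.json'
```

Run the comparison from a scheduled task and forward any non-empty output to your alerting pipeline; a Modified row for a service running as LocalSystem, or any row with Unquoted set to True, deserves the same triage as a new finding from the detection scripts earlier in this article.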

Example Risk Assessment Table

Factor             | Assessment
-------------------|------------------------------------------------------------------------------------------------------
Service name       | protsrvservice (Genexus Protection Server)
Vulnerability type | Unquoted service path (local configuration)
Typical impact     | Local privilege escalation (if write access exists to directories in path)
Likelihood         | Depends on directory ACLs; low if standard Program Files ACLs are intact, higher if custom permissions exist
Recommended action | Quote ImagePath, tighten ACLs, apply vendor patch

Responsible Remediation Timeline

- Immediate: Detect and confirm presence; check directory ACLs. If a writable directory is found, schedule immediate remediation and apply temporary compensating controls (deny write access, increase monitoring).
- Short term (24–72 hours): Apply the quoted ImagePath fix or vendor patch during a maintenance window.
- Long term: Add this check to configuration baselines and hardening guides to prevent regressions.

Final Notes for Administrators

Unquoted service paths are an easy-to-miss configuration issue with significant potential impact. Scanning for and fixing these is a straightforward hardening task that reduces local privilege escalation risk. For Genexus Protection Server customers, prioritize vendor updates and ensure program directories have correct permissions. Avoid ad-hoc changes without testing in a non-production environment where possible.