However, recent Windows 11 Insider builds present a new prompt when ChangeServiceConfig is called by a non-system process with a modified binary path. This is not yet backported to Server 2022 or Windows 10.
After reading this article, your next step should be running a simple PowerShell query across your Windows estate: nssm224 privilege escalation updated
This article provides a deep dive into the mechanics of the NSSM-224 privilege escalation, why it remains effective against partially patched systems, and how defenders can detect and mitigate the risk—even as Microsoft continues to refine Windows service security. What Is NSSM? A Quick Refresher The Non-Sucking Service Manager ( nssm.exe ) is a legitimate, open-source utility designed to run any executable as a Windows service. Unlike sc.exe or PowerShell’s New-Service , NSSM handles service failure recovery, environment variables, and graceful shutdowns. It is widely deployed by system administrators to convert batch scripts, Node.js apps, or Python daemons into persistent services. However, recent Windows 11 Insider builds present a
# Check for vulnerable service sc.exe sdshow VulnService # Look for (A;;CCLCSWLOCRRC;;;AU) - Authenticated Users can change config If found, the attacker runs: What Is NSSM