> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/windows-privilege-escalation/executable-files.md).

# Executable Files

## Overview

Sometimes there will be services that have executables attached to them. If we have the permissions to manipulate it **(FILE\_ALL\_ACCESS)** then we can replace it with a malicious executable and get it to do what we want as **system**.

## Escalation via Service Executables

Run PowerUp and check for **ModifileableFileIdentityReference** within **Service executables.**

<figure><img src="/files/ARCO1WFcIGdfrSHgHwBu" alt=""><figcaption></figcaption></figure>

Manually check the permissions on the service using accesschk64

```
accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
```

Compile, upload the malicious exe, replacing the old executable and start the service

```
svc start filepermsvc
```
