Possible vulnerability "Unquoted Service Path Enumeration"

[mb31]

The vulnerability is about unquoted services, that;s not the issue.
But the uninstall string is not quoted and a small security risk.
Better practise is also quoting the uninstall path if necessary.

PS C:\script> .\Windows_Path_Enumerate.ps1 -FixUninstall -FixServices:$False -WhatIf
*********************************************************************
2021-12-29 20:26:05Z : INFO : ComputerName: ********
2021-12-29 20:26:05Z : INFO : Executed x64 Powershell on x64 OS
2021-12-29 20:26:05Z : Old Value : Software : 'Totalcmd64' - C:\Program Files\Totalcmd\tcunin64.exe
2021-12-29 20:26:05Z : Expected : Software : 'Totalcmd64' - "C:\Program Files\Totalcmd\tcunin64.exe"

Script source: https://github.com/VectorBCO/windows-path-enumerate

[ghisler(Author)]

Do you mean the UninstallString value in
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Totalcmd64
?
The only problem I see is when someone plants a file named c:\program, but you need administrator rights to put a file in c:\, so it's not a big problem - if the attacker already has admin rights, he can do what he wants. Or do I miss something?

[mb31]

Yes, it's a very minor one.
You need administrator rights.

Could be an issue when an other user triggers the uninstall and that user has more privileges e.g. in a domain.

[ghisler(Author)]

Another user with admin rights could simply remove the uninstaller or even the Total Commander executable with malware.
There is a hypothetical problem when the user has write rights to the drive root, but not to "Program Files", but that's quite improbable. I will change the installer, though, because it's very easy to change.

[ghisler(Author)]

This has been changed in TC 10.5 beta.