CVE-2020-36935 Overview
CVE-2020-36935 is an unquoted service path vulnerability affecting KMSpico 17.1.0.0, a widely distributed Windows activation tool. The vulnerability exists in the Service KMSELDI configuration where the binary path C:\Program Files\KMSpico\Service_KMS.exe is not properly quoted. This configuration flaw allows local attackers with limited privileges to potentially execute arbitrary code and escalate privileges on affected systems.
Critical Impact
Local attackers can exploit this unquoted service path to inject malicious executables into the file system, achieving privilege escalation and arbitrary code execution when the vulnerable service starts.
Affected Products
- KMSpico 17.1.0.0
- Service KMSELDI (Windows Service Component)
- Systems with KMSpico installed in default directory paths containing spaces
Discovery Timeline
- 2026-01-25 - CVE CVE-2020-36935 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2020-36935
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element). When a Windows service is configured with a binary path that contains spaces and is not enclosed in quotation marks, Windows interprets the path ambiguously during service startup. The operating system attempts to locate and execute binaries by progressively parsing the path at each space character.
For the path C:\Program Files\KMSpico\Service_KMS.exe, Windows will first attempt to execute C:\Program.exe, then C:\Program Files\KMSpico\Service_KMS.exe. If an attacker can place a malicious executable named Program.exe in the C:\ root directory, that malicious binary will execute instead of the intended service executable.
Since Windows services typically run with elevated SYSTEM privileges, successful exploitation grants the attacker high-level access to the compromised system, enabling complete system compromise including access to sensitive data, lateral movement, and persistence mechanisms.
Root Cause
The root cause stems from improper service configuration during KMSpico installation. The service path was registered in the Windows Service Control Manager without proper quotation marks around the executable path. This is a common oversight in software installers that do not validate or sanitize registry entries for service paths containing spaces.
Attack Vector
The attack requires local access to the target system with write permissions to directories that appear in the truncated path search sequence. An attacker must:
- Identify the unquoted service path in the Windows Service configuration
- Determine which intermediary paths can be written to (e.g., C:\Program.exe)
- Place a malicious executable at the exploitable location
- Wait for the service to restart or trigger a service restart
The vulnerability manifests when Windows parses the unquoted service path during service initialization. When the Service KMSELDI starts, Windows attempts to locate the executable by parsing the path C:\Program Files\KMSpico\Service_KMS.exe at space boundaries. For detailed exploitation techniques, refer to the Exploit-DB #49003 entry and the VulnCheck Advisory.
Detection Methods for CVE-2020-36935
Indicators of Compromise
- Presence of unexpected executables in C:\ root directory such as Program.exe
- Unusual service startup failures or behavior changes in KMSELDI service
- Windows Event Log entries showing execution of binaries from unexpected locations
- Registry modifications to service ImagePath values
Detection Strategies
- Audit Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Monitor file creation events in root directories and common exploitation paths (C:\Program.exe, C:\Program Files\KMSpico\Service.exe)
- Implement application whitelisting to prevent unauthorized executables from running
- Use endpoint detection solutions to flag privilege escalation attempts
Monitoring Recommendations
- Enable Windows Security Event Logging for service configuration changes (Event ID 7045)
- Monitor for process creation events from service accounts executing unexpected binaries
- Set up alerts for file system changes in system-critical directories
- Review installed services periodically for unquoted path vulnerabilities
How to Mitigate CVE-2020-36935
Immediate Actions Required
- Audit all systems for KMSpico installations and remove the software if present
- Correct the service path by adding quotation marks around the ImagePath registry value
- Restrict write permissions on root directories and common exploit paths
- Consider removing unauthorized activation tools in favor of legitimate licensing
Patch Information
No official patch is available from the vendor for this vulnerability. KMSpico is an unofficial third-party tool, and users should consider removing the software entirely. The service path can be manually corrected by modifying the Windows Registry to enclose the ImagePath in quotation marks.
For additional technical details, consult the VulnCheck Advisory on KMSPico.
Workarounds
- Manually fix the unquoted service path in the Windows Registry by navigating to HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI and adding quotes around the ImagePath value
- Remove KMSpico and use legitimate Windows activation methods
- Implement strict file system permissions preventing write access to C:\ root directory
- Deploy endpoint protection solutions that detect and block privilege escalation techniques
# Configuration example - Fix unquoted service path via Registry
# Run as Administrator in Command Prompt
# Verify current service path
reg query "HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI" /v ImagePath
# Correct the path by adding quotation marks
reg add "HKLM\SYSTEM\CurrentControlSet\Services\KMSELDI" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\KMSpico\Service_KMS.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
