Unquoted Service Paths

When a service path that contains spaces is created without surrounding quotes then an attacker can hijack normal execution and/or prevent the service from starting.

For example if the service path is:
C:\Program Files (x86)\Legitimate program.exe

Windows will first search for anything at C:\Program then C:\Program Files followed by C:\Program Files (x86)\Legitimate and finally the full C:\Program Files (x86)\Legitimate program.exe path. If it finds an executable with an appropriate path/name at any point in that search it will be launched instead of the intended "Legitimate program.exe". So in this case, the attacker has three opportunities to hijack the service by dropping their malicious executable at:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Legitimate.exe


The following search is from Daniel Compton's post on unquoted service paths. I recommend checking out his post if you haven't looked at unquoted service paths before, it's a bit more detailed.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Running it from the command line will return a list of all services that may be vulnerable and are set to auto start.

Unquoted service path vulnerabilities are considered lower risk since "Program.exe" will get flagged by Windows and any decent anti-virus program but if an attacker can find unquoted sub directories they can write to (legitimate.exe from above) then it can be valuable for persistence or escalation.