[Question] - Using the local System Account

[ChunkDog]

Well, I tried to search the forum about this, but came up dry.

I would like to be able to run programs on an nt system using the local "System" account. I have tried out psexec from sysinternals, but it does not seem to work for my needs. I mainly would like to run Windows Explorer using the system account, and a few other thiongs as well. Any help or ideas would be great. Thanks in advance.

Title Edited - Please follow new posting rules from now on.

--Zxian

[cluberti]

It can be done, but why would you want to?

[_tru_]

I think i know what your talking about, when you turn the logon screen saver into a command prompt, and log out and wait for the screen saver you will then get a dos, then open the task manager, (taskmgr.exe) then open the explorer.exe from the taskmanager

[purg99]

Intresting question that is normally asked around exploiting

If im wrong and you get no luck I know of an exploit that uses a built in account for one off programs but isnt usable.

A better way uses the flawed AT command. It runs as a service so anything run from it runs as "NT_AUTHORITY/System" unless you us /u

at 00:25 /interactive c:\windows\system32\cmd.exe

--------------------------

read above for the first howto

must have been typing, anyway both end up using "NT_AUTHORITY/System"

--------------------------

Edited December 24, 2005 by purg99

[ChunkDog]

Thank you far all the replies, good stuff.

I have finally found a correct way to do it. PSEXEC is needed, and some knowledge about windows. Basically the problem I was having before when using PSEXEC was that when you load windows explorer, it inherits permissions from the original copy loaded when logging into the system. For example, If I log into the system as "user", the first copy of explorer is loaded with "user" account's privileges, so when running explorer again to view Windows Explorer, it has to inherit the permissions from the originally loaded explorer.exe, wich in this scenario is "user".

The workaround is to logon normaly, then end the task "explorer.exe", then load a command prompt for the PSEXEC command. Now we cxan load explorer.exe with local system rights with the command:

psexec -s -i -d c:\windows\explorer.exe

This will reload explorer with system rights. Give it a try!

Edited January 4, 2006 by ChunkDog

[jftuga]

This is interesting. The only way I ever knew how to do this was similar to the at command. I used the same comcept -- creating a Scheduled Task that used the System Account.

-John

[ChunkDog]

I thought I'd bump this because I want more people to see it. Sorry if this against the rules