How do you run CMD exe under the Local System Account

Question

I m currently running Vista and I would like to manually complete the same operations as my Windows Service  Since the Windows Service is running under the Local System Account  I would like to emulate this same behavior  Basically  I would like to run CMD EXE under the Local System Account   I found information online which suggests lauching the CMD exe using the DOS Task Scheduler AT command  but I received a Vista warning that  due to security enhancements  this task will run at the time excepted but not interactively    Here s a sample command   AT 12 00  interactive cmd exe   Another solution suggested creating a secondary Windows Service via the Service Control  sc exe  which merely launches CMD exe     C  sc create RunCMDAsLSA binpath   cmd  type own type interact C  sc start RunCMDAsLSA   In this case the service fails to start and results it the following error message   FAILED 1053  The service did not respond to the start or control request in a timely fashion    The third suggestion was to launch CMD exe via a Scheduled Task  Though you may run scheduled tasks under various accounts  I don t believe the Local System Account is one of them   I ve tried using the Runas as well  but think I m running into the same restriction as found when running a scheduled task   Thus far  each of my attempts have ended in failure  Any suggestions

User · Answer

Using Secure Desktop to run cmd exe as system  We can get kernel access through CMD in Windows XP Vista 7 8 1 easily by attaching a debugger    REG ADD  HKLM SOFTWARE Microsoft Windows NT CurrentVersion Image File Execution Options osk exe   v Debugger  t REG SZ  d  C  windows system32 cmd exe     Run CMD as Administrator Then use this command in Elevated    CMD REG ADD  HKLM SOFTWARE Microsoft Windows NT CurrentVersion Image File Execution Options osk exe   v Debugger  t REG SZ  d  C  windows system32 cmd exe   Then run osk  onscreenkeyboard   It still does not run with system Integrity level if you check through process explorer  but if you can use OSK in service session  it will run as NT Authority SYSTEM   so I had the idea you have to run it on Secure Desktop   Start any file as Administrator  When UAC prompts appear  just press Win U and start OSK and it will start CMD instead  Then in the elevated prompt  type whoami and you will get NT Authority System  After that  you can start Explorer from the system command shell and use the System profile  but you are somewhat limited what you can do on the network through SYSTEM privileges for security reasons  I will add more explanation later as I discovered it a year ago   A Brief Explanation of how this happens  Running Cmd exe Under Local System Account Without Using PsExec  This method runs Debugger Trap technique that was discovered earlier  well this technique has its own benefits it can be used to trap some crafty malicious worm or malware in the debugger and run some other exe instead to stop the spread or damage temporary  here this registry key traps onscreen keyboard in windows native debugger and runs cmd exe instead but cmd will still run with Logged on users privileges  however if we run cmd in session0 we can get system shell  so we add here another idea we span the cmd on secure desktop remember secure desktop runs in session 0 under system account and we get system shell  So whenever you run anything as elevated  you have to answer the UAC prompt and UAC prompts on dark  non interactive desktop and once you see it you have to press Win U and then select OSK you will get CMD exe running under Local system privileges  There are even more ways to get local system access with CMD

User · Answer

Using task scheduler  schedule a run of CMDKEY running under SYSTEM with the appropriate arguments of  add   user  and  pass   No need to install anything

User · Answer

I would recommend you work out the minimum permission set that your service really needs and use that  rather than the far too privileged Local System context  For example  Local Service   Interactive services no longer work - or at least  no longer show UI - on Windows Vista and Windows Server 2008 due to session 0 isolation

User · Answer

I would recommend you work out the minimum permission set that your service really needs and use that  rather than the far too privileged Local System context  For example  Local Service   Interactive services no longer work - or at least  no longer show UI - on Windows Vista and Windows Server 2008 due to session 0 isolation

User · Answer

I use the RunAsTi utility to run as TrustedInstaller  high privilege   The utility can be used even in recovery mode of Windows  the mode you enter by doing Shift Restart   the psexec utility doesn t work there  But you need to add your C  Windows and C  Windows System32  not X  Windows and X  Windows System32  paths to the PATH environment variable  otherwise RunAsTi won t work in recovery mode  it will just print  AdjustTokenPrivileges for SeImpersonateName  Not all privileges or groups referenced are assigned to the caller

User · Answer

if you can write a batch file that does not need to be interactive  try running that batch file as a service  to do what needs to be done

User · Answer

I would recommend you work out the minimum permission set that your service really needs and use that  rather than the far too privileged Local System context  For example  Local Service   Interactive services no longer work - or at least  no longer show UI - on Windows Vista and Windows Server 2008 due to session 0 isolation

User · Answer

if you can write a batch file that does not need to be interactive  try running that batch file as a service  to do what needs to be done

User · Answer

Though I haven t personally tested  I have good reason to believe that the above stated AT COMMAND solution will work for XP  2000 and Server 2003  Per my and Bryant s testing  we ve identified that the same approach does not work with Vista or Windows Server 2008 -- most probably due to added security and the  interactive switch being deprecated    However  I came across this article which demonstrates the use of PSTools from SysInternals  which was acquired by Microsoft in July  2006   I launched the command line via the following and suddenly I was running under the Local Admin Account like magic   psexec -i -s cmd exe   PSTools works well  It s a lightweight  well-documented set of tools which provides an appropriate solution to my problem   Many thanks to those who offered help

User · Answer

if you can write a batch file that does not need to be interactive  try running that batch file as a service  to do what needs to be done

User · Answer

Though I haven t personally tested  I have good reason to believe that the above stated AT COMMAND solution will work for XP  2000 and Server 2003  Per my and Bryant s testing  we ve identified that the same approach does not work with Vista or Windows Server 2008 -- most probably due to added security and the  interactive switch being deprecated    However  I came across this article which demonstrates the use of PSTools from SysInternals  which was acquired by Microsoft in July  2006   I launched the command line via the following and suddenly I was running under the Local Admin Account like magic   psexec -i -s cmd exe   PSTools works well  It s a lightweight  well-documented set of tools which provides an appropriate solution to my problem   Many thanks to those who offered help

User · Answer

There is another way  There is a program called PowerRun which allows for elevated cmd to be run  Even with TrustedInstaller rights  It allows for both console and GUI commands

User · Answer

Download psexec exe from Sysinternals  Place it in your C   drive  Logon as a standard or admin user and use the following command  cd    This places you in the root directory of your drive  where psexec is located  Use the following command  psexec -i -s cmd exe where -i is for interactive and -s is for system account  When the command completes  a cmd shell will be launched  Type whoami  it will say  system  Open taskmanager  Kill explorer exe  From an elevated command shell type start explorer exe  When explorer is launched notice the name  system  in start menu bar  Now you can delete some files in system32 directory which as admin you can t delete or as admin you would have to try hard to change permissions to delete those files    Users who try to rename or deleate System files in any protected directory of windows should know that all windows files are protected by DACLS while renaming a file you have to change the owner and replace TrustedInstaller which owns the file and make any user like a user who belongs to administrator group as owner of file then try to rename it after changing the permission  it will work and while you are running windows explorer with kernel privilages you are somewhat limited in terms of Network access for security reasons and it is still a research topic for me to get access back

User · Answer

Using Secure Desktop to run cmd exe as system  We can get kernel access through CMD in Windows XP Vista 7 8 1 easily by attaching a debugger    REG ADD  HKLM SOFTWARE Microsoft Windows NT CurrentVersion Image File Execution Options osk exe   v Debugger  t REG SZ  d  C  windows system32 cmd exe     Run CMD as Administrator Then use this command in Elevated    CMD REG ADD  HKLM SOFTWARE Microsoft Windows NT CurrentVersion Image File Execution Options osk exe   v Debugger  t REG SZ  d  C  windows system32 cmd exe   Then run osk  onscreenkeyboard   It still does not run with system Integrity level if you check through process explorer  but if you can use OSK in service session  it will run as NT Authority SYSTEM   so I had the idea you have to run it on Secure Desktop   Start any file as Administrator  When UAC prompts appear  just press Win U and start OSK and it will start CMD instead  Then in the elevated prompt  type whoami and you will get NT Authority System  After that  you can start Explorer from the system command shell and use the System profile  but you are somewhat limited what you can do on the network through SYSTEM privileges for security reasons  I will add more explanation later as I discovered it a year ago   A Brief Explanation of how this happens  Running Cmd exe Under Local System Account Without Using PsExec  This method runs Debugger Trap technique that was discovered earlier  well this technique has its own benefits it can be used to trap some crafty malicious worm or malware in the debugger and run some other exe instead to stop the spread or damage temporary  here this registry key traps onscreen keyboard in windows native debugger and runs cmd exe instead but cmd will still run with Logged on users privileges  however if we run cmd in session0 we can get system shell  so we add here another idea we span the cmd on secure desktop remember secure desktop runs in session 0 under system account and we get system shell  So whenever you run anything as elevated  you have to answer the UAC prompt and UAC prompts on dark  non interactive desktop and once you see it you have to press Win U and then select OSK you will get CMD exe running under Local system privileges  There are even more ways to get local system access with CMD

User · Answer

Found an answer here which seems to solve the problem by adding  k start to the binPath parameter  So that would give you   sc create testsvc binpath   cmd  K start  type  own type  interact  However  Ben said that didn t work for him and when I tried it on Windows Server 2008 it did create the cmd exe process under local system  but it wasn t interactive  I couldn t see the window     I don t think there is an easy way to do what you ask  but I m wondering why you re doing it at all  Are you just trying to see what is happening when you run your service  Seems like you could just use logging to determine what is happening instead of having to run the exe as local system

User · Answer

an alternative to this is Process hacker if you go into run as     Interactive doesnt work for people with the security enhancments but that wont matter  and when box opens put Service into the box type and put SYSTEM into user box and put C  Users Windows system32 cmd exe leave the rest click ok and boch you have got a window with cmd on it and run as system now do the other steps for yourself because im suggesting you know them

User · Answer

I use the RunAsTi utility to run as TrustedInstaller  high privilege   The utility can be used even in recovery mode of Windows  the mode you enter by doing Shift Restart   the psexec utility doesn t work there  But you need to add your C  Windows and C  Windows System32  not X  Windows and X  Windows System32  paths to the PATH environment variable  otherwise RunAsTi won t work in recovery mode  it will just print  AdjustTokenPrivileges for SeImpersonateName  Not all privileges or groups referenced are assigned to the caller

User · Answer

if you can write a batch file that does not need to be interactive  try running that batch file as a service  to do what needs to be done

User · Answer

Though I haven t personally tested  I have good reason to believe that the above stated AT COMMAND solution will work for XP  2000 and Server 2003  Per my and Bryant s testing  we ve identified that the same approach does not work with Vista or Windows Server 2008 -- most probably due to added security and the  interactive switch being deprecated    However  I came across this article which demonstrates the use of PSTools from SysInternals  which was acquired by Microsoft in July  2006   I launched the command line via the following and suddenly I was running under the Local Admin Account like magic   psexec -i -s cmd exe   PSTools works well  It s a lightweight  well-documented set of tools which provides an appropriate solution to my problem   Many thanks to those who offered help

User · Answer

There is another way  There is a program called PowerRun which allows for elevated cmd to be run  Even with TrustedInstaller rights  It allows for both console and GUI commands

User · Answer

Download psexec exe from Sysinternals  Place it in your C   drive  Logon as a standard or admin user and use the following command  cd    This places you in the root directory of your drive  where psexec is located  Use the following command  psexec -i -s cmd exe where -i is for interactive and -s is for system account  When the command completes  a cmd shell will be launched  Type whoami  it will say  system  Open taskmanager  Kill explorer exe  From an elevated command shell type start explorer exe  When explorer is launched notice the name  system  in start menu bar  Now you can delete some files in system32 directory which as admin you can t delete or as admin you would have to try hard to change permissions to delete those files    Users who try to rename or deleate System files in any protected directory of windows should know that all windows files are protected by DACLS while renaming a file you have to change the owner and replace TrustedInstaller which owns the file and make any user like a user who belongs to administrator group as owner of file then try to rename it after changing the permission  it will work and while you are running windows explorer with kernel privilages you are somewhat limited in terms of Network access for security reasons and it is still a research topic for me to get access back

User · Answer

Though I haven t personally tested  I have good reason to believe that the above stated AT COMMAND solution will work for XP  2000 and Server 2003  Per my and Bryant s testing  we ve identified that the same approach does not work with Vista or Windows Server 2008 -- most probably due to added security and the  interactive switch being deprecated    However  I came across this article which demonstrates the use of PSTools from SysInternals  which was acquired by Microsoft in July  2006   I launched the command line via the following and suddenly I was running under the Local Admin Account like magic   psexec -i -s cmd exe   PSTools works well  It s a lightweight  well-documented set of tools which provides an appropriate solution to my problem   Many thanks to those who offered help

User · Answer

I would recommend you work out the minimum permission set that your service really needs and use that  rather than the far too privileged Local System context  For example  Local Service   Interactive services no longer work - or at least  no longer show UI - on Windows Vista and Windows Server 2008 due to session 0 isolation

User · Answer

Comment  I can t comment yet  so posting here    I just tried the above OSK EXE debug trick but regedit instantly closes when I save the filled  quot C  windows system32 cmd exe quot  into the already created Debugger key so Microsoft is actively working to block native ways to do this  It is really weird because other things do not trigger this  Using task scheduler does create a SYSTEM CMD but it is in the system environment and not displayed within a human user profile so this is also now defunct  though it is logical   Currently on Microsoft Windows  Version 10 0 20201 1000  So  at this point it has to be third party software that mediates this and further tricks are being more actively sealed by Microsoft these days

User · Answer

Found an answer here which seems to solve the problem by adding  k start to the binPath parameter  So that would give you   sc create testsvc binpath   cmd  K start  type  own type  interact  However  Ben said that didn t work for him and when I tried it on Windows Server 2008 it did create the cmd exe process under local system  but it wasn t interactive  I couldn t see the window     I don t think there is an easy way to do what you ask  but I m wondering why you re doing it at all  Are you just trying to see what is happening when you run your service  Seems like you could just use logging to determine what is happening instead of having to run the exe as local system

User · Answer

Found an answer here which seems to solve the problem by adding  k start to the binPath parameter  So that would give you   sc create testsvc binpath   cmd  K start  type  own type  interact  However  Ben said that didn t work for him and when I tried it on Windows Server 2008 it did create the cmd exe process under local system  but it wasn t interactive  I couldn t see the window     I don t think there is an easy way to do what you ask  but I m wondering why you re doing it at all  Are you just trying to see what is happening when you run your service  Seems like you could just use logging to determine what is happening instead of having to run the exe as local system

User · Answer

an alternative to this is Process hacker if you go into run as     Interactive doesnt work for people with the security enhancments but that wont matter  and when box opens put Service into the box type and put SYSTEM into user box and put C  Users Windows system32 cmd exe leave the rest click ok and boch you have got a window with cmd on it and run as system now do the other steps for yourself because im suggesting you know them

User · Answer

Using task scheduler  schedule a run of CMDKEY running under SYSTEM with the appropriate arguments of  add   user  and  pass   No need to install anything

User · Answer

Found an answer here which seems to solve the problem by adding  k start to the binPath parameter  So that would give you   sc create testsvc binpath   cmd  K start  type  own type  interact  However  Ben said that didn t work for him and when I tried it on Windows Server 2008 it did create the cmd exe process under local system  but it wasn t interactive  I couldn t see the window     I don t think there is an easy way to do what you ask  but I m wondering why you re doing it at all  Are you just trying to see what is happening when you run your service  Seems like you could just use logging to determine what is happening instead of having to run the exe as local system

User · Answer

Comment  I can t comment yet  so posting here    I just tried the above OSK EXE debug trick but regedit instantly closes when I save the filled  quot C  windows system32 cmd exe quot  into the already created Debugger key so Microsoft is actively working to block native ways to do this  It is really weird because other things do not trigger this  Using task scheduler does create a SYSTEM CMD but it is in the system environment and not displayed within a human user profile so this is also now defunct  though it is logical   Currently on Microsoft Windows  Version 10 0 20201 1000  So  at this point it has to be third party software that mediates this and further tricks are being more actively sealed by Microsoft these days

[windows-services] How do you run CMD.exe under the Local System Account?

Using Secure Desktop to run `cmd.exe` as `system`

A Brief Explanation of how this happens

Examples related to windows-services

Examples related to user-accounts

[windows-services] How do you run CMD.exe under the Local System Account?

Using Secure Desktop to run cmd.exe as system

A Brief Explanation of how this happens

Examples related to windows-services

Examples related to user-accounts

Using Secure Desktop to run `cmd.exe` as `system`