We have Process Hacker and other utilities that allows us to launch processes in interactive mode with system security principals as their user for elevated permissions. But, is there a way to log in as TrustedInstaller or other system security principal such as NT AUTHORITY/SYSTEM in a Windows 10 environment, with a full interactive GUI session? Mainly for the sake of doing dumb things in a VM.
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec and note the `/s` switch. – user1292580 Jun 14 '21 at 03:19
3 Answers
Short answer is no, you cannot login interactively with that account as it's managed by the OS and there is no traditional password associated with it.
A good reference which has in depth detail about the system account among other things is the 'Windows Internals' book by Mark Russinovich.
`'Windows Internals' book by Mark Russinovich.` .. ten thumbs up for referencing that book and that guy.. that guy is a little 'g' god. There are ways to [trick the system](https://stackoverflow.com/questions/4237225/allow-windows-service-to-interact-with-desktop#4237283) to run things under other accounts as demonstrated by Mr. Russinovich's PsExec -s (as mentioned above) by @user1292580. There are other tricks too but without writing your own CreateProcess() and ImpersonateLoggedOnUser() call, you aren't going to access them. I would love to be wrong here. :) – Señor CMasMas Jun 14 '21 at 05:02
Yes you can 'trick' the system but I'm curious as to why the OP would want to login interactively as SYSTEM in the first place. – NetServOps Jun 14 '21 at 05:15
There is at least one whole registry tree that one can't look at as admin. They are the security options etc. One could take ownership and give oneself permission but it is best to not mess with those keys. As for Trusted Installer it doesn't matter who owns the files as long as you don't remove TI permissions. – user1292580 Jun 14 '21 at 06:40
@user1292580 What is the end goal? If you share that, then perhaps we can give you a more thorough answer which may not even require such a bespoke solution. – NetServOps Jun 14 '21 at 06:44
I don't have an end goal but some people try to use Reg Files to edit security options (which are most definitely not documented). I was answering your question on why one might want to logon as System. – user1292580 Jun 14 '21 at 06:47
The question was more of a thought experiment than anything, like a "what if I did this and broke things". Despite the fact that we can change security settings for individual folders and files to take ownership and access them without actual system principal permissions, it seems a bit tedious to do that for everything, and it doesn't really apply properly to some scenarios, like protected processes. So I just wanted to see what would happen if everything that I did had NT AUTHORITY/SYSTEM permissions. Seems like that's a nope from what I'm seeing. – kouwei32 Jun 15 '21 at 07:30
This is kind of the reason why I wanted a full interactive login over just launching processes with NT AUTHORITY permissions. And, to see if the OS would just vomit if I used a special security principal like "This User" as the logged user... – kouwei32 Jun 15 '21 at 07:32
@NetServOps ... TOTALLY.. I like your comments.. *sometimes*.. we need to do crap just to see how everything works.. but you nailed it as far as what the poster is asking about. :) I remember this time back in blah blah blah when I was learning process injection.. blah blah blah.. snore.. – Señor CMasMas Jun 15 '21 at 13:56
Not sure if this counts but if you're logged in as a regular user, download Power Run (https://www.sordum.org/9416/powerrun-v1-6-run-with-highest-privileges/), go to Explorer.exe in the windows folder, right click, open with Power Run, the system will login to the system profile and the background will go black but you're now running with system privileges. I would definitely try this in a vm first because some programs will act weird because this is not your standard account, it's running out of the systemprofile folder in the system32 directory.
trusted installer is as powerful as SYSTEM (NOT builtin admin), you can set the AutoLogonSID reg_sz to S-1-5-18 or S-1-5-32 (there are many more in my experiments), and you will be prompted for the password, which i believe is the lsasecret of DPAPI_SYSTEM. you have to build the profile through SAM reg, profilelist, and usermanager as well as physically put a folder with ntuser.dat. clone a profile in profilelist. authentication reg is meaningless. my default is to make the default user on my windows ISOs s-1-5-18, which is what is in use during audit mode or safemode, but as you notice, isn't as good as TI. ti's sid is s-1-5-80 and you cannot just put the sid in profilelist reg_sz SID it does not work. try it on your S-1-5-21 profile and change the SID hexadecimal binary to the top profile in the list, administrator, S-1-5-18, which is 01 01 00 00 00 00 00 05 12 00 00 00 in binary, but weirdly, is referenced as 01 02 00 00 00 00 00 05 12 00 00 00
As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 09 '22 at 06:02
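An audit of the two registry areas the third answer describes editing (the ProfileList SID entries and the Winlogon autologon values), added here as an example and not part of that answer. It decodes each profile's binary Sid value (the answer's `01 01 00 00 00 00 00 05 12 00 00 00` is S-1-5-18) and flags entries that are not ordinary S-1-5-21 user SIDs; the idea that such entries are the thing to look for is an assumption, and the script needs an elevated prompt.

```powershell
# Added example: audit ProfileList and Winlogon autologon for non-user SIDs.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ProfileListAudit {
    Get-ChildItem $profileList | ForEach-Object {
        $props   = Get-ItemProperty $_.PSPath
        $keyName = $_.PSChildName                 # subkey is named after the SID
        $binSid  = $null
        if ($props.Sid) {                         # REG_BINARY: SID in binary form
            try {
                $binSid = (New-Object System.Security.Principal.SecurityIdentifier($props.Sid, 0)).Value
            } catch { $binSid = '<unparseable>' }
        }
        [pscustomobject]@{
            Key         = $keyName
            BinarySid   = $binSid
            # Key name and binary Sid disagreeing is the edit the answer describes.
            Mismatch    = ($null -ne $binSid -and $binSid -ne $keyName)
            # S-1-5-18/19/20 (SYSTEM, LocalService, NetworkService) are normal here;
            # anything else outside S-1-5-21-* is worth explaining.
            NotUserSid  = $keyName -notlike 'S-1-5-21-*'
            ProfilePath = $props.ProfileImagePath
        }
    }
}

function Get-AutoLogonAudit {
    $w = Get-ItemProperty $winlogon
    [pscustomobject]@{
        AutoAdminLogon  = $w.AutoAdminLogon
        DefaultUserName = $w.DefaultUserName
        AutoLogonSID    = $w.AutoLogonSID
        # AutoLogonSID pointing at a well-known SID rather than a user is the
        # configuration the answer proposes (assumption: treat it as suspicious).
        Suspicious      = [bool]($w.AutoLogonSID -and $w.AutoLogonSID -notlike 'S-1-5-21-*')
    }
}

Get-ProfileListAudit | Format-Table -AutoSize
Get-AutoLogonAudit   | Format-List
```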