To perform some actions in Windows, it’s not enough to have administrator privileges. For example, you cannot replace or delete system files and some registry keys, stop system services or perform some other potentially unsafe actions that could affect the stability of your operating system. In these cases, a system administrator can take ownership of files or other objects, or perform actions on behalf of the system account. In this article you we’ll look on how to run an app or the command prompt as the privileged SYSTEM (LocalSystem) account on Windows 10.
services.msc) and note the services that have Local System in the LogOnAs column. These services are running under the SYSTEM account.
How to Run CMD under Local System Account in Windows (Versions Prior to Vista)?
In Windows XP and Windows Server 2003 (that are no longer supported), there was an interesting trick that allowed you to run a program or the interactive command prompt (cmd.exe) with the system privileges using the Task Scheduler. It was enough to open the command prompt under the admin account and run the following command:
at 10:23 /interactive cmd.exe
where, 10:23 is the current time + one minute (in the 24-hour format)
When the specified time comes, a command prompt will appear running under the local system account. If you have run this command in a terminal (RDP) session on Windows Server 2003/XP, note that the command prompt with the System privileges is displayed in the console session only (you can connect to the computer console via mstsc /console or mstsc /admin).
Windows 10 doesn’t support running the interactive command prompt using the at command. It is recommended to use schtasks.exe instead.
Warning: Due to security enhancements, this task will run at the time expected but not interactively.
Use schtasks.exe utility if interactive task is required ('schtasks /?' for details).
The request is not supported.
How to Run CMD/Process as SYSTEM on Windows 10 Using PSExec?
In Windows 7 or higher, the interactive command prompt cannot be run under the System account using Task Scheduler. To run commands as NT Authority\ System, you can use the PSExec.exe utility by Sysinternals.
PSExec doesn’t need to be installed. Open the elevated command prompt (“Run as administrator”), go to the folder where PSexec.exe is located and run the following command:
psexec -i -s cmd.exe
-i – allows to start the process/app in the interactive mode (a user can interact with the app on the desktop; if you don’t use this parameter, the process starts in a console session),
–s – means that the process (in this case, the command prompt) must be run as System account.
After running the command, a new command prompt window will appear run under the NT Authority\System account. Make sure it is true, by running this command:
whoami
In the command prompt window that appears, you can run any commands as SYSTEM. Now you can change, rename or delete system files/registry keys that are owned by TrustedInstaller or SYSTEM. All programs or processes you start in this window will run with elevated LocalSystem privileges. For example, you can stop a system service or close a file opened by the system process.
psexec -s \\mun-b21pc12 cmd.exe
If the “Couldn’t install PSEXESVC service” error appears, make sure that:
- The command prompt is run as administrator;
- Another PSEXESVC service instance is not running
There is also a number of third-party tools to run apps as System account (AdvancedRun , RunAsSystem, PowerRun), but I cannot see any point in using them. First of all, they are third-party and you cannot be sure there is no malicious code in them. Secondly, the official PsExec utility by Microsoft does a great job.
3 comments
you do know that psexec isnt from microsoft its from sysinternals right?! lmmfao
Microsoft acquired Sysinternals and its assets on July 18, 2006
Oh man, you failed so hard on that one.