2

We have Process Hacker and other utilities that allow us to launch processes in interactive mode with system security principals as their user for elevated permissions. But is there a way to log in as TrustedInstaller or another system security principal such as NT AUTHORITY/SYSTEM in a Windows 10 environment, with a full interactive GUI session? Mainly for the sake of doing dumb things in a VM.

1

3 Answers

1

Short answer is no, you cannot log in interactively with that account, as it's managed by the OS and there is no traditional password associated with it.

A good reference which has in-depth detail about the system account, among other things, is the 'Windows Internals' book by Mark Russinovich.

8
  • 'Windows Internals' book by Mark Russinovich... ten thumbs up for referencing that book and that guy. That guy is a little 'g' god. There are ways to trick the system to run things under other accounts, as demonstrated by Mr. Russinovich's PsExec -s (as mentioned above) by @user1292580. There are other tricks too, but without writing your own CreateProcess() and ImpersonateLoggedOnUser() calls, you aren't going to access them. I would love to be wrong here. :)
    Commented Jun 14, 2021 at 5:02
  • Yes, you can 'trick' the system, but I'm curious as to why the OP would want to log in interactively as SYSTEM in the first place.
    – NetServOps
    Commented Jun 14, 2021 at 5:15
  • There is at least one whole registry tree that one can't look at as admin. They are the security options etc. One could take ownership and give oneself permission, but it is best not to mess with those keys. As for Trusted Installer, it doesn't matter who owns the files as long as you don't remove TI permissions.
    Commented Jun 14, 2021 at 6:40
  • @user1292580 What is the end goal? If you share that, then perhaps we can give you a more thorough answer which may not even require such a bespoke solution.
    – NetServOps
    Commented Jun 14, 2021 at 6:44
  • I don't have an end goal, but some people try to use Reg Files to edit security options (which are most definitely not documented). I was answering your question on why one might want to log on as System.
    Commented Jun 14, 2021 at 6:47
0

Not sure if this counts, but if you're logged in as a regular user, download Power Run, go to Explorer.exe in the Windows folder, right click, open with Power Run. The system will log in to the system profile and the background will go black, but you're now running with system privileges. I would definitely try this in a VM first because some programs will act weird, because this is not your standard account; it's running out of the systemprofile folder in the system32 directory. I am not sure how to switch the screen back to normal in this mode; maybe someone else can fill me in on that.

-2

Trusted Installer is as powerful as SYSTEM (NOT builtin admin). You can set the AutoLogonSID reg_sz to S-1-5-18 or S-1-5-32 (there are many more in my experiments), and you will be prompted for the password, which I believe is the lsasecret of DPAPI_SYSTEM. You have to build the profile through SAM reg, profilelist, and usermanager, as well as physically put a folder with ntuser.dat. Clone a profile in profilelist. Authentication reg is meaningless. My default is to make the default user on my Windows ISOs S-1-5-18, which is what is in use during audit mode or safemode, but as you notice, it isn't as good as TI. TI's SID is S-1-5-80 and you cannot just put the SID in profilelist reg_sz SID; it does not work. Try it on your S-1-5-21 profile and change the SID hexadecimal binary to the top profile in the list, administrator, S-1-5-18, which is 01 01 00 00 00 00 00 05 12 00 00 00 in binary, but weirdly, is referenced as 01 02 00 00 00 00 00 05 12 00 00 00

1
  • 1
    As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Mar 9, 2022 at 6:02
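
The binary SID layout behind the byte strings quoted in the answer above, as an added example that is not part of the original post: a strict Python decoder (revision byte, sub-authority count, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities). The function names and the BUILTIN\Administrators sample are constructed for illustration.

```python
import struct

# Byte strings quoted in the answer above (binary SID form).
SID_SYSTEM_HEX = "01 01 00 00 00 00 00 05 12 00 00 00"
SID_VARIANT_HEX = "01 02 00 00 00 00 00 05 12 00 00 00"
# Constructed sample (not from the page): BUILTIN\Administrators, S-1-5-32-544.
SID_ADMINS_HEX = "01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00"

MAX_SUB_AUTHORITIES = 15  # limit defined by the Windows SID format


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into S-<rev>-<authority>-<sub>... form.

    Raises ValueError when the declared sub-authority count does not
    match the number of bytes actually present.
    """
    if len(raw) < 8:
        raise ValueError("SID header needs at least 8 bytes")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"{count} sub-authorities exceeds the format limit")
    expected = 8 + 4 * count
    if len(raw) != expected:
        raise ValueError(
            f"count byte declares {count} sub-authorities "
            f"({expected} bytes), got {len(raw)} bytes"
        )
    authority = int.from_bytes(raw[2:8], "big")       # 6 bytes, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])        # 32-bit little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def parse_sid_hex(text: str) -> str:
    """Convenience wrapper for space-separated hex as shown in regedit."""
    return parse_sid(bytes.fromhex(text))


if __name__ == "__main__":
    for label, value in [("SYSTEM", SID_SYSTEM_HEX),
                         ("variant", SID_VARIANT_HEX),
                         ("Administrators", SID_ADMINS_HEX)]:
        try:
            print(label, "->", parse_sid_hex(value))
        except ValueError as exc:
            print(label, "-> rejected:", exc)
```

The first string decodes to S-1-5-18; the 12-byte string beginning `01 02` declares two sub-authorities but carries only one, so the strict decoder rejects it as truncated.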
