6

How do I run a program as nt authority/system without using 3rd party app (such as psexec)?

I have tried runas "/user:system@nt authority" <app> and runas "/user:nt authority\system" <app>, but both say "unable to acquire user password".

(At least, if there is no way using runas, is there a way without using 3rd-party apps?)

YJiqdAdwTifMxGR

2 Answers

7

One way is a temporary scheduled task that runs as NT AUTHORITY\SYSTEM. You can do this by pasting the below into PowerShell.

Explanation: The script prompts you for a command and its arguments. If there are no arguments, press Enter to leave them empty. The script then creates a temporary scheduled task named RunAs_LocalSystem_$(New-Guid), which is set to run as NT AUTHORITY\SYSTEM. Finally, the script runs the scheduled task, then deletes it.

param( `
  [Parameter(Mandatory)][string]$Command, `
  [Parameter(Mandatory)][AllowEmptyString()][string]$Arguments `
) `
Import-Module ScheduledTasks; `
$name = "RunAs_LocalSystem_$(New-Guid)"; `
$actionArguments = @{ 'Execute' = $Command; }; `
if (-not [string]::IsNullOrEmpty($Arguments)) { $actionArguments['Argument'] = $Arguments }; `
$action = New-ScheduledTaskAction @actionArguments; `
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType Interactive; `
Register-ScheduledTask -TaskName $name -Action $action -Principal $principal | Start-ScheduledTask; `
Unregister-ScheduledTask $name -Confirm:$false
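An added example (not the answer's own code) that follows the same temporary-task approach but waits for the task to finish, returns the action's exit code, and removes the task even if something fails. It assumes an elevated session, uses the ServiceAccount logon type Task Scheduler applies to built-in accounts such as SYSTEM, and the function name Invoke-AsLocalSystem is just a label chosen here.

```powershell
# Added example, not the original answer's code: run a command as SYSTEM through
# a temporary scheduled task, wait for it to finish, return its exit code and
# always remove the task. Assumes an elevated (Administrator) PowerShell session.
function Invoke-AsLocalSystem {
    param(
        [Parameter(Mandatory)][string]$Command,
        [string]$Arguments = '',
        [int]$TimeoutSeconds = 300
    )
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Registering a task as SYSTEM needs an elevated session.' }
    $name = "RunAs_LocalSystem_$(New-Guid)"
    $actionArgs = @{ Execute = $Command }
    if ($Arguments) { $actionArgs['Argument'] = $Arguments }
    $action = New-ScheduledTaskAction @actionArgs
    # ServiceAccount is the logon type Task Scheduler uses for built-in accounts
    # such as SYSTEM; the account has no password, so nothing is stored.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    # Let Task Scheduler stop the action if it runs past the timeout.
    $settings = New-ScheduledTaskSettingsSet `
        -ExecutionTimeLimit (New-TimeSpan -Seconds $TimeoutSeconds) -AllowStartIfOnBatteries
    try {
        Register-ScheduledTask -TaskName $name -Action $action `
            -Principal $principal -Settings $settings | Out-Null
        $started = (Get-Date).AddSeconds(-2)   # small margin for clock granularity
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds + 5)
        Start-ScheduledTask -TaskName $name
        do {
            Start-Sleep -Milliseconds 500
            $state = (Get-ScheduledTask -TaskName $name).State
            $info = Get-ScheduledTaskInfo -TaskName $name
            # Done once the task has run since we started it and is no longer Running.
            $done = ($state -ne 'Running') -and ($info.LastRunTime -ge $started)
        } until ($done -or (Get-Date) -gt $deadline)
        if (-not $done) { throw "Task $name did not finish within $TimeoutSeconds seconds." }
        # LastTaskResult is the action's exit code (0 = success).
        [pscustomobject]@{ Task = $name; ExitCode = $info.LastTaskResult; RanAt = $info.LastRunTime }
    }
    finally {
        # Remove the task whether or not the run succeeded.
        Unregister-ScheduledTask -TaskName $name -Confirm:$false -ErrorAction SilentlyContinue
    }
}
# Example call: record which account the command actually ran under.
# Invoke-AsLocalSystem -Command 'cmd.exe' -Arguments '/c whoami > C:\Windows\Temp\whoami.txt'
```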

1

You can't use runas, probably because of the following:

"The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password."

Reference.

PSExec basically uploads and starts a Windows service, PSEXECSVC, through SMB. It's possible for a Windows service installed with admin privileges (provided by the PSExec command line) to run as the LocalSystem account (that's specifiable in services.msc, for example). When you are "remoted in" to a system via PSExec, you are actually talking to the running PSEXECSVC temporarily installed on the other end over the SMB protocol. I'm not sure of the finer details, but this is likely how PSExec is able to do things as the LocalSystem account.

Reference.

So you might be able to run it as LocalSystem by wrapping the executable in a service wrapper such as srvany.exe from the Windows 2000 Resource Kit (if it still works) or NSSM, but if the executable tries to use Windows UI elements it will probably not work (that was disabled after Windows XP).

Also read this.

LawrenceC