2

We have Process Hacker and other utilities that allow us to launch processes in interactive mode with system security principals as their user, for elevated permissions. But is there a way to log in as TrustedInstaller or another system security principal such as NT AUTHORITY\SYSTEM in a Windows 10 environment, with a full interactive GUI session? Mainly for the sake of doing dumb things in a VM.

ᄂ ᄀ
  • 4,187
kouwei32
  • 133

3 Answers

1

The short answer is no: you cannot log in interactively with that account, as it is managed by the OS and there is no traditional password associated with it.

A good reference with in-depth detail about the system account, among other things, is the 'Windows Internals' book by Mark Russinovich.

0

Not sure if this counts, but if you're logged in as a regular user, download Power Run, go to Explorer.exe in the Windows folder, right-click, and open it with Power Run. The system will log in to the system profile and the background will go black, but you're now running with system privileges. I would definitely try this in a VM first, because some programs will act weird: this is not your standard account, it's running out of the systemprofile folder in the system32 directory. I am not sure how to switch the screen back to normal in this mode; maybe someone else can fill me in on that.
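
To see what the Explorer-as-SYSTEM trick above actually hands you, here is an added PowerShell example (it is not part of the original answer and not Power Run's code) to run inside a PowerShell window started the same way. It reports the token's user SID, whether that SID is S-1-5-18, whether the well-known NT SERVICE\TrustedInstaller service SID is among the token groups (a plain SYSTEM token does not carry it), the profile path the answer mentions, the session ID, and a privilege check based on the CSV output of whoami /priv. Windows PowerShell 5.1 or later and whoami.exe on PATH are assumed.

```powershell
# Added example, not from the original answer: inspect the current token after
# launching a shell via a "run as SYSTEM" tool (Power Run, Process Hacker, ...).
# Assumptions: Windows PowerShell 5.1 or later; whoami.exe available on PATH.

$SystemSid           = 'S-1-5-18'   # NT AUTHORITY\SYSTEM
# Well-known service SID of NT SERVICE\TrustedInstaller
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = @($identity.Groups | ForEach-Object { $_.Value })

    # whoami /priv lists every privilege present in the token, enabled or disabled
    $privileges = @(whoami /priv /fo csv | ConvertFrom-Csv)

    [pscustomobject]@{
        User                = $identity.Name
        UserSid             = $identity.User.Value
        IsSystem            = ($identity.User.Value -eq $SystemSid)
        # A generic SYSTEM token lacks this group; a token taken from the
        # TrustedInstaller service carries it as an unrestricted service SID
        HasTrustedInstaller = ($groupSids -contains $TrustedInstallerSid)
        # SYSTEM processes normally run out of %SystemRoot%\system32\config\systemprofile
        ProfilePath         = $env:USERPROFILE
        # 0 = the non-interactive service session; 1 or higher = an interactive desktop
        SessionId           = (Get-Process -Id $PID).SessionId
        # SeTcbPrivilege ("Act as part of the operating system") is a SYSTEM tell
        HasTcbPrivilege     = ($privileges.'Privilege Name' -contains 'SeTcbPrivilege')
        PrivilegeCount      = $privileges.Count
    }
}

Get-TokenSummary | Format-List
```

Run it once from your normal account and once from the SYSTEM shell; the difference in UserSid, ProfilePath and HasTcbPrivilege is the actual change of principal, while SessionId shows that the process still lives on the interactive desktop rather than in session 0.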

-2

TrustedInstaller is as powerful as SYSTEM (NOT the built-in admin). You can set the AutoLogonSID REG_SZ to S-1-5-18 or S-1-5-32 (there are many more in my experiments), and you will be prompted for the password, which I believe is the DPAPI_SYSTEM LSA secret.

You have to build the profile through the SAM registry, ProfileList and UserManager, as well as physically put a folder with ntuser.dat in it. Clone a profile in ProfileList. The Authentication registry entry is meaningless. My default is to make the default user on my Windows ISOs S-1-5-18, which is what is in use during audit mode or safe mode, but as you notice, it isn't as good as TI.

TI's SID is S-1-5-80, and you cannot just put the SID in the ProfileList REG_SZ SID; it does not work. Try it on your S-1-5-21 profile and change the SID hexadecimal binary to the top profile in the list, Administrator, S-1-5-18, which is 01 01 00 00 00 00 00 05 12 00 00 00 in binary but, weirdly, is referenced as 01 02 00 00 00 00 00 05 12 00 00 00.
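
The SID plumbing in the answer above (S-1-5-18 as 01 01 00 00 00 00 00 05 12 00 00 00, the ProfileList keys) can be generated and checked instead of typed by hand. The following PowerShell is an added example, not the answer author's code: it round-trips SIDs between string form and the REG_BINARY layout using the .NET SecurityIdentifier class, prints the byte form of the SIDs the answer discusses (the TrustedInstaller entry is the full well-known service SID, S-1-5-80 with its five sub-authorities), and reads HKLM ProfileList, comparing each key name with the binary Sid value stored under it. Reading ProfileList only needs an ordinary user; nothing is written.

```powershell
# Added example, not from the original answer: convert SIDs between string and
# binary form and inspect the ProfileList keys that the answer edits by hand.
# Binary layout: byte 0 = revision (1), byte 1 = sub-authority count,
# bytes 2-7 = identifier authority (big-endian), then one 4-byte little-endian
# DWORD per sub-authority. S-1-5-18 thus encodes as 01 01 00 00 00 00 00 05 12 00 00 00.

function ConvertTo-SidBytes {
    param([Parameter(Mandatory)][string]$Sid)
    $s     = [System.Security.Principal.SecurityIdentifier]$Sid
    $bytes = New-Object byte[] $s.BinaryLength
    $s.GetBinaryForm($bytes, 0)
    return $bytes
}

function ConvertFrom-SidBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # The constructor rejects a malformed buffer (bad revision, or a sub-authority
    # count in byte 1 that does not match the buffer size) instead of guessing.
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function Get-RegisteredProfiles {
    # Each subkey is named after a SID string; most also carry a REG_BINARY "Sid" value
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $root | ForEach-Object {
        $props  = Get-ItemProperty -Path $_.PSPath
        $binSid = if ($props.Sid) { ConvertFrom-SidBytes -Bytes ([byte[]]$props.Sid) } else { $null }
        [pscustomobject]@{
            KeyName     = $_.PSChildName
            BinarySid   = $binSid
            # A hand-edited key whose binary Sid disagrees with its name shows up here
            Consistent  = ($null -eq $binSid) -or ($binSid -eq $_.PSChildName)
            ProfilePath = $props.ProfileImagePath
        }
    }
}

# Well-known SIDs from the answer, shown in the byte form the registry stores
$examples = @(
    'S-1-5-18'                                                          # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'                                                      # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'    # NT SERVICE\TrustedInstaller
)
foreach ($sid in $examples) {
    $bytes = ConvertTo-SidBytes -Sid $sid
    '{0,-66} {1}' -f $sid, (ConvertTo-HexString -Bytes $bytes)
    # Decoding the bytes must reproduce the original string exactly
    if ((ConvertFrom-SidBytes -Bytes $bytes) -ne $sid) { throw "Round-trip failed for $sid" }
}

Get-RegisteredProfiles | Format-Table -AutoSize
```

Byte 1 of each printed SID is the sub-authority count, so the length of a valid buffer is always 8 + 4 times that byte; feeding ConvertFrom-SidBytes a buffer that breaks this rule throws, which is a cheap sanity check before writing any hand-assembled value into ProfileList.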