
Run A Process As NT AUTHORITY\SYSTEM

April 22nd, 2009

Who is NT AUTHORITY\SYSTEM?

It is a built-in user account on Windows. It has even more power than the Administrator account! Using that account, one can gain complete control over everything: you can kill any stubborn process, make system-wide changes, etc. But one cannot log in as NT AUTHORITY\SYSTEM. Windows doesn’t allow this, and for good reason: malicious programs run as NT AUTHORITY\SYSTEM would be nothing less than a disaster!

Why should I become NT AUTHORITY\SYSTEM?

There are rare instances when you will need to become NT AUTHORITY\SYSTEM, for example when you cannot end a virus process using Task Manager or from the command line using taskkill, even when the /f switch is used.

How can I become NT AUTHORITY\SYSTEM?

Here is a little trick that allows you to gain system-wide access as NT AUTHORITY\SYSTEM in XP. This won’t work in Vista.

  1. You must be logged in as an Administrator
  2. Make sure that the “Task Scheduler” service is running. If not, start it using services.msc or from the command line by typing net start "Task Scheduler"
  3. Now, you need to schedule a task using the at command as shown below. Here’s the general command syntax.

    at one_minute_more_than_current_time /interactive file_path

    And here’s an example. Suppose the current time in your system tray clock is 21:21. Here’s the command that you need to enter to run cmd.exe as NT AUTHORITY\SYSTEM.

    at 21:22 /interactive C:\WINDOWS\system32\cmd.exe

    You must specify a time one or two minutes later than the current time in the system tray clock, in 24-hour format.

  4. When the scheduled time arrives, a new Command Prompt appears, running as NT AUTHORITY\SYSTEM. All programs, GUI programs, commands, etc. launched from this Command Prompt also run as NT AUTHORITY\SYSTEM. For example, the Task Manager (taskmgr.exe) started from this Command Prompt can end any process. Be careful while playing around with this trick ;)
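
The trick above leaves one recognizable command line behind, so it is easy to look for when reviewing recorded command lines on XP-era hosts. The following is an added example, not code from the original post: it parses `at` command lines and reports the jobs created with `/interactive`. The function names, the sample lines and the host name `HOST01` are constructed for illustration, and it assumes command lines are already available as plain strings.

```python
import re

# 24-hour HH:MM, the time format the page's `at` command uses
TIME_RE = re.compile(r"^(?:[01]?\d|2[0-3]):[0-5]\d$")

def parse_at_job(cmdline):
    """Parse an `at` job-creation command line; None for anything else."""
    tokens = cmdline.split()
    if not tokens:
        return None
    # Accept both a bare "at" and a full path such as ...\system32\at.exe
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("at", "at.exe"):
        return None
    rest = tokens[1:]
    # Optional \\computername argument targets another machine
    remote = rest.pop(0) if rest and rest[0].startswith("\\\\") else None
    if not rest or not TIME_RE.match(rest[0]):
        return None  # no time argument: the line lists or deletes jobs
    when = rest.pop(0)
    switches = []
    while rest and rest[0].startswith("/"):
        switches.append(rest.pop(0).lower())
    return {"time": when, "remote": remote,
            "interactive": "/interactive" in switches,
            "command": " ".join(rest)}

def interactive_jobs(cmdlines):
    """Return parsed jobs scheduled with /interactive (desktop-visible)."""
    jobs = (parse_at_job(line) for line in cmdlines)
    return [j for j in jobs if j and j["interactive"] and j["command"]]

# Constructed sample command lines (the first is the page's own example)
SAMPLE = [
    r"at 21:22 /interactive C:\WINDOWS\system32\cmd.exe",
    r"C:\WINDOWS\system32\at.exe 03:00 /every:M,W,F C:\scripts\backup.cmd",
    r"at \\HOST01 23:15 /INTERACTIVE taskmgr.exe",
    r"at 2 /delete",
    r"attrib +h C:\temp\notes.txt",
]

if __name__ == "__main__":
    for job in interactive_jobs(SAMPLE):
        print(job)
```
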
  1. Cat
    August 13th, 2009 at 10:29 | #1

    Hello, I hope my note finds you doing well. I am running Windows XP SP3.

    I tried your tip here, to run a process as NT Authority\System, but I did not get the same result. I was able to successfully launch a new command prompt which had C:\WINDOWS\System32\scvhost.exe on top. However, when I typed cd at the prompt it merely returned c:\windows\system32 not NT AUTHORITY\SYSTEM.

    I used the command prompt to open Task Manager, deleted explorer.exe, and then ran explorer.exe again. My desktop and icons changed and so I was supposedly running as “System.” Alas, I am still unable to delete some pesky files and empty folders which Unlocker and WhoLockMe say are being locked by Domain: NT Authority, User: System.

    When I click on Start, it says SYSTEM right on top. However, when I open Task Manager and click on the Users tab, my name appears and not SYSTEM. I am not sure where I went wrong. Any ideas?

    Kind regards, cheers,
    Cat

  2. August 13th, 2009 at 18:49 | #2

    The cd command will return c:\windows\system32 itself …. there is nothing wrong with this output :)

    Try any of these:
    - Try deleting those files from the “elevated” command prompt using the del command with the /f switch. Check del /? for usage.
    - Try directly deleting or doing the same as above from safe mode.
    - Boot from any Linux live CD and delete the files.

  3. Cat
    August 25th, 2009 at 10:24 | #3

    Hi, thanks for your reply! Alas, nothing I did from the elevated command worked, but I finally took your suggestion regarding booting from the Windows Installation disk. I dug them out of a file cabinet (I was shocked I could find them!), booted to a c: prompt and was finally able to delete the files. It was the only thing that worked, thanks!
