Sometimes, local administrator permissions may not be sufficient to manage certain system files, registry keys, processes, and services in Windows. In such cases, an administrator can take ownership of files/other objects or perform actions on behalf of the privileged SYSTEM (LocalSystem) account. In this post, we will cover how to open a command prompt or run any program as SYSTEM.
services.msc) and note the services that have Local System in the LogOnAs column. These services are running under the SYSTEM account.
How to Run CMD/Process as SYSTEM on Windows Using PSExec
The easiest way to run a command or program as NT Authority\System is to use the Sysinternals PSExec.exe console tool.
PSExec.exe is a tool included in the PSTools administrative utility suite. It is available for download on the Microsoft website https://docs.microsoft.com/en-us/sysinternals/downloads/psexec. The PSExec utility is familiar to any administrator and is used to run commands and programs on remote computers. PSExec also has a useful feature that allows you to run processes on behalf of the system. Some antivirus programs may identify PSExec.exe as a potentially harmful program.
The PSExec tool doesn’t require installation. Simply extract the PSTools.zip archive to a local drive (it’s likely that you’ll need to unblock the file you downloaded from the Internet before you can use it).
Open the command prompt (CMD) in “Run as administrator” mode and navigate to the directory where the psexec.exe file is located:
cd C:\PSTools\
To run a program or command as SYSTEM, run:
psexec -i -s cmd.exe
The command to run PSexec from the PowerShell shell will look like this:
.\psexec.exe -i -s <executable>
- -i – run the specified app in the interactive mode (a user can interact with the program on the desktop). If not specified, the process is launched in a console session.
- -s – run process as Local System account
- cmd.exe – the name of the EXE file, script, or command that will be run on behalf of the SYSTEM user.
After executing the command, a new command prompt window will appear, running under the NT Authority\System account. Verify this by running the following command in the new window:
whoami
Since in this example we launched the interactive console of the command-line interpreter cmd.exe under the SYSTEM account, all subsequent commands and programs started from this session will also run with SYSTEM privileges.
Now, you will be able to change, rename, or delete system files or registry keys that are owned by TrustedInstaller or SYSTEM. For example, you can terminate a system service or close a file locked by a system process.
psexec -s \\mun-b21pc12 cmd.exe
If the "Couldn’t install PSEXESVC service" error appears, make sure that:
- The command prompt is run as administrator
- Another PSEXESVC service instance is not running
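PsExec does its work through a service named PSEXESVC, which is why the error above mentions it, and each service installation is written to the System event log as event ID 7045. The following PowerShell is an added example, not part of the original post: it checks for a leftover PSEXESVC service and lists when the service was installed. The 30-day look-back window is an assumption.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$Days = 30   # assumed look-back window

# 1. Is a PSEXESVC service registered right now (e.g. left over from an earlier session)?
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'PSEXESVC%'" |
    Select-Object Name, State, StartName, PathName

# 2. When was it installed, and under which account does it run?
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045                      # "A service was installed in the system"
    StartTime    = (Get-Date).AddDays(-$Days)
}

$installs = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData of 7045 carries ServiceName, ImagePath, ServiceType, StartType, AccountName
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            AccountName = $data['AccountName']
            InstalledBy = $_.UserId          # SID of the account that installed the service
        }
    } |
    Where-Object { $_.ServiceName -like 'PSEXESVC*' -or $_.ImagePath -like '*PSEXESVC*' }

$installs | Sort-Object TimeCreated | Format-Table -AutoSize
```

Entries that do not line up with known administrative work on the machine are worth following up, since every one of them is a point at which something could run as Local System.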
Configure a Task Scheduler to Run a Task as SYSTEM
The Task Scheduler can be used to periodically execute certain scripts or commands on behalf of the system. For example, I want to run a particular PowerShell script with system privileges when Windows boots.
- Open the Task Scheduler console by running the taskschd.msc command
- Create a new task PSscriptAsSYSTEM
- In the User field, click the Change User or Group button and type SYSTEM (the account used to run the task will change to NT AUTHORITY\SYSTEM)
- Enable the Run with highest privileges option
- Go to the Triggers tab and select when you want to run your script (in this example, the task will run At startup)
- On the Actions tab, specify which program you want to run.
- In this example, we will run a PowerShell script (*.ps1). To do this, specify powershell.exe in the Program/Script field. In the Arguments field, specify the path to the PS1 script file: -ExecutionPolicy Bypass -NonInteractive -File "C:\PS\MySampleScript.ps1"
- Save the task settings
- To activate a task, right-click on it and select Enable.
Each time Windows boots, the Task Scheduler will run the specified PowerShell script with SYSTEM privileges.
If you only need to run a program or command on behalf of SYSTEM once, you can skip creating a trigger for a scheduled launch. Instead, run the scheduler task manually by selecting it in the console and clicking Run.
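The same task can be created from PowerShell with the built-in ScheduledTasks cmdlets. The script below is an added example, not part of the original post; it reuses the task name and script path from the steps above and first refuses to register the task if accounts other than SYSTEM, Administrators or TrustedInstaller can modify the script or its folder (that trusted list is an assumption of this example).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$TaskName   = 'PSscriptAsSYSTEM'
$ScriptPath = 'C:\PS\MySampleScript.ps1'

# Anyone who can modify the script (or replace it via its folder) gets SYSTEM at the
# next boot, so allow write access only to SYSTEM, Administrators and TrustedInstaller.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$risky = foreach ($path in $ScriptPath, (Split-Path -Path $ScriptPath -Parent)) {
    (Get-Acl -LiteralPath $path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.PropagationFlags -notmatch 'InheritOnly' -and   # ACE applies to this object
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $trustedSids -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference, FileSystemRights
}
if ($risky) {
    $risky | Format-Table -AutoSize | Out-String | Write-Warning
    throw "Untrusted principals can modify $ScriptPath or its folder; fix the ACL first."
}

# Same settings as the GUI steps: SYSTEM account, highest privileges, At startup trigger.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-ExecutionPolicy Bypass -NonInteractive -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal

# One-off run instead of waiting for the next boot (same as clicking Run in the console):
# Start-ScheduledTask -TaskName $TaskName
```

A folder created directly under C:\ typically inherits Modify for Authenticated Users, so expect the check to fail for C:\PS until that inherited entry is removed.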
at 10:23 /interactive cmd.exe
where 10:23 is the current time plus one minute (in the 24-hour format). When the specified time comes, a command prompt window will open in the console session, running with Local System permissions.
Newer Windows versions (including Windows 11) don’t support running the interactive command prompt using the AT command.
The AT command has been deprecated. Please use schtasks.exe instead. Warning: Due to security enhancements, this task will run at the time expected but not interactively. Use schtasks.exe utility if interactive task is required ('schtasks /?' for details). The request is not supported.
3 comments
you do know that psexec isn't from microsoft, it's from sysinternals, right?! lmmfao
Microsoft acquired Sysinternals and its assets on July 18, 2006
Oh man, you failed so hard on that one.