Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Windows 10 / How to Run CMD/Program under SYSTEM (LocalSystem) in Windows

March 11, 2024

How to Run CMD/Program under SYSTEM (LocalSystem) in Windows

To perform some actions in Windows, it’s not enough to have administrator privileges. For example, you cannot replace or delete system files and some registry keys, stop system services or perform some other potentially unsafe actions that could affect the stability of your operating system. In these cases, a system administrator can take ownership of files or other objects, or perform actions on behalf of the system account. In this article you we’ll look on how to run an app or the command prompt as the privileged SYSTEM (LocalSystem) account on Windows 10.

Disclaimer. Making changes to a Windows image on behalf of the SYSTEM account is a non-standard operation. Please note that incorrect actions taken with the NT AUTHORITY\SYSTEM privileges may break your Windows. In practice, running processes as System account is rarely used. In most cases you can solve a problem using some standard ways: runas, run an app without administrator privileges and suppressing the UAC prompt, take ownership on files/registry keys, disable UAC for all or only certain apps, grant service management privileges for non-admin users.

Contents:
  • How to Run CMD under Local System Account in Windows (Versions Prior to Vista)?
  • How to Run CMD/Process as SYSTEM on Windows 10 Using PSExec?

The built-in SYSTEM account is used by the SCM (Service Control Manager) to run and manage system services. Using the System account (it may be also called NT AUTHORITY\SYSTEM, Local System or Computer\LocalSystem), most system services and processes are run (including NT OS Kernel). Open the service management mmc snap-in (services.msc) and note the services that have Local System in the LogOnAs column. These services are running under the SYSTEM account.

windows services running as localsystem

How to Run CMD under Local System Account in Windows (Versions Prior to Vista)?

In Windows XP and Windows Server 2003 (that are no longer supported), there was an interesting trick that allowed you to run a program or the interactive command prompt (cmd.exe) with the system privileges using the Task Scheduler. It was enough to open the command prompt under the admin account and run the following command:

at 10:23 /interactive cmd.exe

where, 10:23 is the current time + one minute (in the 24-hour format)

When the specified time comes, a command prompt will appear running under the local system account. If you have run this command in a terminal (RDP) session on Windows Server 2003/XP, note that the command prompt with the System privileges is displayed in the console session only (you can connect to the computer console via mstsc /console or mstsc /admin).

windows xp - run interactive cmd on behalf system

Windows 10 doesn’t support running the interactive command prompt using the at command. It is recommended to use schtasks.exe instead.

Warning: Due to security enhancements, this task will run at the time expected but not interactively.
Use schtasks.exe utility if interactive task is required ('schtasks /?' for details).
The request is not supported.

can't run at on windows 10 - Use schtasks.exe utility if interactive task is required

How to Run CMD/Process as SYSTEM on Windows 10 Using PSExec?

In Windows 7 or higher, the interactive command prompt cannot be run under the System account using Task Scheduler. To run commands as NT Authority\ System, you can use the PSExec.exe utility by Sysinternals.

You can download the PSExec.exe tool from Microsoft website: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec. Any Windows administrator is familiar with PSExec. In most cases, it is used to manage Windows remotely, and it also has a useful feature for running processes on behalf System account. Some antiviruses may identify PSExec.exe as a potentially harmful program (by the way, it was psexec that was used to distribute the notorious notpetya virus).

PSExec doesn’t need to be installed. Open the elevated command prompt (“Run as administrator”), go to the folder where PSexec.exe is located and run the following command:

psexec -i -s cmd.exe

-i – allows to start the process/app in the interactive mode (a user can interact with the app on the desktop; if you don’t use this parameter, the process starts in a console session),

–s – means that the process (in this case, the command prompt) must be run as a System account.

On the first PsExec run, you will be prompted to accept a license agreement.

psexec -s -s cmd - run as system

After running the command, a new command prompt window will appear under the NT Authority\System account. Make sure it is true, by running this command:

whoami

run cmd under the NT AUTHORITY\SYSTEM

Thus, you can run any program, command, or script as a System account. It is enough to replace cmd.exe in the PsExec parameter with the name of the app executable you want to run.

In the command prompt window that appears, you can run any command as SYSTEM. Now you can change, rename or delete system files/registry keys that are owned by TrustedInstaller or SYSTEM. All programs or processes you start in this window will run with elevated LocalSystem privileges. For example, you can stop a system service or close a file opened by the system process.

Using PSExec, you can open the interactive command prompt with the NT AUTORITY\SYSTEM privileges on a remote computer. To do it, the following command is used:

psexec -s \\mun-b21pc12 cmd.exe

If the “Couldn’t install PSEXESVC service” error appears, make sure that:

  • The command prompt is run as administrator;
  • Another PSEXESVC service instance is not running PSEXESVC service

There are also several third-party tools to run apps as System account (AdvancedRun, RunAsSystem, PowerRun), but I cannot see any point in using them. First of all, they are third-party and you cannot be sure there is no malicious code in them. Secondly, the official PsExec utility by Microsoft does a great job.

3 comments
10
Facebook Twitter Google + Pinterest
Windows 10Windows Server 2019
previous post
How to Disable or Change User Account Control (UAC) Settings in Windows
next post
Zerologon (CVE-2020-1472): Critical Active Directory Vulnerability

Related Reading

Fix: The Computer Restarted Unexpectedly or Encountered an...

May 16, 2024

PowerShell: Get Folder Size on Windows

April 2, 2024

Fixing “Winload.efi is Missing or Contains Errors” in...

March 16, 2024

How to Download Offline Installer (APPX/MSIX) for Microsoft...

March 12, 2024

Windows Doesn’t Automatically Assign Drive Letters

March 15, 2024

How to Clean Up System Volume Information Folder...

March 17, 2024

Protecting Remote Desktop (RDP) Host from Brute Force...

February 5, 2024

Fix: Photos App in Windows 10 Opens Extremely...

April 19, 2023

3 comments

gommet granger May 11, 2022 - 9:23 am

you do know that psexec isnt from microsoft its from sysinternals right?! lmmfao

Reply
admin May 12, 2022 - 7:48 am

Microsoft acquired Sysinternals and its assets on July 18, 2006

Reply
Pete Mitchell June 17, 2022 - 5:23 pm

Oh man, you failed so hard on that one.

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • How to Download Offline Installer (APPX/MSIX) for Microsoft Store App
  • Fix: Windows Cannot Connect to a Shared Printer
  • How to Disable UAC Prompt for Specific Applications in Windows
  • Fix: The Computer Restarted Unexpectedly or Encountered an Unexpected Error on Windows
  • How to Clean Up System Volume Information Folder on Windows
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10
  • How to Enable Windows Auto Login without a Password
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top