How to launch any win32 file as "System account" on Windows Vista, Windows 7 or Windows Server 2008 / Server 2008 R2

book

Article ID: 177919

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You need to launch a file as the System account to verify access rights, test network access, test LiveUpdate, look at proxy settings or to try to install using a non-user based account but have found the new security changes in the Microsoft Windows kernel 6 or greater prevents the AT task scheduler from launching an "interactive" application with system level access.

Symptoms
Changes in the Windows account security prevents direct access from the command line to the task schedulers ability to create a local session-0 interactive system account run applications. This issue will apply to any Windows operating system running kernel 6 or greater. (Vista, Windows 7, Server 2008, Server 2008 R2 for all 32-bit and 64-bit variants as well as Itanium.)


When you try to use the AT scheduler with the /interactive switch you will get the following window:




If you use the Windows built-in GUI task scheduler or the Schtasks tool, you will be able to assign the System account to launch the application but you will not be able to see or interact with the application now due to security changes in Windows. The application will show in the Task Manager but that is the total level of interaction ALL local users will get.

Cause

This is new behavior that was introduced in Vista's security model and has been implemented into Windows 7 and all Windows Server 2008 families.

Resolution

It is possible to launch a local Session 0, user-accessible win32 application using System account privileges using the third party tool called PSExec from Microsoft.

The command line is:
psexec -i -s [path to executable and/or script]

(The -s switch runs as System; the -i switch runs as Interactive.)

Please note, include the path in quotes if the executable resides in any folder that has spaces or is more then 8 characters long.
Example : psexec -i -s "C:\Program Files\Internet Explorer\iexplore.exe"

This will launch two windows:
  1. A DOS window
  2. The actual executable/win32/script target itself. Do not close the DOS window as it will close the application that was launched.

While the target application is open, the operator will have access to the system using System account privileges. Note the elevated privileges do not extend beyond the target application launched by the Psexec tool.


References
PSExec is available from Microsoft via the following link. This link is provided for your convenience.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx


Technical Information
"Service Changes for Windows Vista," which discusses the changes in the security model:

http://msdn.microsoft.com/en-us/library/bb203962(VS.85).aspx


Attachments