The Local System Account (LSA) is the most powerful account in Windows (more powerful than the Administrator account). A lot of services are running under this account. To access this account, an easy method is to create a scheduled task which runs in the system account by default:
at 15:00 /interactive cmd.exe
The task scheduler service will create the job to run in the system account. The time to fire the task could be anything else; it has no importance here. After reading the name of the job in the scheduled tasks window, to run the task immediately:
schtasks /Run /TN At1
At1 is the name of the scheduled job. This command will launch cmd.exe running under the system account.
Deleting the job:
schtasks /Delete /TN At1
I wrote a little example to run cmd.exe under LSA. The application creates a scheduled job, runs it and deletes it from the job queue.
Notice that you should run this application under an account belonging to the Administrators group. The application runs fine on Windows XP SP3; it should also run on Windows 2000 and Windows Server 2003. I would be grateful for feedback from Vista users, specifying also the service pack level.
Another method to run an application under LSA is to use Mark Russinovich's psexec tool:
psexec -i -s cmd.exe
http://technet.microsoft.com/tr-tr/sysinternals/bb897553%28en-us%29.aspx
Some COM interfaces are required to handle scheduled jobs. Here is the source code:
.386
.model flat,stdcall
option casemap:none
include RunasLSA.inc
.data
CLSID_CTaskScheduler GUID sCLSID_CTaskScheduler
IID_ITaskScheduler GUID sIID_ITaskScheduler
IID_ITask GUID sIID_ITask
; fill the structure AT_INFO to create a scheduled job
_at_info dd 0 ; JobTime
dd 0 ; DaysOfMonth
db 0 ; DaysOfWeek
db 0 ; Flags
dw 0 ; alignment bytes
dd OFFSET command1
WSTR command1,"Cmd.exe"
; jobs created with the scheduler API have the name AtXX
; XX = ID of the job
WSTR JobToRun,"At"
db 0,0,0,0
WSTR format1,"%u"
.data?
pITS dd ?
pITask dd ?
JobID dd ?
buffer db 10 dup(?)
.code
start:
; create the scheduled job
invoke NetScheduleJobAdd,0,ADDR _at_info,ADDR JobID
; get the name of the job
invoke wsprintfW,ADDR buffer,ADDR format1,JobID
invoke lstrcatW,ADDR JobToRun,ADDR buffer
; initialize COM
invoke CoInitialize,NULL
; create an uninitialized object of the class TaskScheduler
invoke CoCreateInstance,ADDR CLSID_CTaskScheduler,NULL,\
CLSCTX_INPROC_SERVER,ADDR IID_ITaskScheduler,ADDR pITS
; return an interface to ITask
push OFFSET pITask
push OFFSET IID_ITask
push OFFSET JobToRun
mov eax,pITS
push eax
mov eax,DWORD PTR [eax]
call ITaskScheduler.Activate[eax]
; release the pointer
mov eax,pITS
push eax
mov eax,DWORD PTR [eax]
call ITaskScheduler.IUnknown.Release[eax]
; run the scheduled task
mov eax,pITask
push eax
mov eax,DWORD PTR [eax]
call IScheduledWorkItem.Run[eax]
mov eax,pITask
push eax
mov eax,DWORD PTR [eax]
call IScheduledWorkItem.IUnknown.Release[eax]
; wait for the scheduler service to pick up the job, then delete the job
invoke Sleep,1000
invoke NetScheduleJobDel,0,JobID,JobID
; all finished with COM
invoke CoUninitialize
invoke ExitProcess,0
END start
Well, it runs here, shows nothing though, so I don't know if it succeeded. Windows 7.
Hi BlackVortex,
You could see the command prompt if you are running XP or 2000. I doubt that it would work on Windows 7 as they elevated the security level. Could you try Russinovich's psexec tool on your computer?
Oh, I see. Well, your program works on my XP32 virtual machine, but doesn't do anything on my (real) Win7 64bit.
"psexec -i -s cmd.exe" works fine even on Win7 64bit. I checked the task manager and the user is SYSTEM.
EDIT: You should make your proggy more verbose, so we know where it fails.
Thanks for your feedback. MS probably limited the capabilities of the old Task Scheduler API 1.0 in Windows 7.
psexec creates a temporary service named PSEXESVC to launch the child application operating under LSA. This is why psexec is successful on Windows 7.