Running an application in the Local System Account

Started by Vortex, September 21, 2009, 12:04:02 PM


Vortex

The Local System account (LSA) is the most powerful account in Windows (more powerful than the Administrator account). A lot of services are running under this account. To access this account, an easy method is to create a scheduled task, which runs in the system account by default:

at 15:00 /interactive cmd.exe

The task scheduler service will create the job to run in the system account. The time to fire the task could be anything else; it has no importance here. After reading the name of the job in the Scheduled Tasks window, run the task immediately:

schtasks /Run /TN At1

At1 is the name of the scheduled job. This command will launch cmd.exe running under the system account.

Deleting the job :

schtasks /Delete /TN At1

I wrote a little example to run cmd.exe under LSA. The application creates a scheduled job, runs it and deletes it from the job queue.

Notice that you should run this application under an account belonging to the Administrators group. The application runs fine on Windows XP SP3; it should also run on Windows 2000 and Windows Server 2003. I would be grateful for feedback from Vista users, also specifying the service pack level.

Another method to run an application under LSA is to use Mark Russinovich's psexec tool:

psexec -i -s cmd.exe

http://technet.microsoft.com/tr-tr/sysinternals/bb897553%28en-us%29.aspx

Some COM interfaces are required to handle scheduled jobs. Here is the source code:


.386
.model flat,stdcall
option casemap:none

include RunasLSA.inc

.data

CLSID_CTaskScheduler    GUID sCLSID_CTaskScheduler
IID_ITaskScheduler      GUID sIID_ITaskScheduler
IID_ITask               GUID sIID_ITask

; fill the structure AT_INFO to create a scheduled job
; Flags = 0 : JOB_NONINTERACTIVE is not set, so the job is allowed to interact with the desktop

_at_info    dd 0        ; JobTime (milliseconds after midnight; irrelevant here, the job is run on demand)
            dd 0        ; DaysOfMonth
            db 0        ; DaysOfWeek
            db 0        ; Flags
            dw 0        ; alignment bytes
            dd OFFSET command1  ; Command

WSTR        command1,"Cmd.exe"

; jobs created with the scheduler API have the name AtXX
; XX = ID of the job

WSTR        JobToRun,"At"
            db 20 dup(0)    ; room for the job ID digits (up to 10 wide characters), lstrcatW appends them here

WSTR        format1,"%u"

.data?

pITS        dd ?
pITask      dd ?
JobID       dd ?
buffer      db 24 dup(?)    ; wide-character buffer for "%u" : up to 10 digits plus the null terminator

.code

start:

; create the scheduled job, NetScheduleJobAdd returns NERR_Success (0) on success

    invoke  NetScheduleJobAdd,0,ADDR _at_info,ADDR JobID
    test    eax,eax
    jnz     finish

; get the name of the job

    invoke  wsprintfW,ADDR buffer,ADDR format1,JobID
    invoke  lstrcatW,ADDR JobToRun,ADDR buffer

; initialize COM

    invoke  CoInitialize,NULL

; create an uninitialized object of the class TaskScheduler

    invoke  CoCreateInstance,ADDR CLSID_CTaskScheduler,NULL,\
            CLSCTX_INPROC_SERVER,ADDR IID_ITaskScheduler,ADDR pITS
    test    eax,eax         ; S_OK = 0, a failed HRESULT is non-zero (negative)
    jnz     uninit_com

; return an interface to ITask

    push    OFFSET pITask
    push    OFFSET IID_ITask
    push    OFFSET JobToRun
    mov     eax,pITS
    push    eax
    mov     eax,DWORD PTR [eax]
    call    ITaskScheduler.Activate[eax]
    push    eax             ; keep the HRESULT returned by Activate

; release the pointer

    mov     eax,pITS
    push    eax
    mov     eax,DWORD PTR [eax]
    call    ITaskScheduler.IUnknown.Release[eax]
    pop     eax
    test    eax,eax         ; Activate failed : no ITask pointer to use
    jnz     uninit_com

; run the scheduled task

    mov     eax,pITask
    push    eax
    mov     eax,DWORD PTR [eax]
    call    IScheduledWorkItem.Run[eax]

    mov     eax,pITask
    push    eax
    mov     eax,DWORD PTR [eax]
    call    IScheduledWorkItem.IUnknown.Release[eax]

; wait until the scheduler service has started the job, then delete the job

    invoke  Sleep,1000

uninit_com:

; all finished with COM

    invoke  CoUninitialize

; the job was created in every path reaching this point, so always remove it from the queue

    invoke  NetScheduleJobDel,0,JobID,JobID

finish:

    invoke  ExitProcess,0

END start

BlackVortex

Well, it runs here, shows nothing though, so I don't know if it succeeded. Windows 7.

Vortex

Hi BlackVortex,

You could see the command prompt if you are running XP or 2000. I doubt that it would work on Windows 7, as they elevated the security level. Could you try Russinovich's psexec tool on your computer?

BlackVortex

Oh, I see. Well, your program works on my XP32 virtual machine, but doesn't do anything on my (real) Win7 64bit.


"psexec -i -s cmd.exe" works fine even on Win7 64bit. I checked the task manager and the user is SYSTEM.

EDIT: You should make your proggy more verbose, so we know where it fails.

Vortex

Thanks for your feedback. MS probably limited the capabilities of the old Task Scheduler API 1.0 in Windows 7.
psexec creates a temporary service named PSEXESVC to launch the child application operating under LSA. This is why psexec is successful on Windows 7.
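From a defender's side, the two techniques discussed in this thread (the first post's AT job that starts cmd.exe as SYSTEM and the PSEXESVC service that psexec installs, mentioned in the last reply) leave distinct traces in the Windows event logs. The following Python detector is an added example, not code from the thread or from Sysinternals. It assumes Vista/Windows 7 style event IDs (Security 4698 "scheduled task created" with its task XML, Security 4688 "process created" with command-line auditing enabled, System 7045 "service installed"); the sample events, field names and SIDs other than S-1-5-18 are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Well-known SID of the LocalSystem account (what the thread calls "LSA").
SYSTEM_SID = "S-1-5-18"
TASK_NS_URI = "http://schemas.microsoft.com/windows/2004/02/mit/task"
TASK_NS = "{" + TASK_NS_URI + "}"

# Jobs created through the AT / NetScheduleJobAdd API are named At<ID>.
AT_JOB_NAME = re.compile(r"^\\?At\d+$", re.IGNORECASE)
# A SYSTEM task whose action is an interactive shell is rarely legitimate.
SHELLS = {"cmd.exe", "powershell.exe"}
# Command lines from the thread: "at ... /interactive ..." and "schtasks /Run /TN AtN".
AT_INTERACTIVE = re.compile(r"\bat(\.exe)?\b.*\s/interactive\b", re.IGNORECASE)
SCHTASKS_RUN_AT = re.compile(r"\bschtasks(\.exe)?\b.*\s/run\b.*\s/tn\s+\\?At\d+\b",
                             re.IGNORECASE)


def task_xml(user_id, command):
    """Constructed minimal Task Scheduler XML, shaped like the TaskContent field
    of Security event 4698 (only the elements this detector reads)."""
    return (f'<Task xmlns="{TASK_NS_URI}"><Principals><Principal id="Author">'
            f'<UserId>{user_id}</UserId></Principal></Principals>'
            f'<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>')


def task_principal_and_commands(xml_text):
    """Return (principal SID or account name, [commands]) from a task definition."""
    root = ET.fromstring(xml_text)
    user = root.findtext(f"./{TASK_NS}Principals/{TASK_NS}Principal/{TASK_NS}UserId")
    commands = [e.text or "" for e in root.iter(f"{TASK_NS}Command")]
    return user, commands


def analyze(events):
    """Return [(rule, detail)] for every event matching one of the three patterns."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4698:                                   # scheduled task created
            user, commands = task_principal_and_commands(ev["TaskContent"])
            name = ev.get("TaskName", "")
            basenames = {c.lower().rsplit("\\", 1)[-1] for c in commands}
            if user == SYSTEM_SID and (AT_JOB_NAME.match(name) or basenames & SHELLS):
                findings.append(("system_task_created",
                                 f"{ev.get('SubjectUserName')} created {name} "
                                 f"running {commands} as LocalSystem"))
        elif eid == 7045:                                 # service installed
            if ev.get("ServiceName", "").upper() == "PSEXESVC":
                findings.append(("psexesvc_installed",
                                 f"{ev.get('ServiceName')} -> {ev.get('ImagePath')}"))
        elif eid == 4688:                                 # process created
            cmdline = ev.get("CommandLine", "")
            if AT_INTERACTIVE.search(cmdline) or SCHTASKS_RUN_AT.search(cmdline):
                findings.append(("at_interactive_cmdline", cmdline))
    return findings


# Constructed sample events (not real captured logs); the field names follow what
# a SIEM typically extracts from the Security (4698, 4688) and System (7045) logs.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\At1",
     "TaskContent": task_xml(SYSTEM_SID, "Cmd.exe")},
    {"EventID": 4698, "SubjectUserName": "backupsvc",
     "TaskName": "\\Corp\\NightlyBackup",
     "TaskContent": task_xml("S-1-5-21-1111-2222-3333-1005", "C:\\Tools\\backup.exe")},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\at.exe",
     "CommandLine": "at 15:00 /interactive cmd.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /Run /TN At1"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /Query /TN At1"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The 4698 rule keys on the principal rather than on the task name alone, because a task named AtN that runs as an ordinary user is harmless, while any SYSTEM task whose action is cmd.exe deserves a look whatever it is called. The benign NightlyBackup task, the Spooler service and the schtasks /Query line are included so the sample shows the rules staying quiet on normal activity.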