Tutorial describing Local System Account (LSA) and detailing how to run applications within it.
The system account(SID: S-1-5-18) and the administrator account (Administrators group) have the same file privileges, but they have different functions. By the way the system account is one of many built-in accounts. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account. Permissions for the system account can be removed but it is deffinently not recommended.
If you didn’t know what the local system account was now you do, and you can thank microsoft for that little spiel. The local system account on NT 3.1 versions and below could also establish remote null sessions because of its credentials, but that was fixed in the 3.5 version of NT. If you would like to find out what services are running in the LSA goto Start, Run and type in “services.msc”, with out the quotes. In the main services window look under “Log On As”, to see what services start as LSA. Double clicking on a service will reveal its properties, from there the “Log On” tab will show you what account that service uses. There are times how ever when you need to change a LSA service to a user account, usually to access a remote resource because you have to present your user credentials. The “Allow to interact with desktop” checkbox is used if you want to see and be able to interact with that application. Unchecked it would run in the background hidden from the user. Also, any environment changes will need a restart for the LSA account to recognize them because of the way the LSA account gets its environmental settings from services.exe at boot-up time.
You should now be tired of hearing about this, so I will get on with the main point–using the LSA. One easy way to do this is through the AT command. The AT command is the DOS Task Schedular command, it is defaulted to run in the LSA. For more help on the AT command type “at /?” in a msdos window for a list of its options. Say you wanted to run the registy editor as LSA. You would type “AT 09:15 /interactive regedit.exe” To prove your in the system account look under the HKEY_LOCAL_MACHINE\SECURITY key and you should see sub-keys. This is where your LSA Secrets(All local account passwords including system accounts and other info) are stored. More info on LSA Secrets can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;199071
Now open regedit in your run box and see if you have anything in the Security key. Nope not anymore. Make sure when typing the command you use a military time format, include the .exe at the end of the filename and include the “/interactive” option so you can see the window. Many windows operating systems have problems when using the /interactive option. A knowedge base artical can be found here if you encounter this problem:
http://support.microsoft.com/kb/121562/EN-US/
Another great method is to use a tool called PsExec from Sysinternal, which can be found here:
http://www.sysinternals.com/Utilities/PsExec.html
This tool can be used for running remote apps in the LS account also, not to mention it has some other handy features. By typing “Psexec.exe -i -s cmd.exe” you will have ran a command prompt on your system in the LSA. You can add a \\remotemachine option before the -i and it should work remotely also, provided you have enough credentials.
If you know of any other methods, please email me so I can append them to this tutorial.
0 comments:
Post a Comment