╔═══════════════════════════════════════
Instructions - SYSTEM Access

┌───────────────────────────────────────
Plainspeak

The user account SYSTEM (also referred to as LocalSystem or NT AUTHORITY\SYSTEM) is used by Microsoft Windows for portions of the operating system that run in User Mode, where the security model requires that a user account be associated with each process and its threads. It is also the account used to run about half of the services. It is a user account just like every other one, except that it is extremely privileged. It can access almost any securable object.

There are two other SYSTEM-derived user accounts, LOCALSERVICE and NETWORKSERVICE, which together are used to run the other half of the services. You can also use these accounts interactively, though there are fewer reasons to do so unless you are debugging a service running as one of them.

The SID TrustedInstaller is a whole other beast, as well.

In-depth troubleshooting is often severely hampered when using a typical 'administrator' user account. This document allows you to bypass security restrictions that are proper for everyday operations but overbearing when troubleshooting.

This document assumes that the customer is not blocking use of psexec.exe from Sysinternals. There are other methods of obtaining SYSTEM access you can query the Internet for. This is the easiest.

I rarely put disclaimers in my work because I rightfully assume that you are not whimsically changing this-or-that for bric-a-brac on a customer's node when troubleshooting. But: If you use the SYSTEM account recklessly, you can easily convert your operating system into a non-operating system.

┌───────────────────────────────────────
References

PsExec
Windows Sysinternals
Operating System Version
User Account Control

┌───────────────────────────────────────
Acquire

• Download: Sysinternals Suite
    · Expand the archive to a temporary folder.

┌───────────────────────────────────────
Configure EULA

• In an administrative, UAC-elevated cmd.exe window:
    · Navigate to the temporary folder.
    · Execute: psexec.exe -accepteula
        · If a EULA dialog is displayed, click: OK

┌───────────────────────────────────────
Execute cmd.exe as User SYSTEM

• Execute the instructions contained in the heading 'Configure EULA'.

• In an administrative, UAC-elevated cmd.exe window:
    · Navigate to the temporary folder.
    · Execute: psexec.exe -dis cmd.exe
        · The window 'Administrator: C:\Windows\System32\cmd.exe' will appear.

• The window 'Administrator: C:\Windows\System32\cmd.exe' is running as user SYSTEM.
    · To verify the window's user account, execute: whoami
        · Similar output should result:

            │C:\WINDOWS\system32>whoami
            │nt authority\system

┌───────────────────────────────────────
Execute Applications other than File Explorer as User SYSTEM

• Execute the instructions contained in the heading 'Execute cmd.exe as User SYSTEM'.

• In the SYSTEM cmd.exe window:
    · Navigate to the folder hosting the intended application.
    · Execute the application.
        · The application window will appear.

    ____________________
    Application Behavior


    · The signed-in desktop user's taskbar will display the following icons:
        · An icon for each application running as the signed-in desktop user.
        · A distinctly separate icon for each application running as user SYSTEM.
            · Each user account's taskbar icon for an application will encompass that user account's windows for that application.
            · e.g., if Notepad is running as the signed-in desktop user Alice and also as user SYSTEM then two separate Notepad taskbar icons will exist.
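
Taskbar icons are a weak indicator of which windows are privileged. The following added example (not part of the original document) inventories processes running as SYSTEM inside interactive sessions, so leftover SYSTEM windows can be found and closed when troubleshooting ends. The function names and the list of expected Windows processes are assumptions.

```powershell
# Added example (not from the original document). Run in an elevated
# PowerShell 4.0+ window: Get-Process -IncludeUserName requires elevation.

function Get-InteractiveSystemProcess {
    [CmdletBinding()]
    param(
        # Assumption: process names Windows itself normally runs as SYSTEM
        # inside a user session. Adjust the list for the node being examined.
        [string[]] $ExpectedName = @('csrss', 'winlogon', 'LogonUI')
    )

    # Translate the well-known SID S-1-5-18 instead of hard-coding the account
    # name, which is localized on non-English installations.
    $sid        = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
    $systemName = $sid.Translate([System.Security.Principal.NTAccount]).Value

    Get-Process -IncludeUserName |
        Where-Object {
            $_.SessionId -ne 0 -and                     # interactive sessions only
            $_.UserName -eq $systemName -and            # running as SYSTEM
            $ExpectedName -notcontains $_.ProcessName   # not a normal OS process
        } |
        Sort-Object StartTime |
        Select-Object Id, ProcessName, SessionId, UserName, StartTime, MainWindowTitle
}

function Get-CurrentShellContext {
    # Identity and session of the shell running this script; a fuller
    # equivalent of the 'whoami' check used earlier in this document.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Account   = $identity.Name
        Sid       = $identity.User.Value
        IsSystem  = $identity.IsSystem
        SessionId = (Get-Process -Id $PID).SessionId
    }
}

Get-CurrentShellContext | Format-List
Get-InteractiveSystemProcess | Format-Table -AutoSize
```

A cmd.exe window started with psexec.exe -dis appears in this list together with its conhost.exe; an empty list after troubleshooting means no SYSTEM windows were left open in the signed-in user's session.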

┌───────────────────────────────────────
Configure File Explorer for User SYSTEM

• Close any running instances of 'Registry Editor'.

• Execute the instructions contained in the heading 'Execute cmd.exe as User SYSTEM'.

• In the SYSTEM cmd.exe window, execute: regedit.exe

    · The window 'Registry Editor' will appear.
        · Click any object in the left pane of 'Registry Editor'.
        · Press: CTRL+Home
        · Click: Computer
        · Click menu item: Edit | Find

    · The window 'Find' will appear.
        · Locate dialog box: Find what
        · Enter: {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
        · Click: Find next
    · The window 'Find' will close.

    · 'Registry Editor' will highlight key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
        · Right-click key: {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
        · Select: Permissions...

    · The window 'Permissions for {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' will appear.
        · Click: Advanced

    · The window 'Advanced Security Settings for {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' will appear.
        · Locate section: Owner
        · Click: Change

    · The window 'Select User, Computer, Service Account, or Group' will appear.
        · Locate section: From this location
        · Click: Locations

    · The window 'Locations' will appear.
        · Locate section: Location
        · Click: <COMPUTERNAME>
            · Where <COMPUTERNAME> is the computername.
        · Click: OK
    · The window 'Locations' will close.

    · The window 'Select User, Computer, Service Account, or Group' will refocus.
        · Locate section: Enter the object name to select (examples)
        · Enter: SYSTEM
        · Click: Check names
            · The window 'Multiple Names Found' might appear:
                · Click: SYSTEM
                · Click: OK
            · The window 'Multiple Names Found' will close.
        · Click: OK
    · The dialog box 'Select User, Computer, Service Account, or Group' will close.

    · The window 'Advanced Security Settings for {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' will refocus.
        · Click: OK
    · The window 'Advanced Security Settings for {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' will close.

    · The window 'Permissions for {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' will refocus.
        · Locate section: Group or user names
        · Select: SYSTEM
        · Locate section: Permissions for SYSTEM
        · Click: Full Control
        · Click: OK
    · The window 'Permissions for {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' will close.

    · The window 'Registry Editor' will refocus.
        · In the right pane of 'Registry Editor':
            · Right-click: RunAs
            · Select: Rename
            · Enter: nerfRunAs
            · Press: Enter

    · Close the window 'Registry Editor'.

• Close the SYSTEM cmd.exe window.

┌───────────────────────────────────────
Configure File Explorer for User SYSTEM is Reverted During Windows Upgrade

• When Windows is upgraded, the File Explorer configuration in this document is reverted and must be reapplied after the upgrade is complete.
    · Windows 6.1 upgrade to Windows 6.2 and uplevel
    · Windows 6.2 upgrade to Windows 6.3 and uplevel
    · Windows 6.3 Platform Upgrade
    · Windows 6.3 upgrade to Windows 10.0
    · Windows 10.0 Semi-Annual Channel Upgrade
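
Whether the configuration is in place, or has been reverted by an upgrade, can be checked without opening Registry Editor. The following added example (not part of the original document) only reads the key and reports its state; the function name and the state labels are hypothetical.

```powershell
# Added example (not from the original document). Read-only: reports the
# state of the AppID key this document modifies and changes nothing.

function Get-ExplorerAppIdState {
    [CmdletBinding()]
    param(
        # Key and value names are the ones used in this document.
        [string] $KeyPath = 'HKLM:\SOFTWARE\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ State = 'KeyMissing'; KeyPath = $KeyPath }
    }

    $names   = @((Get-Item -LiteralPath $KeyPath).GetValueNames())
    $acl     = Get-Acl -LiteralPath $KeyPath
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # 'Configured' = the rename from this document is in place.
    # 'Default'    = RunAs is present, e.g. after an upgrade reverted the key.
    $hasRunAs  = $names -contains 'RunAs'
    $hasNerfed = $names -contains 'nerfRunAs'
    if     ($hasRunAs -and $hasNerfed) { $state = 'Ambiguous' }
    elseif ($hasNerfed)                { $state = 'Configured' }
    elseif ($hasRunAs)                 { $state = 'Default' }
    else                               { $state = 'NoRunAsValue' }

    # Look for an Allow entry granting SYSTEM (S-1-5-18) Full Control.
    $full = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $systemFullControl = $false
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -eq 'S-1-5-18' -and
            $rule.AccessControlType -eq 'Allow' -and
            ([int]$rule.RegistryRights -band $full) -eq $full) {
            $systemFullControl = $true
        }
    }

    $ownerSid = $acl.GetOwner($sidType).Value
    [pscustomobject]@{
        State             = $state
        KeyPath           = $KeyPath
        Owner             = $acl.Owner
        OwnerIsSystem     = ($ownerSid -eq 'S-1-5-18')
        SystemFullControl = $systemFullControl
        ValueNames        = $names
    }
}

Get-ExplorerAppIdState | Format-List
```

Because the owner and permission changes remain on the key until they are undone or an upgrade reverts them, the same report is useful when reviewing which nodes still carry this troubleshooting configuration.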

┌───────────────────────────────────────
Execute File Explorer as User SYSTEM

• Execute the instructions contained in the heading 'Configure File Explorer for User SYSTEM'.
• Execute the instructions contained in the heading 'Execute cmd.exe as User SYSTEM'.

    ____________________
    Windows 6.1


        __________
        Execute Windows 6.1 File Explorer


        · In the SYSTEM cmd.exe window, execute: explorer.exe
            · The window 'Interactive Services Detection' will appear.
                · Click: View the message

            · The window 'Interactive Services Detection' will appear.
            · The window 'File Explorer' will appear.
            · The window 'Location is not available' will appear.

            · In the window 'Interactive Services Detection':
                · Click nothing at this time.

            · In the window 'Location is not available':
                · Observe the warning information:

                    │C:\WINDOWS\system32\config\systemprofile\Desktop refers to a location that is unavailable. It
                    │could be on a hard drive on this computer, or on a network. Check to make sure that the disk
                    │is properly inserted, or that you are connected to the Internet or your network, and then try
                    │again. If it still cannot be located, the information might have been moved to a different
                    │location.

                    · This warning information is expected because user SYSTEM has no 'Desktop' folder.
                    · This warning information can be permanently prevented by creating the folder: C:\Windows\System32\config\systemprofile\Desktop
                        · PSPRO recommends against creating this folder as the warning information is a visual cue that the File Explorer window is starting as user SYSTEM.
                · Click: OK
            · The window 'Location is not available' will close.

            · In the window 'File Explorer':
                · Perform the intended file operations.
                · When file operations are complete:
                    · Close the window 'File Explorer' and any other opened windows.

            · In the window 'Interactive Services Detection':
                · Click: Return now
                · The window 'Interactive Services Detection' will close.
                · The signed-in desktop user's windows will be displayed.
            · If all windows of user SYSTEM were closed, the window 'Interactive Services Detection' will close.

        · Close the SYSTEM cmd.exe window

        __________
        Windows 6.1 File Explorer Behavior


        · Session 0 isolation:
            · In Windows 6.0+:
                · User mode drivers, services, and certain other applications running as user SYSTEM execute in Session 0.
                · Applications running as signed-in desktop users execute in Session 1 (or greater).
                · Graphical user interfaces for Session 0 user SYSTEM applications are deprecated and not normally displayed in a signed-in desktop user session.

            · This document's procedure on Windows 6.1 executes File Explorer as user SYSTEM in Session 0 with the intent to interact with the signed-in desktop user session.
            · Clicking 'View the message' in the 'Interactive Services Detection' window switches the display to the Session 0 user SYSTEM desktop enabling interaction.
            · Clicking 'Return now' in the 'Interactive Services Detection' window returns the display to the Session 1 (or greater) signed-in user's desktop.
            · The 'Interactive Services Detection' window is effectively a traversable gateway between the Session 1 (or greater) signed-in user's desktop and the Session 0 user SYSTEM desktop.

            · Application Compatibility – Session 0 Isolation
            · Session 0 Isolation

        · File Explorer title bar appearance:
            · User SYSTEM's File Explorer title bar will change its name to match the currently-selected folder name.

        · File operations:
            · Copy/paste/move/delete progress windows may not be rendered for user SYSTEM's File Explorer windows.
            · Copy/paste/move/delete folder content changes may not be automatically refreshed in user SYSTEM's File Explorer windows, requiring manual refresh.
            · Clipboard file sharing will not function between user SYSTEM's File Explorer windows and the signed-in desktop user's File Explorer windows.

        · Desktop timeout:
            · If user SYSTEM's desktop is the foreground desktop and 1 minute of inactivity elapses, the operating system will lock the computer.
            · When signing in after the computer is locked, the signed-in user's desktop will be displayed, not user SYSTEM's desktop.
                · The window 'Interactive Services Detection' will remain displayed.

            · In the window 'Interactive Services Detection':
                · Click: View the message
                · User SYSTEM's desktop will be displayed.
                · User SYSTEM's desktop will remain as it was prior to the operating system locking the computer.

            · Tools such as Zhorn Software's 'Caffeine' can prevent this timeout.

            · Caffeine

        · Establishing a complete user SYSTEM Desktop Experience:
            · In the window 'File Explorer' running as user SYSTEM:
                · Navigate to: C:\Windows
                · Execute: explorer.exe
                    · The window 'Personalized Settings' will appear, perform operations, and close.

            · A desktop background, a taskbar, a Start menu, and all user shell folders will be populated for user SYSTEM.
                · PSPRO recommends against this as the previously discussed window 'Location is not available' will no longer be displayed.
                · If the user SYSTEM Desktop Experience is created, as a visual cue PSPRO recommends assigning a distinctive desktop background color to user SYSTEM's desktop.
                    · Change the desktop background to a solid color.
                    · A picture can be chosen by first selecting a picture, and then changing the theme to a High-Contrast theme.
                        · PSPRO recommends using a solid color rather than a picture and High-Contrast theme because:
                            · A picture cannot be displayed with the Windows Classic theme available to the user SYSTEM Desktop Experience, but only with a High-Contrast theme.
                            · The sign-in screen runs as user SYSTEM and will reflect the High-Contrast theme until the user SYSTEM Desktop Experience is returned to the Windows Classic theme.
                            · The Windows Classic theme default sign-in screen background picture will hide a solid color choice made in the user SYSTEM Desktop Experience.

            · If the taskbar is not visible, clicking on any user SYSTEM Desktop Experience window or the desktop background will expose the taskbar.

            · Present on the taskbar will be an icon encompassing 'Interactive Services Detection' and 'shell0 Window'.
                · The 'Interactive Services Detection' icon exposes the 'Interactive Services Detection' window and hides the user SYSTEM Desktop Experience.
                · The 'shell0 Window' icon exposes the user SYSTEM Desktop Experience and hides the 'Interactive Services Detection' window.

                · These windows are vulnerable to deliberate closure but should not be closed.
                    · If the 'Interactive Services Detection' window is closed, the following actions can be taken:
                        · User SYSTEM can start an application that has not yet been started during the session and the window 'Interactive Services Detection' will be restored.
                        · User SYSTEM can start the 'Interactive Services Detection' Windows service and the window 'Interactive Services Detection' will be restored.
                        · User SYSTEM can click 'Windows Button | Shut Down | Switch user', which will display the lock screen.
                        · User SYSTEM can click 'Windows Button | Shut Down | Restart', which will end all sessions and reboot.

            · Some applications in the user SYSTEM Desktop Experience may function anomalously or not at all:
                · Internet Explorer
                · etc.

            · Most applications other than File Explorer can be run interactively in the signed-in desktop user's session as user SYSTEM and do not require a user SYSTEM Desktop Experience:
                · Internet Explorer
                · Registry Editor
                · etc.
                · These applications may be used by executing the instructions in the heading 'Execute Applications other than File Explorer as User SYSTEM'.

            · Upon reboot, all indicated user SYSTEM Desktop Experience customizations except the establishment of the user SYSTEM shell folders will be reverted.
                · These customizations can be re-established by executing the instructions in this heading 'Establishing a complete user SYSTEM Desktop Experience'.

            · Despite PSPRO's general recommendations against establishing a user SYSTEM Desktop Experience and user SYSTEM shell folders, PSPRO recognizes that a user SYSTEM Desktop Experience coupled with an operating system inactivity lock prevention tool is often the correct environment for extended-length troubleshooting in Windows 6.1.

    ____________________
    Windows 6.2 and Uplevel


        __________
        Execute Windows 6.2 and Uplevel File Explorer


        · In the SYSTEM cmd.exe window, execute: explorer.exe
            · The window 'File Explorer' will appear.
            · The window 'Location is not available' will appear.
                · Observe the warning information:

                    │C:\WINDOWS\system32\config\systemprofile\Desktop is unavailable. If the location is on this
                    │PC, make sure the device or drive is connected or the disc is inserted, and then try again. If the
                    │location is on a network, make sure you're connected to the network or Internet, and then try
                    │again. If the location still can't be found, it might have been moved or deleted.

                    · This warning information is expected because user SYSTEM has no 'Desktop' folder.
                    · This warning can be permanently prevented by creating the folder: C:\Windows\System32\Config\Systemprofile\Desktop
                    · PSPRO recommends against creating this folder as the warning information is a visual cue that the File Explorer window is starting as user SYSTEM.
                · Click: OK
            · The window 'Location is not available' will close.

        __________
        Windows 6.2 and Uplevel File Explorer Behavior


        · The signed-in desktop user's taskbar will display the following icons:
            · A 'normal' File Explorer taskbar icon encompassing all File Explorer windows running as the signed-in desktop user.
            · A distinctly separate File Explorer taskbar icon for user SYSTEM.
                · Each user account's taskbar icon will encompass that user account's File Explorer windows.
                · e.g., if File Explorer is running as the signed-in desktop user Alice and also as user SYSTEM then two separate File Explorer taskbar icons will exist.

        · File Explorer taskbar icon appearance:
            · The signed-in desktop user's File Explorer taskbar icon will never change its appearance.
            · User SYSTEM's File Explorer taskbar icon will change its appearance if the currently-selected folder has a customized icon defined in the folder's desktop.ini file.

        · File operations:
            · Copy/paste/move/delete progress windows may not be rendered for user SYSTEM's File Explorer windows.
            · Copy/paste/move/delete folder content changes may not be automatically refreshed in user SYSTEM's File Explorer windows, requiring manual refresh.
            · Clipboard file sharing may not function between user SYSTEM's File Explorer windows and the signed-in desktop user's File Explorer windows.

┌───────────────────────────────────────
Shortcuts

• Windows shortcuts can be created to start any application as user SYSTEM:
    · For the desired application, create a Windows shortcut:
        · Target: "<X:\Path>\psexec.exe" -dis "<Y:\Path\applicationname.exe>"
        · Start in: "<X:\Path>"
            · Where:
                · '<X:\Path>' is the fully-qualified pathname to psexec.exe.
                · '<Y:\Path\applicationname.exe>' is the fully-qualified pathname to the application.
                · Double-quotes are necessary in the 'Target' and 'Start in' fields of the Windows shortcut only if the fully-qualified pathnames or application names contain spaces.

• PSPRO recommends creating Windows shortcuts to cmd.exe and explorer.exe.

┌───────────────────────────────────────
Credits

Any externally referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.



I am Christopher Etter, a Professional Services consultant.

Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!