Using the privileges of the SYSTEM account

Source: Internet
Author: User

As you know, SYSTEM is the most powerful built-in account. By default you cannot log on to the Windows desktop as SYSTEM from the logon dialog. In fact, the SYSTEM account is already "running" in the system: even Winlogon, Lsass and the other processes responsible for authenticating users run as SYSTEM, so who would authenticate SYSTEM? Since the SYSTEM account is already present, all you need to do is start the Windows shell program, Explorer, as SYSTEM, which is equivalent to logging on to Windows as the SYSTEM account.

1. Obtaining privileges

1. Click "Start > Run", enter cmd and press Enter to open a Command Prompt window.

2. Enter the following command at the command prompt and press Enter:

taskkill /f /im explorer.exe

(This ends Explorer for the current account.) (Figure 1)

Figure 1

3. Enter the following command at the command prompt and press Enter:

at <time> /interactive %systemroot%\explorer.exe

(<time> is a moment slightly later than the current system time, for example one second ahead.) (Figure 2)

Figure 2

After a few seconds the system reloads the user profile and starts the Windows shell process explorer.exe under the SYSTEM identity.

2. Verification

1. The Start Menu now displays the SYSTEM account. (Figure 3)

Figure 3

2. Open Registry Editor: all you have to prove is that HKCU is now a link to HKU\S-1-5-18 (S-1-5-18 is the SID of the SYSTEM account). The proof is simple: create an arbitrary Test subkey under HKCU, refresh, and check whether the same Test subkey appears under HKU\S-1-5-18. If it does, the system has currently loaded the SYSTEM account's user profile hive. (Figure 4)

Figure 4

3. Enter the following command in the command prompt:

whoami

It displays: NT AUTHORITY\SYSTEM (Figure 5)

Figure 5

Tip: the Windows XP Support Tools must be installed for whoami to be available. Download:

http://download.microsoft.com/download/d/3/8/d38066aa-4e37-4ae8-bce3-a4ce662b2024/WindowsXP-KB838079-SupportTools-ENU.exe
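The three checks above, as an added example that is not part of the original article: a PowerShell script that performs the same verification (token identity and the HKCU link to HKU\S-1-5-18) and, from the administrator's side, flags an explorer.exe owned by SYSTEM and any scheduler job set to run as SYSTEM. It assumes PowerShell 2.0 or later on the machine being checked, that schtasks /v CSV output carries the "Run As User" and "Task To Run" columns, and the probe key name is constructed.

```powershell
# Added example, not the article's own code. Assumes PowerShell 2.0+ and WMI.
$systemSid = 'S-1-5-18'   # SID of NT AUTHORITY\SYSTEM, as stated in the article

# 1. Token identity: the PowerShell equivalent of the article's "whoami" check.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Current token: $($me.Name) (SID $($me.User.Value))"
$isSystem = ($me.User.Value -eq $systemSid)
"This shell runs as SYSTEM: $isSystem"

# 2. Is HKCU a link to HKU\S-1-5-18? Same proof as the article: create a
#    throwaway key under HKCU, look for it under HKU\S-1-5-18, then remove it.
$probe = 'ZZProbe_' + [Guid]::NewGuid().ToString('N')   # constructed key name
New-Item -Path "HKCU:\$probe" -Force | Out-Null
$hkcuIsSystemHive = Test-Path "Registry::HKEY_USERS\$systemSid\$probe"
Remove-Item -Path "HKCU:\$probe" -Force
"HKCU is the SYSTEM hive: $hkcuIsSystemHive"

# 3. Detection: explorer.exe normally runs as the logged-on user. One owned by
#    SYSTEM is exactly what the article's at /interactive trick produces.
Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    $name  = "$($owner.Domain)\$($owner.User)"
    if ($name -eq 'NT AUTHORITY\SYSTEM') {
        "ALERT: explorer.exe PID $($_.ProcessId) is running as $name"
    }
}

# 4. Detection: jobs queued with "at" appear in the scheduler (named At1, At2, ...)
#    and run as SYSTEM; list every SYSTEM job and what it launches. Assumes the
#    "Run As User" / "Task To Run" column names of schtasks /v CSV output.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match 'SYSTEM' -or $_.TaskName -match '^\\?At\d+$' } |
    ForEach-Object { "Scheduled as SYSTEM: $($_.TaskName) -> $($_.'Task To Run')" }
```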

3. Applications

1. Registry access:

Note: without SYSTEM permission you cannot access certain registry keys, such as HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY. These keys hold the system's core data, and some viruses and Trojans are frequent visitors there. For example, a hidden account with administrator rights created under the SAM key is invisible to "net user" and to Local Users and Groups (lusrmgr.msc), which poses a great risk to the system. With SYSTEM permission, access to the registry is unobstructed and all such hidden hands are exposed!

Operation: open Registry Editor and try to access HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY. Access should now be unrestricted. (Figure 6)

Figure 6

2. Access the System Restore files:

Note: System Restore is a self-protection feature of Windows. It creates a "System Volume Information" folder in the root of each drive and stores system information there for recovery. If you do not want to use System Restore, or want to delete some files under this folder, you will find that it has the hidden and system attributes and cannot be deleted without SYSTEM permission. Logged on with SYSTEM permission, you can delete it at will; you can even create files under it to protect your privacy.

Operation: in Explorer click "Tools > Folder Options", switch to the "View" tab, and in the Advanced settings list clear the "Hide protected operating system files (recommended)" check box and select "Show hidden files and folders" under "Hidden files and folders". You can then access the System Restore working directory C:\System Volume Information without restriction. (Figure 7)

Figure 7

3. Replacing system files:

Note: Windows protects system files. Normally you cannot replace a system file, because system files are backed up in C:\WINDOWS\system32\dllcache (assuming the system is installed on drive C). After you replace a system file, the system automatically restores it from this directory; when the file is not present there, a prompt (Figure 8) asks you to insert the installation disc. In practice you sometimes need to modify system files of your own system, or replace an older version of a system file with a newer one to improve system functionality. For example, Windows XP allows only one user to log on remotely; replacing the corresponding Windows XP file with the remote logon file from Windows 2003 lifts that limit. This is hard to do without SYSTEM permission but easy with it.

Figure 8

Operation: extract the termsrv.dll file from a Windows 2003 system and replace the file of the same name under C:\Windows\system32 on Windows XP. (On Windows XP SP2, the files of the same name under C:\WINDOWS\$NtServicePackUninstall$ and C:\WINDOWS\ServicePackFiles\i386 must also be replaced.) Then configure the system to allow multiple users to log on remotely to Windows XP.
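As an added example (not the article's own code), a PowerShell integrity check from the administrator's side: it hashes the live termsrv.dll against the copies the article names (dllcache and ServicePackFiles\i386) and flags a file whose version does not belong to the running OS, which is what a Windows 2003 termsrv.dll on XP looks like. The file list and the directory layout are assumptions.

```powershell
# Added example, not the article's own code. Assumes PowerShell 2.0+ and the
# XP directory layout the article names; the file list is an assumption.
$root  = $env:SystemRoot
$files = @('termsrv.dll')   # extend with other protected files of interest

function Get-Sha256Hex ([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$osVer = [System.Environment]::OSVersion.Version   # 5.1 on XP, 5.2 on 2003
foreach ($f in $files) {
    $live = "$root\system32\$f"
    if (-not (Test-Path $live)) { "MISSING: $live"; continue }
    $liveHash = Get-Sha256Hex $live
    $liveVer  = (Get-Item $live).VersionInfo.FileVersion
    "$f  live: version $liveVer  sha256 $liveHash"

    # The WFP backup and the SP2 copy the article says must be kept in sync.
    $backups = @("$root\system32\dllcache\$f", "$root\ServicePackFiles\i386\$f") |
        Where-Object { Test-Path $_ }
    foreach ($b in $backups) {
        $same = (Get-Sha256Hex $b) -eq $liveHash
        $v    = (Get-Item $b).VersionInfo.FileVersion
        # dllcache is what WFP restores from, so it should match the live file;
        # ServicePackFiles may lag behind a later hotfix, so only report it.
        $tag = if ($same) { 'same as live copy' }
               elseif ($b -like '*\dllcache\*') { 'ALERT: differs from live copy' }
               else { 'differs from live copy' }
        "  $b : version $v : $tag"
    }

    # A Windows 2003 termsrv.dll dropped onto XP carries a 5.2.x file version while
    # the OS is 5.1; flag any protected file whose major.minor differs from the OS.
    if ($liveVer -notmatch "^$($osVer.Major)\.$($osVer.Minor)\.") {
        "  WARNING: $f version $liveVer does not match OS $($osVer.Major).$($osVer.Minor)"
    }
}
```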

4. Manual virus removal:

Note: when using a computer, a user usually logs on as Administrator or another administrator-level account, so after an infection most viruses and Trojans run with Administrator privileges. Normally we rely on anti-virus software once the system is infected. If the anti-virus software has been crippled, or it can detect the virus but cannot remove it, the only option left is to go in by hand and remove the virus manually. Under Administrator permission, a manual scan and removal often achieves nothing; usually you must boot into Safe Mode, and sometimes the virus cannot be removed even there. If you log on with SYSTEM permission, virus removal becomes much easier.

Operation: (Taking manual virus removal as an example; I simulated a manual removal on a virtual machine some time ago.) Press "Windows Firewall". Log on to the system with SYSTEM permission. The process is terminated successfully. Then the original virus file is deleted, the related registry entries are cleared, and the virus is completely removed from the system. (Figure 10)

Figure 9

Figure 10

4. Summary

SYSTEM permission is the highest permission in the system, higher than Administrator, and it can be used to complete many tasks that cannot be done otherwise. There are many other uses; this article is only a starting point, and I hope you will discover more practical techniques in practice. Of course, the greatest privilege also means the greatest danger. It is like holding an imperial sword ("Shang Fang Bao Jian") in your hand: please do not harm innocent people! In daily use we recommend working with an ordinary administrator account or a normal user account, and using SYSTEM permission only under special circumstances.
