I was reading today an old article about running CMD.exe as Local System and was glad that I found a way to do it easily. So, I continued reading the documentation from Microsoft about the command
sc create and then, with a big smile on my face, started creating a service for finally running the CMD as Local System on my Windows 7. Yay!
So, I opened a Command Prompt, and ran the command for creating a service that runs in interactive mode CMD.exe as Local System:
sc create TestCMD binpath= "C:\Windows\System32\CMD.exe /K start" DisplayName="CMD Service" type= own type= interact
[SC] CreateService SUCCESS
And then… SURPRISE!
WARNING: The service TestCMD is configured as interactive whose support is being deprecated. The service may not function properly.
Now, obviously, I wanted to start the TestCMD service.
sc start TestCMD
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
I noticed that together with the message above, the “Interactive Services Detection” window popped and a button started blinking in the taskbar.
If the “View the message” button is clicked, then the Command Prompt will be run as Local System. Otherwise, in case the “Ask me later” button will be clicked, the window will just close and that’s that.
Now, in order to clean-up the mess, the TestCMD service has to be deleted and for that, in a Command Prompt let’s type:
sc delete TestCMD
What if I don’t want to interact with the “Interactive Services Detection” window?
I then started wondering why this happened and found a very interesting article which explains the concept of Session 0 Isolation. The idea is that starting with Windows Vista, the services and system processes run in session 0 in order to protect the services from privilege escalation exploitations/hijacking. Therefore, it is self-explanatory why the user logs on to Session 1,2,3 and so on.
More specific information about Session 0 Isolation on Windows 7 can be found here.
After doing some reaseach on this, found out that the only way to achieve running CMD.exe under Local System without getting the “Interactive Services Detection” pop-up would be through the PsExec tool from Microsoft:
psexec -accepteula -s -i cmd.exe
I have extracted the description of each parameter used above from the documentation provided by Microsoft.
-i Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session.
-s Run the remote process in the System account.
-accepteula This flag suppresses the display of the license dialog.
I ran the command
whoami in the new Command Prompt window and been showed that CMD was running under Local System.