Shulou(Shulou.com)06/02 Report--

Local System is the account run by the core components of Windows. It is a special account built into the system and cannot be managed in "local users and groups". Local System has higher privileges than Administrator and is the running account for session Manager (Smss.exe), Windows Subsystem (Csrss.exe), and Local Security Authorization Subsystem (Lsass.exe).

The Local System account loads the default user's profile, which is HKEY_USERS\ .DEFAULT. The saved configuration file and default file are located in C:\ Users\ Default.

Using the PsExec.exe program, you can run the program as a system user. The program is now included in the PSTools toolset.

PsExec.exe also has a 64-bit version.

1. Run powershell as an administrator (or you can run cmd.exe, which is the same in both cases), and go to the directory where PsExec is located.

two。 Run PsExec-I-s cmd.exe to run the cmd program as the system user. The-s parameter here is mainly used to run the program as system, while the-I parameter is mainly used to display the interface of the running program. Without this parameter, the running program can only run in the background and cannot be operated on.

Note: commands may vary from version to version of PsExec.exe program. The following parameters may be different. When selecting parameters, we should pay attention to the interpretation of two parameters, one is:

Run the program so that it interacts with the desktop of the

Specified session on the remote system. If no session is

Specified the process runs in the console session.

One is:

Run the remote process in the System account.

3. Press win + r key to open the "run" dialog box (you can also operate in the search box), enter "cmd.exe" and press "OK" to open the cmd program.

4. Run whoami in two cmd.exe programs to know in what capacity the program is running. This is shown in two cmd.exe programs in the following figure. You can see the "user name" column of two cmd.exe programs in the Task Manager, one as "paitouxi" and the other as "SYSTEM" running the program.

5. Programs that are opened in cmd.exe running as system are run as system. Programs that are opened in cmd.exe running as an administrator run as an administrator and do not pop up the user account Control dialog box. Enter "regedit.msc" in each cmd.exe to open the Registry Editor (note: enter it in c:\ Windows\ System32, otherwise it may display: 'regedit.msc' is not an internal or external command, that is, the program cannot be found). You can also run PsExec.exe-I-s regedit.msc directly in powershell to run the Registry Editor as system. Because the Registry Editor cannot have several processes at the same time as cmd.exe, you must close it and run it as another after running it as one. Let's take a look at the contents of the registry key HKEY_LOCAL_MACHINE\ SAM\ SAM as an example to see the difference between the two types of users running. The following figure shows the contents of the subkeys under HKEY_LOCAL_MACHINE\ SAM\ SAM when the Registry Editor is opened, respectively. You can see that the administrator does not have permission to view the contents of the subkey of the registry key.

(1) Open the Registry Editor as an administrator.

(2) as system, open the Registry Editor.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.