Tip: You can run PowerShell as NT AUTHORITY\SYSTEM in interactive mode or as a scheduled task.
Solution 1 : Interactive
Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList '/k C:\SysinternalsSuite\PsExec.exe -i -s powershell.exe'
Note: PsExec is a tool written by Mark Russinovich (included in the Sysinternals Suite) and can be downloaded here.
Solution 2 : Interactive
1) Open cmd.exe as administrator
2) psexec.exe -i -s powershell.exe
3) A new shell will open under “NT AUTHORITY\SYSTEM”
Solution 3 : Scheduled task
- Open Task Scheduler (taskschd.msc)
- Create a Basic Task
- Set a trigger (for this demo I chose “One time”)
- Set the start time (Synchronize across time zones = UTC)
- Start a program
- Settings
Program/script:
x64 (64-bit PowerShell on a 64-bit host) : %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
x86 (32-bit PowerShell on a 64-bit host) : %SystemRoot%\syswow64\WindowsPowerShell\v1.0\powershell.exe
Add arguments (optional):
-NoProfile -ExecutionPolicy Bypass -File C:\Demo\Get-CurrentUser.ps1
Get-CurrentUser.ps1
# Record the identity the script runs under, three different ways, and write it to a file
[PSCustomObject]@{
    'env:USERNAME' = $env:USERNAME                                            # shows MACHINE$ under SYSTEM
    'whoami'       = whoami.exe                                               # output of whoami.exe
    'GetCurrent'   = [Security.Principal.WindowsIdentity]::GetCurrent().Name  # NT AUTHORITY\SYSTEM
} | Format-List | Out-File -FilePath C:\demo\whoami.txt
- Check the box “Open the Properties dialog for this task when I click Finish”
- Change user to “SYSTEM” and configure for the OS of this machine (in my case it is Windows 10)
Note: I didn’t check the box “Run with highest privileges” in this case as it is not needed, but sometimes you could need that enabled.
- If I check the content of C:\demo\whoami.txt, I see that the script successfully ran under the context of NT AUTHORITY\SYSTEM
As we can see, the current user was indeed NT AUTHORITY\SYSTEM (the variable $env:USERNAME will show as “MACHINE$”).
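The same scheduled task can be created from PowerShell instead of the Task Scheduler GUI, and the same cmdlets let you audit which tasks on a host already run as SYSTEM and launch powershell.exe. This is an added example, not code from the original post; it assumes the script path C:\Demo\Get-CurrentUser.ps1 from Solution 3, and the task name is made up.

```powershell
# Added example (not from the original post). Builds the Solution 3 task with the
# ScheduledTasks cmdlets, then lists every task that runs as SYSTEM via powershell.exe.

function New-SystemDemoTask {
    param(
        [string]$TaskName   = 'Demo-GetCurrentUser',           # hypothetical task name
        [string]$ScriptPath = 'C:\Demo\Get-CurrentUser.ps1',   # script path from the post
        [datetime]$StartAt  = (Get-Date).AddMinutes(2)
    )
    # On a 64-bit host, System32 holds the 64-bit PowerShell; SysWOW64 holds the 32-bit one.
    $exe    = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $action = New-ScheduledTaskAction -Execute $exe `
                -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At $StartAt    # the "One time" trigger
    # SYSTEM is a service account: no password prompt, and "highest privileges" is not needed.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                    -LogonType ServiceAccount -RunLevel Limited
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger $trigger -Principal $principal -Force
}

# Audit side: every task whose principal is SYSTEM and whose action runs powershell.exe,
# with the full argument string, so that unexpected ones stand out during a review.
function Get-SystemPowerShellTask {
    Get-ScheduledTask |
        Where-Object {
            $_.Principal.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM' -and
            ($_.Actions | Where-Object { $_.Execute -match 'powershell\.exe' })
        } |
        ForEach-Object {
            $task = $_
            $task.Actions | ForEach-Object {
                [PSCustomObject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Execute   = $_.Execute
                    Arguments = $_.Arguments
                }
            }
        }
}

New-SystemDemoTask | Out-Null
Get-SystemPowerShellTask | Format-Table -AutoSize
```

Run it from an elevated PowerShell; the demo task should appear in the audit output alongside any other SYSTEM tasks that launch powershell.exe.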