S-1-5-18 (NT Authority\System)

S-1-5-18 is the well-known SID for the SYSTEM account. This account is sometimes also referred to as Local System.
The SYSTEM account is used by Windows itself and by services that run under Windows.
Because this account is internal, it is not shown in the user manager. However, it does appear in a file's Properties dialog, under the Security tab.
The SYSTEM account has full control over all files in an NTFS drive.

Becoming SYSTEM

Some objects, such as the registry keys HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY can only be accessed by SYSTEM.
The following examples show some ways to become SYSTEM.

Sysinternals/PsExec64

One way to become SYSTEM is to use the Sysinternals tool PsExec or PsExec64 (-s runs the process as SYSTEM, -i makes it interactive on the desktop):
PsExec64 -s -i cmd.exe

Starting cmd.exe instead of osk.exe

The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\progName.exe allows a debugger to be defined that is started whenever progName.exe is invoked.
The following change in the registry defines cmd.exe as the debugger for osk.exe:
set-itemProperty "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" -type string -name Debugger -value "C:\windows\system32\cmd.exe" -force
Now we need Windows (i.e. SYSTEM) to start osk.exe. This can be achieved by having the UAC prompt displayed, for example by starting regedit.exe.
When the UAC prompt is shown, the Windows shortcut key Windows + O allows the On-Screen Keyboard to be selected. This selection starts osk.exe, but since cmd.exe is defined as the debugger for this executable, it is the debugger, i.e. cmd.exe, that is started, and it runs as SYSTEM:
C:\Windows\System32> whoami
nt authority\system
It must be noted that the registry keys below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options are protected by Defender. So, in order to be able to change the value, the respective Defender setting must be disabled under Settings -> Update & Security -> Windows Security -> Virus & Threat protection -> Tamper protection by turning off Real-time protection.

Utilman.exe

Another hack is to replace Utilman.exe with cmd.exe.
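An added audit script, not part of the original notes, that checks for the two persistence points described above: IFEO subkeys carrying a Debugger value, and accessibility binaries (osk.exe, Utilman.exe) that have been overwritten by another program. It assumes an elevated PowerShell session; the function names are mine.

```powershell
# Added audit script (not from the original notes). Run elevated.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggers {
    # Each IFEO subkey is named after an executable; a Debugger value means
    # the named program is launched instead of it. Developer tools (JIT
    # debuggers) create such entries legitimately, so review before removing.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [PSCustomObject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
            }
        }
    }
}

function Test-AccessibilityBinaries {
    # A file copied over Utilman.exe keeps its own version resource, so the
    # OriginalFilename no longer matches the name on disk (cmd.exe reports
    # "Cmd.Exe"). An Authenticode check alone would not help here: a swapped-in
    # cmd.exe is just as validly Microsoft-signed as the original.
    foreach ($name in 'osk.exe', 'Utilman.exe') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        $info = (Get-Item -Path $path).VersionInfo
        $orig = [System.IO.Path]::GetFileNameWithoutExtension($info.OriginalFilename)
        $want = [System.IO.Path]::GetFileNameWithoutExtension($name)
        [PSCustomObject]@{
            File             = $path
            OriginalFilename = $info.OriginalFilename
            Suspicious       = ($orig -ne $want)   # -ne is case-insensitive
        }
    }
}

$findings = Get-IfeoDebuggers
if ($findings) {
    Write-Warning 'IFEO Debugger entries found (verify each one is expected):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No IFEO Debugger entries found.'
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

Any row with Suspicious = True, or an IFEO entry whose Debugger points at a shell rather than a real debugger, warrants a closer look at who changed the key or file and when.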

See also

S-1-5-18, S-1-5-19 and S-1-5-20
