Sysinternals tool: PsExec / PSExec64

Becoming «NT Authority\System»

With PsExec, it is possible to become NT Authority\System using the -s and -i flags.
-s runs the executable in the System account; -i specifies that it interacts with the desktop (that is: it is interactive).
C:\Users\rene> PsExec64 -s -i cmd 
…
C:\WINDOWS\system32> whoami /user
…
User Name           SID
=================== ========
nt authority\system S-1-5-18

Viewing protected registry keys

The registry keys HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY are protected by the System account (identified by the SID S-1-5-18). Thus, they cannot be examined even by members of the Administrators group.
In order to be able to navigate to these keys, regedit.exe must be started as System:
PsExec64 -s -i regedit.exe

Do not wait for cmd.exe to be closed

PsExec waits for the started process to terminate by default. In order to open a cmd.exe with System privileges without waiting for it to be terminated, the -d option must be specified:
C:\Users\rene> PsExec64 -s -d -i cmd

Open a command prompt on a remote machine

A command can be executed on a remote machine. The following command line executes cmd.exe on the computer named compi. Note that the two backslashes in front of a computer name need to be escaped by another backslash (in a shell that treats the backslash as an escape character), thus totalling four backslashes:
PsExec64 \\\\compi -u username -p password cmd
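From the defender's side, the commands on this page leave traces: the process creation record of the PsExec launch (with its -s or \\computername arguments) on the source host, and on the target host the installation of the PSEXESVC service that PsExec registers there. The following Python is an added example, not from the original page or from Sysinternals; it runs over constructed, simplified event records (the field names are assumptions, not the exact Windows event schema).

```python
import re

# Constructed sample events, shaped loosely like Windows Security 4688 (process
# creation with command-line auditing) and System 7045 (new service installed).
# Field names are simplified for this example, not the exact Windows schema.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "WS01", "User": "rene",
     "CommandLine": r"PsExec64 -s -i cmd"},
    {"EventID": 4688, "Host": "WS01", "User": "rene",
     "CommandLine": r"PsExec64 -s -d -i cmd"},
    {"EventID": 4688, "Host": "WS01", "User": "rene",
     "CommandLine": r"PsExec64 \\compi -u compi\admin -p Secret123 cmd"},
    {"EventID": 7045, "Host": "compi", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Host": "WS01", "User": "rene",
     "CommandLine": r"notepad.exe C:\Users\rene\notes.txt"},
]

# Matches psexec / psexec64 / psexec.exe as the launched image, case-insensitively.
PSEXEC_IMAGE = re.compile(r"(^|[\\/ ])psexec(64)?(\.exe)?(\s|$)", re.IGNORECASE)


def psexec_findings(events):
    """Return one (host, severity, reason) tuple per suspicious event."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4688:
            cmd = ev.get("CommandLine", "")
            if not PSEXEC_IMAGE.search(cmd):
                continue
            args = cmd.split()[1:]
            flags = {a.lower() for a in args if a.startswith("-")}
            targets = [a for a in args if a.startswith("\\\\")]  # \\computername
            reasons = []
            if "-s" in flags:
                reasons.append("runs as SYSTEM (-s)")
            if targets:
                reasons.append("remote target " + ", ".join(targets))
            if "-p" in flags:
                reasons.append("password passed on the command line (-p)")
            severity = "high" if ("-s" in flags or targets) else "medium"
            findings.append((ev["Host"], severity, "; ".join(reasons) or "PsExec launched"))
        elif ev.get("EventID") == 7045:
            # PSEXESVC is the default service name PsExec installs on the target
            # host (unless renamed with -r); seeing it means PsExec reached this host.
            if ev.get("ServiceName", "").upper() == "PSEXESVC":
                findings.append((ev["Host"], "high",
                                 "PsExec service installed: " + ev.get("ImagePath", "")))
    return findings


if __name__ == "__main__":
    for host, sev, why in psexec_findings(SAMPLE_EVENTS):
        print(f"{host:6} {sev:6} {why}")
```

The -p finding is worth acting on even where PsExec use is legitimate: the password is visible in command-line auditing, while omitting -p makes PsExec prompt for it instead.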

See also

Sysinternals

Links

https://github.com/poweradminllc/PAExec is an open source equivalent to PsExec.