Windows NT service running in LocalSystem account context

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT services run as LocalSystem by default. LocalSystem is a predefined local account and any service running under LocalSystem:

The service can NOT open HKEY_CURRENT_USER .
The service can open HKEY_LOCAL_MACHINE\SECURITY.
The service has no network credentials and can only access network resources using a null session. If a share or pipe is accessible by Guest via a null session, it has access. There is a common misconception that a service running as LocalSystem has no network access.

Services are generally non-interactive, that is they are a console application which runs whenever the operating system is running. If a service opens a command window and runs a script, anyone logged onto the console could press Ctrl+C and terminate the script, leaving the command shell open with LocalSystem permissions. From a security perspective, be cautious with the AutoExNT service which is a service which allows you to run a batch file, Autoexnt.bat, when you boot NT. Srvany is another method to convert an application into a service. Just be aware that the service opens up security exposures if it uses the command shell.

One should review the security context of every service. Any hack which takes control of the service has the access rights of the account the service is running as. Some shops have sql server running as local administrator or even as a domain administrator account. Consider the security implications if one leaves such the sql sa account without a password (Microsoft's default). In that case one gains access to sql with a powerful or very powerful account and using sql shell commands, one can add a local admin account (if sa is running as local admin) or domain admin account (if sa is running as domain admin) using net user and net group

Register Now for Office365 CON - 2017 Online Conference!

Early registration is now open for Office365 CON 2017, the annual online gathering of IT Strategists, Microsoft MVPs and Messaging Technology Vendors. This convenient, annual online event is presented by TechGenix and MSExchange.org for the benefit of busy IT Professionals within the global Office 365 and MS Exchange communities.

Early registrants for this year's conference will also receive a Symantec White Paper: Top 5 SSL/TLS Attack Vectors: How they have impacted IT and how you can avoid them , as well as an invitation to join a special Conference Preview broadcast.

Time and Date: Thursday, March 23, 2017, starting at 10am EDT | 9am CDT | 7am PDT

Newsletter Subscription

WindowsNetworking.com Sections

Featured Freeware

Download Free TFTP Server. The most trusted on the planet by IT Pros

Home
Articles & Tutorials
Building a PowerShell GUI (Part 13)

This article concludes the PowerShell GUI series by demonstrating a technique for changing a virtual machine’s memory allocation by using a GUI interface... Read More

Importance of Service Records (SRV) in an Active Directory Environment

SRV Records, sometimes referred to as Service Records, are required by services such as LDAP, KDC, Global Catalog, KMS and any other applications that registers SRV records to provide services to the clients... Read More

Articles & Tutorials Categories
KBase Tips
How do I list Active Directory Manual Replication Connection Objects?

Tip explains how to get manually created replication connection objects in an Active Directory Forest... Read More

Check Object Replication Status across Active Directory Forest

Tip explains how you can check object replication status Active Directory forest... Read More

Windows Server 2012/2008/2003/2000/XP/NT Administrator Knowledge Base Categories

Reviews
Free Tools
Blogs
Forums
White Papers
Contact Us

Community Area

Windows NT service running in LocalSystem account context

See Also

See Also

Featured Links