
How to create process as NT AUTHORITY\LOCAL SERVICE


Gabor Tyukasz

Jul 29, 2008, 5:46:17 AM
Hello,

I have a Windows service application that is running as NT AUTHORITY\SYSTEM.
I'd like to serve some type of client requests using a less privileged
account. Windows XP (and later) has the NT AUTHORITY\LOCAL SERVICE account
which would be perfect for my purposes. Is there any way to obtain a token
handle to that account to be used in CreateProcessAsUser?

(I've tried to call LogonUser several ways to create the token, the best I
achieved was that it had failed with ERROR_ACCESS_DENIED instead of
ERROR_LOGON_FAILURE.)

Thank you,
Gabor

Larry Smith

Jul 29, 2008, 9:07:29 AM

Have a look at this:

http://download.microsoft.com/download/0/6/7/0678184e-905e-4783-9511-d4dca1f492b4/cmdasuser.exe

It's an old utility by Keith Brown (well-known Windows security guru),
complete with source (the whole thing's a self-compressed zip file). It's
now obsolete since Microsoft introduced the "RunAs.exe" utility but you can
see how it works. In particular, by passing it the command line argument
"localsystem", it will start a command prompt running under the System
account. You should now be able to leverage this to figure out how to do the
same thing under the localservice account. Note that there may be an easier
way (since this code is old now) but the basic security model hasn't really
changed in all these years. I therefore doubt if another way exists but you
may want to exhaust that avenue first. Also make sure there are no hiccups
under Vista given its security changes. Good luck.


Gabor Tyukasz

Jul 29, 2008, 9:28:03 AM
Thanks for the tip.

Actually, I have thought of creating a temporary service to call
CreateProcess (cmdasuser does exactly this when requesting localsystem user).
I'm curious if there is a more compact way...

Larry Smith

Jul 29, 2008, 9:48:03 AM
> Thanks for the tip.
>
> Actually, I have thought of creating a temporary service to call
> CreateProcess (cmdasuser does exactly this when requesting localsystem
> user).
> I'm curious if there is a more compact way...

Anything's possible but I've never come across one. There's no password for
this account so it seems doubtful that "LogonUser()" can be applied. At
least it makes no mention of this while "CreateService()" specifically does.
It also seems highly doubtful that "LogonUser()" was ever intended for these
special accounts (System, LocalService and NetworkService). I'm not sure why
though. In most respects they're really no different than any other account
(i.e., their tokens are the same as all other tokens). It would also be a
lot easier to work with them rather than relying on a service as you're now
finding out. You may want to try contacting Keith Brown himself or opening
an incident with MSFT. If there's an easier way I'd like to know as well
(but I'd be surprised).
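The "temporary service" route discussed above, as an added example that is not code from the thread or from cmdasuser: the Service Control Manager is the component that hands out a LocalService token, so a throw-away service registered with lpServiceStartName set to NT AUTHORITY\LocalService (the "obj=" argument of sc.exe) gets a worker process with exactly that identity. The service name and the worker path are placeholders; the worker must be a genuine Win32 service binary (one that calls StartServiceCtrlDispatcher), otherwise the SCM stops it with error 1053 after the start timeout. The script verifies the live process really runs as LOCAL SERVICE and always deletes the service again.

```powershell
# Added example (not from the thread or cmdasuser): give a worker a LocalService
# token by registering a throw-away service with the SCM, verify, then clean up.
# Run from an elevated PowerShell.
param(
    [string]$ServiceName = 'TmpLocalServiceWorker',   # hypothetical service name
    [string]$WorkerExe   = 'C:\Path\To\worker.exe'     # placeholder: a real service binary
)
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Sc {
    # sc.exe expects the space after 'option=' and signals failure only via exit code.
    param([string[]]$ArgList)
    $out = & sc.exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "sc.exe $($ArgList -join ' ') failed: $out" }
    $out
}

function New-LocalServiceWorker {
    # 'obj=' maps to CreateService's lpServiceStartName; LocalService needs no password.
    # 'start= demand' keeps the throw-away service from coming back as autostart.
    Invoke-Sc @('create', $ServiceName, 'binPath=', "`"$WorkerExe`"",
                'obj=', 'NT AUTHORITY\LocalService', 'type=', 'own', 'start=', 'demand') | Out-Null
}

function Start-LocalServiceWorker {
    Invoke-Sc @('start', $ServiceName) | Out-Null
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if ($svc.StartName -ne 'NT AUTHORITY\LocalService') {
        throw "unexpected StartName '$($svc.StartName)'"
    }
    # The SCM assigned the token; confirm the running process carries it.
    $proc = Get-Process -Id $svc.ProcessId -IncludeUserName
    if ($proc.UserName -ne 'NT AUTHORITY\LOCAL SERVICE') {
        throw "worker runs as '$($proc.UserName)', not LOCAL SERVICE"
    }
    $proc
}

function Remove-LocalServiceWorker {
    & sc.exe stop $ServiceName | Out-Null          # ignore 'service not started'
    Invoke-Sc @('delete', $ServiceName) | Out-Null
}

if (-not (Test-Elevated)) { throw 'Creating services requires an elevated shell.' }
try {
    New-LocalServiceWorker
    $worker = Start-LocalServiceWorker
    "Worker PID $($worker.Id) runs as $($worker.UserName)"
}
finally {
    Remove-LocalServiceWorker
}
```

The SYSTEM service then hands client requests to the worker over whatever IPC it already uses; the point of the check on UserName is that a misconfigured "obj=" silently falls back to LocalSystem, which would defeat the privilege reduction the original poster is after.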


DaveMo

Aug 1, 2008, 6:18:42 PM

Another possibility is to dumb down the LocalSystem token using
CreateRestrictedToken. See http://msdn.microsoft.com/en-us/library/aa379316(VS.85).aspx
for more info.

Dave
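The CreateRestrictedToken approach, as an added example that is not code from the thread: the P/Invoke wrapper below derives a restricted primary token from the current process token with DISABLE_MAX_PRIVILEGE (every privilege except SeChangeNotifyPrivilege is removed) and with the BUILTIN\Administrators SID marked use-for-deny-only, then shows the effect with WindowsPrincipal.IsInRole. The class name is hypothetical. Run it from an elevated PowerShell so the starting token still holds the Administrators group; a non-elevated shell already carries a filtered token and both lines print False.

```powershell
# Added example (not from the thread): CreateRestrictedToken from PowerShell via P/Invoke.
$Source = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class RestrictedToken   // hypothetical helper class
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CreateRestrictedToken(IntPtr token, uint flags,
        uint disableCount, SID_AND_ATTRIBUTES[] sidsToDisable,
        uint deleteCount, IntPtr privilegesToDelete,
        uint restrictCount, IntPtr sidsToRestrict, out IntPtr newToken);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertStringSidToSid(string stringSid, out IntPtr sid);

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);

    // TOKEN_ASSIGN_PRIMARY is required later if the new token goes to CreateProcessAsUser.
    const uint TOKEN_ASSIGN_PRIMARY = 0x0001, TOKEN_DUPLICATE = 0x0002, TOKEN_QUERY = 0x0008;
    const uint DISABLE_MAX_PRIVILEGE = 0x1;   // strip all privileges but SeChangeNotifyPrivilege

    // Returns a primary token: same user SID, listed groups use-for-deny-only, privileges dropped.
    public static IntPtr Create(string[] sidsToDisable)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(),
                TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY, out token))
            throw new Win32Exception();
        SID_AND_ATTRIBUTES[] disable = new SID_AND_ATTRIBUTES[sidsToDisable.Length];
        try
        {
            for (int i = 0; i < sidsToDisable.Length; i++)
                if (!ConvertStringSidToSid(sidsToDisable[i], out disable[i].Sid))
                    throw new Win32Exception();
            IntPtr restricted;
            if (!CreateRestrictedToken(token, DISABLE_MAX_PRIVILEGE,
                    (uint)disable.Length, disable, 0, IntPtr.Zero, 0, IntPtr.Zero, out restricted))
                throw new Win32Exception();
            return restricted;
        }
        finally
        {
            foreach (SID_AND_ATTRIBUTES d in disable)
                if (d.Sid != IntPtr.Zero) LocalFree(d.Sid);
            CloseHandle(token);
        }
    }
}
'@
Add-Type -TypeDefinition $Source

$adminsSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$restricted = [RestrictedToken]::Create(@($adminsSid))

$original = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$reduced  = New-Object System.Security.Principal.WindowsIdentity($restricted)
foreach ($pair in @(@('original', $original), @('restricted', $reduced))) {
    $label, $identity = $pair
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    '{0} token for {1}: member of Administrators = {2}' -f $label, $identity.Name, $isAdmin
}
```

Two caveats for anyone taking this route instead of a real LocalService worker: the restricted token still carries the caller's user SID (SYSTEM, in the original poster's case), so every object whose ACL grants that user remains reachable; a disabled SID only stops allow ACEs from matching while deny ACEs on it still apply. The stronger variant is the SidsToRestrict list, which makes every access check pass against both the normal and the restricting SIDs.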
