running as SYSTEM

[DeepT]

Id like to run a process as user SYSTEM, how do I do this? Also is there any place I can find out the restrictions of what a process as user SYSTEM are? I know there is no output/gui, but beyond that, can it do everything a process running with administraitor privledges can do?

[Jean-Guy2000]

SYSTEM has less access then Administrator. For example SYSTEM cannot read from network resources. Most NT services start under SYSTEM user context unless otherwise specified.

CreateProcessAsUser is a good API to look at if you want to run as SYSTEM in a application running under currently logged in user context.

[DeepT]

Basically I have this app that monitors someones computer and can do certain things like change route maps, force AV software to update, and will display web pages informing the user about various issues.

All this is fine under an account with admin privledges. However some people want to install this app (which can be done under an admin account), but then let it run under a limited user account. The problem is that limited users can not do things like change the registry (HKLM for example), route tables, etc..

So Ill have to split this into two parts. One app that does everything, that runs under system, and another app that presents web pages that will run under the context of the user. I also do not want to do it as a services because Win98/ME are supported and they do not have services. Also services can not read/write to the registry except for HKCU.

I could just tell someone set these up as admin users, but then it would require an admin account for all machiens to be made and some kind of config that would let my app know how to start as an admin. Or something like that.

Any ideas how to get around this problem? I figured that SYSTEM exsits on all systems and doesn't need a password so it could be a easy way to handle the logistics of getting a somewhat privledged process to run for even limited users.

[DeepT]

Ok I have another idea that might work...

Suppose my process is running as an admin, but the current admin guy does *not* have an interactive session, but LocalUser (who is limited does). Is it possible for me to spawn a process (maybe with shell execute) for the limited user so he can see a web page?

If possible then I need to find out the following:
Is *this* user an administrator?
How do I find a user, if any, with an interactive session on this computer?
How do I invoke a process (or show a window) in the interactive context?

[Sef]

SYSTEM has less access then Administrator. For example SYSTEM cannot read from network resources.

Actually, the SYSTEM account has unrestricted access to your entire machine and is also an administrator by definition since it contains the local administrators group in its access token. Moreover, if the machine is part of a Windows domain (on Win2000 and later), then it can also access network resources since each machine has its own domain account no different than any other domain user (in this case the machine's account is "DomainName\MachineName" for the given domain and machine).

[DeepT]

Ok, well I still do not know how to create a process as SYSTEM nor can I find any info on it. I did look up that API call, but I have no idea how to use it to create a process as SYSTEM. Id assume, however, it can not do that since it would seem to me, it would need to be started as SYSTEM during boot and that would be the *only* time you could create a system process.

Does anyone have more info on this?

[DeepT]

I guess a lot of people here do not know much, if anything about creating applications that run under the system account. I have been doing some digging and have found, although it might not entirely be correct:

Services can run under the system account and this is done via the installer for the service.

If anyone knows more about this, id like to know:
Can a service start another process that is a non-service with system privledges?

Can you just a process run as system without it being a service (or started from one) ?

[Sef]

I guess a lot of people here do not know much, if anything about creating applications that run under the system account. I have been doing some digging and have found, although it might not entirely be correct:

Services can run under the system account and this is done via the installer for the service.

If anyone knows more about this, id like to know:
Can a service start another process that is a non-service with system privledges?

Can you just a process run as system without it being a service (or started from one) ?

First of all, I suggest you reconsider Win98 and Win Millenium. MSFT's retired their support for it and even paid support ends at the end of this June. As for the various issues you've raised, I wouldn't hazard to comment too much in this forum. I'm not familiar enough with the details of your application and don't want to steer you in the wrong direction. You really need to do some research on Windows security first. I say this (respectively) because your knowledge is still too limited to proceed based on some of your feedback. For instance, if you have to ask how to determine if someone is an administrator or not then you really need a primer on Windows security in general before trying to tackle a project like this. I guarantee you'll have problems later on if you don't understand the details now (and few people really know this stuff so exercise caution about who you trust). If it's any help (note that I'm a professional developer with 20+ years of C/C++ experience) I can try to answer some specific questions for you subject to the time I have (I'm not here too often). In the meantime, I strongly suggest you get hold of the following book: "Programming Windows Security" by Keith Brown (well-known Windows security guru). It's getting on in years now and may have to be back-ordered but it's still the best source of programming information I've ever seen on Windows security (and touches every one of the issues you've raised). BTW, "CreateService" is what you use to install a service under the SYSTEM account or any other account for that matter. Good luck.