Running a script in the Windows Local System account


Today I needed to debug a scheduled script and test its behavior when run in the Windows Local System account instead of my regular domain user’s (this was on Windows Server 2016 but should work the same in (much) older versions).

I did a bit of research and found a tool from the PsTools suite on Sysinternals called PsExec. It is mainly for executing programs on remote machines and gives you the ability to launch interactive command prompts. Good stuff, even though we only need a tiny portion of its capabilities.

Let’s do it!

Let’s download the tool (2.7 MB zip file, the whole PsTools suite), extract it and then open an elevated cmd prompt.

Navigating to the extraction location of the suite, we can now run:

psexec -i -s cmd.exe

This will give us another cmd prompt, but this time in the context of the Local System. To verify, we run whoami in this prompt and should now see nt authority\system. ✊

Breaking down the options

We don’t specify a remote (as in psexec \\remote) as we want to run it locally. -i will let us run the process (cmd) interactively, and -s stands for the System account. If you like, you can add the -d option to not wait for the process to terminate (without it, the process in the initial prompt will continue until you exit the “remote” one).
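
When debugging a scheduled script, it helps to see exactly what differs between the two contexts. The following PowerShell script is an added example, not part of the original post: run it once from a normal prompt and once from the prompt opened by psexec -i -s cmd.exe, and it lists the settings that differ. The file name Get-RunContext.ps1 and the folder C:\Temp\runcontext are assumptions.

```powershell
# Get-RunContext.ps1 (hypothetical name): record the execution context of the
# current process and compare it with the context recorded under Local System.
# Start it in each prompt with: powershell -File .\Get-RunContext.ps1

function Get-RunContext {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [ordered]@{
        Account     = $id.Name
        Sid         = $id.User.Value     # S-1-5-18 is the Local System account
        IsSystem    = $id.IsSystem
        SessionId   = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
        UserProfile = $env:USERPROFILE   # differs for SYSTEM (systemprofile folder)
        Temp        = $env:TEMP
        WorkingDir  = (Get-Location).Path
        # Mapped network drives belong to a logon session, so they are
        # usually missing when the script runs as SYSTEM.
        Drives      = (Get-PSDrive -PSProvider FileSystem |
                       ForEach-Object { $_.Name }) -join ','
        Path        = $env:Path
    }
}

$outDir = 'C:\Temp\runcontext'           # assumed location, writable by both accounts
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# One JSON file per account, named after its SID.
$ctx = Get-RunContext
$ctx | ConvertTo-Json |
    Set-Content -Path (Join-Path $outDir ("{0}.json" -f $ctx.Sid)) -Encoding UTF8

# Once a SYSTEM run exists, report every setting that differs from it.
$systemFile = Join-Path $outDir 'S-1-5-18.json'
if (Test-Path $systemFile) {
    $system = Get-Content $systemFile -Raw | ConvertFrom-Json
    $others = @(Get-ChildItem $outDir -Filter *.json |
                Where-Object { $_.Name -ne 'S-1-5-18.json' })
    foreach ($file in $others) {
        $user = Get-Content $file.FullName -Raw | ConvertFrom-Json
        foreach ($key in $system.PSObject.Properties.Name) {
            if ("$($system.$key)" -ne "$($user.$key)") {
                [pscustomobject]@{ Setting = $key
                                   AsSystem = $system.$key
                                   AsUser   = $user.$key }
            }
        }
    }
}
```

Differences in UserProfile, Temp, Drives and Path are the usual reasons a script works interactively but fails when scheduled under Local System.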

To learn more about the options of PsExec, check out this page in the Microsoft docs: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.
