Keywords: Windows Systems | Local System Account | CMD.exe | PSTools | psexec Command | System Privileges
Abstract: This paper provides an in-depth exploration of technical solutions for running CMD.exe under the Local System Account in Windows Vista and subsequent versions. By analyzing the limitations of traditional methods including AT commands, service creation, and scheduled tasks, it focuses on the psexec command from Sysinternals PSTools toolkit as an effective solution. The article elaborates on parameter configuration, execution principles of psexec command, and provides complete operational procedures and security considerations, offering practical technical guidance for system administrators and developers.
Technical Background and Problem Analysis
In Windows system administration and development, there is often a need to simulate the Local System Account environment for testing application behavior or performing specific system operations. The Local System Account possesses the highest system privileges, enabling access to system resources and registry entries that ordinary user accounts cannot reach. However, starting from Windows Vista, Microsoft introduced security mechanisms such as User Account Control, making traditional methods for running interactive applications under the system account more complex.
Limitations of Traditional Methods
Early Windows systems could use the AT command with the /interactive parameter to launch interactive command line windows:
AT 12:00 /interactive cmd.exe
However, in Vista and subsequent versions, this method triggers a security warning stating "due to security enhancements, this task will run at the time expected but not interactively." This occurs because the /interactive switch has been deprecated, and the system has strengthened security restrictions on interactive service detection.
Another attempt involves creating custom services through the Service Control Manager:
sc create RunCMDAsLSA binpath= "cmd" type=own type=interact
sc start RunCMDAsLSA
This approach typically results in service startup failure, with error code 1053 indicating "The service did not respond to the start or control request in a timely fashion." This happens because interactive services require special session isolation and desktop access permissions, which are strictly restricted in modern Windows systems.
PSTools Solution
The Sysinternals PSTools toolkit provides the psexec command, effectively addressing the need to run CMD.exe under the system account:
psexec -i -s cmd.exe
Here, the -i parameter specifies interactive mode, and the -s parameter indicates execution under the system account. This command works by creating a temporary service through the Windows Service Control Manager, executing the specified program in the system context, and then establishing an interactive connection with the current user session.
Detailed Operational Steps
First, download the PSTools toolkit from the official Microsoft website, then extract it to obtain the psexec.exe executable file. It is recommended to place the tool in the system path or a fixed directory for convenient use.
The execution process involves the following steps:
- Open Command Prompt with administrator privileges
- Navigate to the directory containing psexec.exe
- Execute the command: psexec -i -s cmd.exe
- The system will briefly display a service installation prompt, then launch a new CMD window
- In the new window, execute the whoami command to verify the current account, which should display "nt authority\system"
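The whoami step above only shows an account name. The following PowerShell script is an added example (not from the original article) that goes further: run it from the CMD window that psexec opened, and it checks the account SID, whether the shell landed in a user session rather than the isolated session 0, and the token's integrity label. The script name and the cmd.exe-side invocation are assumptions.

```powershell
# Added example, not part of the original article. From the CMD window that
# "psexec -i -s cmd.exe" opened, run:  powershell -File Test-SystemContext.ps1
function Test-SystemContext {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM; comparing SIDs instead
    # of the display name avoids locale-dependent spellings of the account name.
    $isSystem = ($identity.User.Value -eq 'S-1-5-18')

    # Since Vista, services run in the isolated session 0. With -i, psexec should
    # have placed this shell in a user session; otherwise nothing interactive is visible.
    $sessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId

    # Token integrity label as reported by whoami (a SYSTEM token carries
    # "Mandatory Label\System Mandatory Level").
    $labelLine = whoami /groups | Select-String -Pattern 'Mandatory Level' | Select-Object -First 1
    $integrity = if ($labelLine) { ($labelLine.Line -split '\s{2,}')[0] } else { 'unknown' }

    [PSCustomObject]@{
        User           = $identity.Name
        IsLocalSystem  = $isSystem
        SessionId      = $sessionId
        InUserSession  = ($sessionId -ne 0)
        IntegrityLevel = $integrity
    }
}

$result = Test-SystemContext
$result | Format-List
if (-not $result.InUserSession) { Write-Warning 'Shell is in session 0; the -i switch did not take effect' }
if (-not $result.IsLocalSystem) { Write-Warning 'Shell is not running as Local System'; exit 1 }
```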
Technical Principle Analysis
The core mechanism of the psexec command involves interacting with the Service Control Manager through remote procedure calls to create a temporary Windows service on the target system. This service runs under the Local System Account and executes the specified command-line program. When using the -i parameter, psexec attempts to redirect the program's input and output to the current user's interactive desktop.
Compared to traditional AT commands, psexec offers the following advantages:
- No need for pre-configured scheduled tasks
- Supports immediate execution without waiting for specific times
- Provides complete interactive session support
- Compatible with modern Windows security architecture
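The temporary service described above leaves a record in the System event log, which is how an administrator can confirm or audit what the "service installation prompt" actually did. The PowerShell function below is an added example (not from the original article); it assumes Event ID 7045 ("A service was installed in the system") and psexec's default service name PSEXESVC, both documented Windows/Sysinternals behaviour that the article itself does not state.

```powershell
# Added example, not part of the original article. Lists recent service-install
# events and flags the ones that look like psexec's temporary service.
function Get-PsExecServiceInstalls {
    param([int]$Hours = 24)

    $since  = (Get-Date).AddHours(-$Hours)
    # Event ID 7045 in the System log is written whenever a service is registered with the SCM.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The 7045 message body carries "Service Name:", "Service File Name:" and "Service Account:" lines.
        $name    = [regex]::Match($e.Message, 'Service Name:\s+(.+)').Groups[1].Value.Trim()
        $image   = [regex]::Match($e.Message, 'Service File Name:\s+(.+)').Groups[1].Value.Trim()
        $account = [regex]::Match($e.Message, 'Service Account:\s+(.+)').Groups[1].Value.Trim()

        [PSCustomObject]@{
            Time            = $e.TimeCreated
            ServiceName     = $name
            ImagePath       = $image
            RunsAs          = $account
            # Heuristic on the default name/image; PowerShell -match is case-insensitive.
            LooksLikePsExec = ($name -match '^PSEXESVC' -or $image -match 'psexesvc')
        }
    }
}

Get-PsExecServiceInstalls -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Reading the System log requires an elevated shell; the RunsAs column should show LocalSystem for the psexec entry, matching the -s switch.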
Application Scenarios and Considerations
This technique is primarily applicable in the following scenarios:
- Testing Windows service behavior under system account
- Debugging applications requiring system privileges
- Performing administrative tasks requiring system-level access
- Analyzing differences in system components across different privilege contexts
The following security considerations should be noted during use:
- The system account has highest privileges; operations should be performed cautiously
- Avoid abusing system privileges in production environments
- Note that network access may be restricted
- Ensure the PSTools version comes from a trusted source
Compatibility and Version Considerations
This method has been tested and verified in Windows Vista, Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008 and subsequent versions. For older Windows XP systems, while the AT command might still be effective, it is recommended to uniformly adopt the PSTools solution to ensure compatibility and security.
It is worth noting that different Windows versions exhibit variations in session isolation and security aspects. In newer Windows 10 and Windows 11 systems, additional configuration or privilege elevation might be necessary to successfully establish interactive sessions.
Conclusion
Running CMD.exe under the Local System Account via the psexec command from PSTools provides system administrators and developers with a reliable and efficient technical solution. This method overcomes the limitations of traditional approaches and adapts to the security requirements of modern Windows systems while maintaining operational simplicity and practicality. In practice, it is advisable to apply this solution with regard to the specific requirements and characteristics of the environment.