Run as SYSTEM with PsExec.exe (to be able test Intune Win32App or Scripts)

Captions
Hello there. In this video we're gonna show how you can run as SYSTEM, and why would you want to run as SYSTEM? Well, because of Intune, for example. Sometimes you may package something and it works perfectly under your local admin account, but when you push it through Intune it fails. So let me show what I mean with Intune. For example, if I take one of my packages here and click on it and then go to Properties: you know, when you create the package you have the option here, Install behavior. You can install as System or User. User will install with the permissions of the logged-in user; if they're not local admin, anything in Program Files or anything that requires more permissions will fail. System always has a lot of permissions. So that's why it can be good to not have to upload your Win32 app to Intune to test; you can test already on your local machine as SYSTEM.

So here I have Task Manager open. You see I'm logged in as gbn, but a lot of tasks are running as SYSTEM. So how can we test to run as SYSTEM? I'm going to use a virtual system to demonstrate this, and at the end of this video, be sure to not miss that, we're gonna do a little hacker thing: we're gonna use this, running as SYSTEM, to do something pretty cool, so stay to the end. But for now we want to run as SYSTEM. So I have this virtual machine and I'm actually logged in as a normal user right now, and in order to run as SYSTEM you must be an admin. So I just wanted to show this; it goes with the end of the video. So this is a user, not an admin user. It has Zoom started; this user also has Outlook started; it has a web page running. So let's say this user doesn't log out. This is the sales user; he just locked his session, and now I'm gonna log in with an admin user.

Okay, so now we are in with an admin user and we want to run as SYSTEM. So if I would run anything now, I would run that with my own credentials. I start the CMD; I will start it as admin. But if I here now type whoami... you see I'm AzureAD\... oh, here pops up Teams... I'm John Burns, my user; I'm not SYSTEM. So how can I be SYSTEM then? Well, we're gonna use a Sysinternals tool called PsExec. It's actually a tool used to execute files on remote devices, but it can be used to run as SYSTEM on a local device. So we can just download PsTools, and I might have done that already on this device. So here we have PsTools, Sysinternals. It's done by Mark Russinovich; it was bought by Microsoft. So we can download the whole PsTools suite. We will just need one file; I'm gonna take two files, but we actually just need one. So it's fairly small, four megabytes. So if we open here, I'm just gonna extract this one, Extract All. I could have been using 7-Zip on this machine, but I use the Windows built-in. So here it's opened up in my Downloads. I just want PsExec and PsExec64, so I'm gonna copy these two and I'm gonna put them somewhere on my system. I'll go to C:\. Let's call it... it doesn't matter where you have them, as long as you know the path. I call it PSTools, and I'm gonna paste these two files in here. So these are the ones we need to elevate to SYSTEM. This one is 32-bit, works good on 64-bit, and this one is 64-bit. I'm gonna use the 64-bit one, so I actually just needed one.

So I go back here, and you see it's important it started as administrator. If I didn't start the CMD as administrator it won't work. So I'll go back to the root, and then I called it PSTools, right? So if I do dir there, here I have my PsExec, and here comes... let's... here comes the command. I'll run the 64-bit; both work. So I'm gonna do a -help just to show which two switches we need to be SYSTEM. So if I scroll up here: first we need -i, it's to run the program so it interacts with the desktop, because by default SYSTEM runs as non-interactive, and I'll show that in Task Manager. So if we open Task Manager and then we show all the things here, there's a field which is not visible by default, so I will have to right-click. If I select columns, there's a column called Session ID. So if I click on Session ID and then sort, let's sort all on SYSTEM. So here you see SYSTEM, session ID 0. What does that mean? Well, that means it's not interactive; if this one runs something it can't be shown as a window. But this one, csrss, runs in session 1; that means it's run as interactive. So most SYSTEM runs hidden, and that's why we're going to use this -i, so we can interact with it; it's going to put it in session 1. So if we run PsExec with just -i it's not going to make us SYSTEM; we need one more, we need -s. So here it says "Run the remote process in the System account"; we're gonna run locally. So hopefully that explains the switches.

So now if we run PsExec64, we do -i, yes, for interactive, because we want it in session ID 1; we do -s, yes, because we want to be SYSTEM. What do we want to run? Well, let's start another CMD. The first time you run, you usually have to accept the agreement; I've probably already done that on this system. So now we got another CMD. Why did we do that? Well, you remember when I typed whoami it showed my AzureAD\John Burns; well, now I'm NT AUTHORITY\SYSTEM. So now I have a lot more permissions. Well, still admin, but there is no... this bypasses Group Policy and a lot, and again, disclaimer: be careful when you're in this mode. So let's see what we can do here. So if I run my package that I wanted to test in Intune, I can run it from here within this CMD: go to my package and run it, then it will run as SYSTEM. There are some limitations with SYSTEM. If you have seen my latest winget videos, you see that, because for example winget.exe, if I type that here as SYSTEM, it says it doesn't recognize it. But let me start another CMD, and this time I run as administrator, and I'm gonna do whoami again. So if I do whoami I should be the Azure AD account... whoami, yep. If I now type winget.exe, it actually finds it. So why didn't it find it in the SYSTEM account? Well, it has to do with the path.

Because if I... let's... if I type set here, now I'm in the Azure AD account, you see I have a Path here. So if we look more at that Path, I can do an echo %path%; then we see what that variable Path has. That Path has one value... let's see where it is. Yep, the last one here, see: C:\Users\John Burns ... WindowsApps. And if we go here, let's see if I can copy that one, do Ctrl+C. So if we do cd, change directory, and look what we have here: dir. We actually have a winget here. So that means wherever... it doesn't matter where I stand here in the directory; due to my Path (I'll show that one again), due to my Path it will always look for winget in this Path. So first it will look where I stand; if it doesn't find it, it will go to Windows\System32; you won't find it there either; then it will go in Windows, blah blah blah, all the way to the end, and here it will actually find winget. If we switch back to our friend who is SYSTEM: so if I now look from SYSTEM, if I put whoami (hope you can follow me here), this one, if I check the Path, it also has a variable for Path; it actually also has WindowsApps here, but if we try to go here it will fail. So let me copy this one and do cd; so this one will fail. That's why it can't find winget, because winget is definitely not under System32, and it's going to go through all the stuff it has in the Path and say "hey, I can't find it". But if we go back to our other one (I put whoami again, Azure AD), we have the Path; you see here that winget is zero kilobytes. It's actually not the real winget; this is a special file which points to the real one, and we can find that out. I'm gonna clear the screen now because it's a bit messy, with cls. We can find out where this file points to if we use a tool called fsutil. So I'll hit that one just to see what the next command is: fsutil; then it's called reparsepoint. And we hit enter again, and here you can either delete the reparse point or query; we want to query, and what do we want to query? Well, winget.exe. This will not be in a format that's so easy to read, but I think it makes the point. So here I'll have to scroll up a bit, higher resolution. So here we ran it, and it found it, and it's pointing actually to the real file. So let's go to see: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller, the version number, winget. So this... I'll show this file again, dir, here: this winget here is zero kilobytes, but it's just a pointer to the real one. So that's why SYSTEM can't use winget natively. But if you have seen my videos, we have a way around that: we actually give the full path to winget by a script now. So when we are NT AUTHORITY\SYSTEM, go to your folder; you can even start PowerShell, you can even type ise and start it, and everything that you start from this command prompt runs as SYSTEM. So here... what's... something it recovered; so this one installs PuTTY, I think, yeah. So we could run this one, and it's going to find winget because we add... and you want to exit; so it already has the latest. But that's not what I wanted to show, just to show that when you are SYSTEM you can test your script, you can test your installation; if they work as SYSTEM then you are ready to upload to Intune. So that's a bit about SYSTEM.

Now we come to the end part that I wanted to show you. Remember when I was logged in as this sales user who had a lot of dollar signs on the wallpaper? Let's say we want to go in as that user, but we don't know that user's password. And again, this is hacker; I don't recommend you ever do this; it's just good to know how powerful the SYSTEM account is. So the user is logged on but disconnected, but I don't know that user's password. So if I try to log in as this user, well, I need to know the PIN or the password; let's say the password. I don't know this user's password, but I really would like to go in as this user. I know my password and I'm local admin, so I know the user is there. What I can do is, from a command line where I am started as a user... SYSTEM, sorry, I can do taskmgr.exe; that's going to start a Task Manager. Actually I want to close this one because I started this one as a normal user, so be sure you don't have any Task Manager. If I start Task Manager as SYSTEM, here I got it, then here you have the different users. You see you have the sales user here, and I have started this Task Manager again as SYSTEM. If I right-click here, I don't have to know the user's password; if I just say Connect, I'm gonna get into that user's session. And that's the cool thing I told in the beginning of the video. So you click Connect, I don't know the user's password, we are in here. I don't know if you remember that he was looking at this web page; if we look at the wallpaper, I'm logged in now, without knowing his password, as the sales user, just because I was logged in as SYSTEM. And just to prove that this user can't do the same back, because this user is not local admin: well, first, if I Run as administrator it's going to ask, say "hey, you're not admin", and you don't know... If I just start CMD normally and then go to our PSTools and try to run the PsExec, and I want to run as interactive SYSTEM, what we did last time, it's not going to work. Oh, this one I have to agree... Access denied. You have to be local admin, and you easily see that by saying Administrator up here. So as an administrator I could do this trick, but not as a normal user. I think that's super cool; I hope you think that as well. Thank you very much for watching this video, see you in another one. Have a good day.
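A PowerShell helper, added here as an example and not part of the video or of the PsTools suite, that bundles the checks the video walks through by hand: whether the current shell is elevated, whether it already runs as SYSTEM and in which session, and where the real winget.exe lives so a script run under SYSTEM can call it by full path instead of the 0-byte alias. It assumes PsExec64.exe was copied to C:\PSTools as in the video; the function names are my own.

```powershell
# Added example (not from the video or the PsTools suite).
# Assumption: PsExec64.exe was copied to C:\PSTools, as in the video.
$PsExecPath = 'C:\PSTools\PsExec64.exe'

function Get-RunContext {
    # Who am I, am I elevated, and which session am I in (0 = non-interactive)?
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User       = $id.Name
        IsSystem   = ($id.User.Value -eq 'S-1-5-18')   # well-known SID of NT AUTHORITY\SYSTEM
        IsElevated = $prin.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        SessionId  = (Get-Process -Id $PID).SessionId
    }
}

function Get-WingetPath {
    # winget.exe under the user's WindowsApps folder is a 0-byte reparse point that
    # SYSTEM cannot follow, so resolve the real binary under Program Files\WindowsApps
    # and prefer the highest package version.
    $pkgRoot = Join-Path $env:ProgramFiles 'WindowsApps'
    Get-ChildItem -Path $pkgRoot -Directory -Filter 'Microsoft.DesktopAppInstaller_*' -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'winget.exe' } |
        Where-Object { Test-Path $_ } |
        Sort-Object { [version](((Split-Path $_ -Parent | Split-Path -Leaf) -split '_')[1]) } -Descending |
        Select-Object -First 1
}

function Start-AsSystem {
    # Launch a program as interactive SYSTEM, the way the video does with "PsExec64 -i -s cmd".
    param([Parameter(Mandatory)][string]$Program)
    $ctx = Get-RunContext
    if (-not $ctx.IsElevated) { throw 'PsExec -s needs an elevated (local admin) shell; this one is not.' }
    if (-not (Test-Path $PsExecPath)) { throw "PsExec64.exe not found at $PsExecPath" }
    # -accepteula skips the first-run licence dialog; -i puts the process in the
    # interactive session; -s runs it under the SYSTEM account.
    & $PsExecPath -accepteula -i -s $Program
}

# Typical use: show the context; under SYSTEM, verify winget is reachable by full path,
# otherwise open a SYSTEM command prompt to test a package in.
Get-RunContext | Format-List
if ((Get-RunContext).IsSystem) {
    $winget = Get-WingetPath
    if ($winget) { & $winget --version } else { Write-Warning 'winget.exe not found under WindowsApps' }
} else {
    Start-AsSystem -Program 'cmd.exe'
}
```

Run the script once from an elevated prompt to get the SYSTEM console, then run it again inside that console to confirm IsSystem is true, SessionId is 1, and winget resolves to its real path.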
Info
Channel: Intune & Vita Doctrina
Views: 4,453
Keywords: PsTools, PsExec.exe, SYSTEM
Id: E5FsUxoReJ8
Length: 15min 27sec (927 seconds)
Published: Thu Feb 23 2023