Note: This blog post is designed to complement the accompanying video embedded at the top of the page. The video provides an in-depth, visual demonstration of the concepts and code discussed here, making it an invaluable resource for learners.
Introduction: Why Run an Executable as SYSTEM?
The SYSTEM account is the most privileged user on a Windows machine, more powerful than even Administrator. Running your code as SYSTEM is a key capability for security researchers, developers working with services, and red teamers exploring privilege escalation.
🔧 The Challenge of Running as SYSTEM
Creating a process as SYSTEM isn’t straightforward. Standard APIs like CreateProcess inherit the token of the calling process, so unless you’re already SYSTEM, it won’t help. Even CreateProcessAsUser demands special privileges. But there’s a better approach: CreateProcessWithTokenW.
Option 1: PsExec – A Quick Solution
Using SysInternals’ PsExec with the -s (SYSTEM) and -i (interactive) options lets you spawn processes in your current session as SYSTEM. This works well, but it’s a black box, and sometimes we want to know exactly what’s going on under the hood.
Option 2: Manual Token Duplication (The Real Deal)
- Find a SYSTEM Process
Use the ToolHelp API to locate processes likelsass.exe, which run as SYSTEM and are not protected in older Windows versions. - Open the Process and its Token
CallOpenProcesswithPROCESS_QUERY_INFORMATION, then useOpenProcessToken. Requires admin privileges. - Duplicate the Token
UseDuplicateTokenExto get a new primary token withTOKEN_ALL_ACCESS. - Launch the New Process
WithCreateProcessWithTokenW, spawn a process like Notepad. It’ll run under SYSTEM and appear in your user session if configured correctly.
❗️ Pitfalls to Avoid
- Protected Processes: Modern Windows versions protect key processes like LSASS and SMSS. You won’t be able to get their tokens.
- Session Context: SYSTEM processes often start in session 0. Use
-ior set up the proper session in code to interact with the process. - Privileges in Tokens: SYSTEM tokens may have different privileges depending on which process they come from.
🧪 Final Result: SYSTEM-Level Execution
If done correctly, your executable (e.g., Notepad) runs as SYSTEM in your session. Inspect it in Process Explorer, check the token, privileges, and confirm you’re operating with full SYSTEM rights.
Limitations and Security Considerations
🔹 Requires Administrator Privileges – Regular users cannot open LSASS’s token.
🔹 Protected Processes – On Windows 11, LSASS is protected, so this method may fail.
🔹 Security Risks – Running arbitrary code as SYSTEM can be exploited by attackers, making this a high-risk technique in security research.
Why This Matters for TrainSec Students
For students in Windows Internals Master and Windows Security Researcher, understanding SYSTEM privilege execution is crucial for:
✅ Malware & Rootkit Analysis – Many malware samples escalate privileges using SYSTEM tokens.
✅ Advanced Debugging & Forensics – SYSTEM access allows researchers to analyze critical processes.
✅ Windows Security Research – Understanding privilege escalation techniques helps build better security defenses.
📌 Want to learn more? Check out Mastering Windows Internals at TrainSec!
$1300
$1040 or $104 X 10 payments
Windows Internals Master
Broadens and deepens your understanding of the inner workings of Windows.
Next Steps: Deepen Your Windows Security Knowledge
If you’re serious about Windows security, debugging, and malware analysis, TrainSec offers:
🔥 Mastering Windows Internals → Advanced Windows security & debugging
🔍 Windows Security Researcher → Reverse-engineering & forensic techniques
🛡️ WinDbg Mastery → In-depth system analysis
Explore the accompanying video for a detailed walkthrough of the code and concepts, and keep experimenting.
For more insights into Windows internals and advanced programming concepts, keep exploring TrainSec’s free Knowledge Library. Stay tuned for more deep dives into topics that empower your technical growth!
Liked the content?
Subscribe to the free TrainSec knowledge library, and get insider access to new content, discounts and additional materials.
