Here is the article on the available ways to log on / escalate to the SYSTEM user on XP… Enjoy.

Logon as “NT AUTHORITY\SYSTEM” user on Windows XP

%% BY EDU %%

[-Introduction-]
Windows XP has basically two groups of users: administrators and users.
Administrators have complete access to all system resources and can make critical
changes to the machine; basically they can do pretty much everything.
Users have restrictions: they cannot make system changes to the machine. They can
only make changes that affect the user itself, not the other users.
By default Windows has a user called Administrator. This user is the built-in user
with administrator rights.
Users with administrator powers can add other users to the local computer and
decide whether they will be normal users or administrators.
To view the users and groups present on the local computer, open the Local Users and
Groups manager. In the ‘RUN’ field in the Start menu type:
lusrmgr.msc
Besides these users, Windows XP has 3 main built-in security users.
They are:
NT AUTHORITY\LocalService
NT AUTHORITY\NetworkService
NT AUTHORITY\SYSTEM
The first 2 accounts are used by services. They are restricted accounts. In this article
I will also show a way to log on as these users. The third one
is used by services or local applications/programs and it has administrator powers.
These 3 accounts don't have a password.
**Notice this article is for Windows XP but I guess it goes well for other NT based systems
such as Windows NT 4.0/2000/2003 **

[-Method 1-]
Very simple and effective. You must have admin powers to perform this.
Open Command Prompt (CMD.EXE) and type:
time /t
The above command displays the current time. Supposing the current time is 22:57, type:
at 22:58 /interactive CMD.EXE
Wait 1 minute and notice that a Command Prompt is launched. If you look at the window title
it reads c:\windows\system32\svchost.exe, not c:\windows\system32\cmd.exe.
Now type CD and see that the current directory is c:\documents and settings\NetworkService.
Pressing Ctrl+Alt+Del pops up the Task Manager. See that there is a process cmd.exe executing as
‘System’. That's it: you can run any application as the “NT AUTHORITY\SYSTEM” user by using the AT
command.
Now, using the Task Manager, kill the process ‘Explorer.exe’, or use the command:
TASKKILL /F /IM Explorer.exe
Notice that all desktop icons as well as the task bar and system tray are gone. Now, in the Command
Prompt launched by “NT AUTHORITY\SYSTEM”, type EXPLORER.EXE
Everything is back but a bit different. Press the Start button and see that ‘System’ is written at
the top of the menu. Now run anything you want and look at the process in the Task Manager:
everything is being executed as the “NT AUTHORITY\SYSTEM” user.
Notice that if the /interactive parameter of the AT command is omitted, the application is launched
as System but invisible, so you can use this to run any file hidden, including .BAT files.
At the cmd prompt type SET
Look for the ‘userprofile’ variable. It will point to “NT AUTHORITY\NetworkService”.

[-Method 2-]
Download the application ‘autoexnt.exe’ from the Microsoft website. This is an application that runs as
a service and executes a script file called ‘autoexnt.bat’. In this script you may put the commands
you want. Notice that when you install the application using ‘instexnt.exe’ you must use the
interactive parameter for this method to work. The interactive parameter makes the application
interact with the desktop.
After successful installation of the autoexnt service, edit the file ‘autoexnt.bat’, which must be
located in the system dir, so that it contains:
START CMD
After you log in with a valid user account you will see the Command Prompt window.
Every command or application run from it will be executed under the “NT AUTHORITY\SYSTEM” account.
Kill the explorer.exe process and then restart it from that prompt. You will see that the user now is SYSTEM.
On the command prompt type SET
Look for the ‘userprofile’ variable. It will point to “NT AUTHORITY\LocalService”.

[-Method 3-]
The well known screen saver method. Open the Registry Editor (REGEDIT.EXE) and edit the following key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop. In the right pane change the data of
the REG_SZ value called SCRNSAVE.EXE from login.scr to CMD.exe, for example.
Do the same thing in the other users' keys:
HKEY_USERS\xxxx-xxxxx-xxxx-xxxx\Control Panel\Desktop, where xxxx is a combination of letters
and numbers,
HKEY_USERS\S-1-5-18\Control Panel\Desktop
HKEY_USERS\S-1-5-19\Control Panel\Desktop
and also any other key related to a specific user on the computer. The more users on the
computer, the more keys will exist under the root key ‘HKEY_USERS’, and therefore you will have to
change the SCRNSAVE.EXE value in those keys too.
If you think the default time to wait for the screensaver to be executed is too high, change the REG_SZ value
‘ScreenSaveTimeOut’ from 600 to whatever you want (except 0) for all users.
Reboot the computer and wait till the Command Prompt is launched. Type ‘set’:
you will see that the “userprofile” variable is set to ‘%windir%\system32\config\systemprofile’. (I thought that
user profiles were stored at \documents and settings\ but here's an exception.)
This method is weird: press Ctrl+Alt+Del and you would expect the Task Manager to launch. No, you are wrong:
you will go back to the logon screen.
This System user has much more power than a normal user (I think in some aspects even more than power users)
and a bit less than administrators.
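
As an added defender's check, not part of the original article, the following Python script parses a text export of the registry (the format written by regedit /e) and reports every Control Panel\Desktop key under HKEY_USERS whose SCRNSAVE.EXE value is not a .scr file, which is exactly the change Method 3 makes. The sample export embedded below is constructed, and the function names are my own.

```python
# Added defender's check (not from the original article): parse a text export of
# the registry, as produced by "regedit /e", and report any "Control Panel\Desktop"
# key under HKEY_USERS whose SCRNSAVE.EXE value is not a .scr file (Method 3).

# Constructed sample export, not taken from a real host. The .DEFAULT hive is the
# one the logon desktop uses, so a non-.scr value there runs before anyone logs on.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"SCRNSAVE.EXE"="CMD.exe"
"ScreenSaveTimeOut"="60"

[HKEY_USERS\S-1-5-18\Control Panel\Desktop]
"SCRNSAVE.EXE"="logon.scr"
"ScreenSaveTimeOut"="600"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\ssmyst.scr"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name.strip('"')] = data
    return keys


def find_screensaver_abuse(keys):
    """List (key, SCRNSAVE.EXE value, ScreenSaveTimeOut) where the screensaver is not a .scr."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if not (p.startswith("hkey_users\\") and p.endswith("\\control panel\\desktop")):
            continue
        exe = values.get("SCRNSAVE.EXE", "")
        if exe and not exe.lower().endswith(".scr"):
            findings.append((path, exe, values.get("ScreenSaveTimeOut")))
    return findings
```

On a real host, export HKEY_USERS with regedit /e and pass the file contents to parse_reg_export (the export is UTF-16, so open it with encoding='utf-16').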

[-Logon as NT AUTHORITY\NetworkService or NT AUTHORITY\LocalService-]
Supposing you have the autoexnt service installed, do what is shown below. Otherwise, read the ‘Method 2’ section and
follow the steps shown there:
Open Regedit.exe and go to HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Autoexnt
Edit the value ‘ObjectName’ by changing it to ‘NT AUTHORITY\NetworkService’ without the quotes
(alternatively you can change it to NT AUTHORITY\LocalService) and hit Enter. Now edit the file
autoexnt.bat, located by default in the system32 dir, so that it contains:
netcat -v -l -s 127.0.0.1 -p 30 -e cmd.exe
Save the changes to the file. If you don't have netcat, go grab it and save it in the system32 dir.
Now, if the service has already started, stop and restart it using the net stop/start commands or via the
Services console (services.msc).
Go to a command prompt and type netstat -an to check that netcat really opened port 30 and bound to
localhost (for security purposes, obviously). It will show 127.0.0.1:30 with state LISTENING.
Use netcat or telnet to connect to localhost on port 30:
netcat -v localhost 30
That's it. You will be greeted with a command prompt running under the NetworkService account, which is restricted.

[- Administrator vs. NT AUTHORITY\SYSTEM -]
Microsoft claims that by default Administrators have full access to the machine and can do pretty much everything.
WRONG! The NT AUTHORITY\SYSTEM user has full access to the machine, and some files and registry keys are only accessible
to this user by default, although it is possible for administrators to edit the default policies and file/registry
permissions. Example: log in as an administrator and try to browse the following registry keys:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains OR HKEY_LOCAL_MACHINE\SECURITY\Policy
or try to browse this folder: C:\SYSTEM VOLUME INFORMATION
Yes, an access denied error will happen.
PS: To see what's the current logged on user, use a tool called ‘whoami’ that is available in the Windows Resource
Kit if I am not wrong.
