In the ‘good old days’ of Windows 2000 / Windows XP there was the AT.exe command with its /interactive switch. If you scheduled a task using
AT 12:34 /interactive cmd.exe
cmd.exe was started by the Task Scheduler Windows service. Since that service ran under the system account, the cmd.exe process was created by Local System authority, so your cmd.exe process was running as SYSTEM.
Nowadays, with Windows Vista / Windows 7, UAC and other improvements, the AT /interactive way no longer works. But (for Christ’s sake) there are the Sysinternals tools by the almighty Dr. Russinovich, and in this post we’re looking at the psexec.exe tool in particular. So, to run cmd.exe or any other process as SYSTEM, just download psexec.exe and call it as follows:
C:\>\Temp\SysinternalsSuite\PsExec.exe -i -d -s cmd.exe
PsExec v1.98 – Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals – www.sysinternals.com

cmd.exe started on CONWKS100 with process ID 5220.
In the cmd.exe window that opens, type:
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>
and you’ll see that you’re ‘the god of your system’ and have all privileges.
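A defender’s-side footnote to the above, as an added example that is not from the original post or from Sysinternals: PsExec works by installing a temporary service named PSEXESVC on the target machine, whether that target is remote or the local box, so every run like the one shown leaves a System-log event 7045 (“a service was installed”) behind. This PowerShell script, which assumes an elevated prompt on the machine being checked, lists those events from the last few days:

```powershell
# Added audit example (not part of the original post or of PsExec itself).
# PsExec installs a short-lived service, PSEXESVC (image PSEXESVC.exe under
# %SystemRoot%), on the target machine for every invocation, local or remote.
# Service Control Manager logs each install as System event 7045, so listing
# those events shows when PsExec was used on this host. Reading the System
# log requires an elevated PowerShell prompt.
param(
    [int]$Days = 7    # how far back to look
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Match on either the service name or the image path.
    if ($data.ServiceName -like 'PSEXESVC*' -or $data.ImagePath -like '*PSEXESVC*') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = $data.ServiceName
            ImagePath   = $data.ImagePath
            ServiceUser = $data.AccountName   # account the PSEXESVC service itself runs as
            Computer    = $e.MachineName
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    "No PSEXESVC service installs found in the System log during the last $Days days."
}
```

Correlate each hit with the 4688 process-creation events (if process auditing is enabled) around the same timestamp to see which command PsExec actually launched, since event 7045 records only the service install.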
Links
SysInternals psexec.exe can be downloaded here