How to Run Applications in the Local System Account (LSA)

Posted March 17, 2006 by cozofdeath in Windows

This tutorial describes Local System Account (LSA) and details how to run applications within it.


The system account (SID: S-1-5-18) and the administrator account (Administrators group) have the same file privileges, but they have different functions. By the way, the system account is one of many built-in accounts. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example, during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account. Permissions for the system account can be removed, but it is definitely not recommended.

If you did not know what the local system account was, now you do, and you can thank Microsoft for that little explanation. The local system account on NT 3.1 and earlier could also establish remote null sessions because of its credentials, but that was fixed in NT 3.5. If you would like to find out which services are running in the LSA, go to Start, Run, and type services.msc. In the main Services window, look under the Log On As column to see which services start as LSA. Double-clicking a service reveals its properties, and the Log On tab shows which account that service uses. There are times, however, when you need to change an LSA service to a user account, usually to access a remote resource, because you have to present your user credentials. The "Allow service to interact with desktop" checkbox is used if you want to see and interact with that application; unchecked, it runs in the background, hidden from the user. Also, any environment changes require a restart before the LSA account recognizes them, because the LSA account gets its environment settings from services.exe at boot time.

You should now be tired of hearing about this, so I will get on with the main point: using the LSA. One easy way to do this is through the AT command. The AT command is the DOS Task Scheduler command, and by default it runs its jobs in the LSA. For more help on the AT command, type at /? in an MS-DOS window for a list of its options. If you wanted to run the registry editor as LSA, you would type "AT 09:15 /interactive regedit.exe". To prove you are in the system account, look under the HKEY_LOCAL_MACHINE\SECURITY key, and you should see sub-keys. This is where your LSA Secrets (all local account passwords, including system accounts, and other info) are stored. More info on LSA Secrets can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;199071

Now, open regedit normally from your Run box and see whether you have anything in the SECURITY key. You should not anymore, because you are no longer running as the system account. When typing the command, make sure you use 24-hour (military) time, include the .exe at the end of the filename, and include the /interactive option so that you can see the window. Many Windows operating systems have problems when using the /interactive option. If you encounter this problem, a Knowledge Base article can be found here:
http://support.microsoft.com/kb/121562/EN-US/

Another great method is to use a tool called PsExec from Sysinternals, which can be found here:
http://www.sysinternals.com/Utilities/PsExec.html

This tool can also be used for running remote apps in the Local System account, and it has some other handy features. By typing Psexec.exe -i -s cmd.exe, you get a command prompt on your system running in the LSA. You can add a \\remotemachine option before the -i, and it should also work remotely, provided your credentials have sufficient rights on the remote machine.
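To put the two checks above into a script, the services.msc "Log On As" inspection and the "am I really System?" test, here is an added PowerShell example that is not part of the original tutorial. It assumes PowerShell 3.0 or later on a Windows host; the function names are mine, and it lists services that log on as Local System (flagging those allowed to interact with the desktop) and reports whether the current shell runs as SID S-1-5-18.

```powershell
# Added example (not from the original tutorial): enumerate services that log on
# as the Local System account, the same information services.msc shows under
# "Log On As", and flag the ones with "Allow service to interact with desktop" set.
# Assumes PowerShell 3.0+ on Windows; works from a normal user prompt.

function Get-LocalSystemService {
    [CmdletBinding()]
    param(
        # Only return services that may interact with the desktop.
        [switch]$InteractiveOnly
    )
    # Win32_Service.StartName is "LocalSystem" for services using the LSA.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' }
    if ($InteractiveOnly) {
        # DesktopInteract mirrors the checkbox on the service's Log On tab.
        $services = $services | Where-Object { $_.DesktopInteract }
    }
    $services | Select-Object Name, DisplayName, State, StartMode, DesktopInteract, PathName
}

# Confirm which account the current shell runs as. A prompt started through
# "at ... /interactive cmd.exe" or "psexec -i -s cmd.exe" reports S-1-5-18;
# a normal user prompt reports the user's own SID instead.
function Test-IsLocalSystem {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return ($sid -eq 'S-1-5-18')
}

# Report: every Local System service, how many can touch the desktop, and
# whether this shell is itself running as the system account.
Get-LocalSystemService | Sort-Object Name | Format-Table -AutoSize
"Interactive Local System services: $(@(Get-LocalSystemService -InteractiveOnly).Count)"
"Current shell is Local System: $(Test-IsLocalSystem)"
```

Run it once from a regular prompt and once from a prompt started via AT or PsExec -s to see the last line change; the interactive-service list is also worth reviewing, since anything listed there runs with full system rights and a visible window.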

If you know of any other methods, please email me so that I can append them to this tutorial.
