Despite how cool it sounds (“Ya! Running as the highest-privileged user on the system!”), I can count on my hands how often I’ve ever had to run a PowerShell or CMD prompt as SYSTEM. Even then, it was just to clear Credential Manager or something quick. Regardless of why, here is how you can go about getting an ‘NT AUTHORITY\SYSTEM’ prompt:
1. Most common: download PsExec and launch it from an elevated prompt:
Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList '/k C:\SysinternalsSuite\PsExec.exe -i -s powershell.exe'
NOTE: This assumes you have the PsExec executable in the ‘C:\SysinternalsSuite’ directory. -Verb Runas starts cmd.exe elevated (expect a UAC prompt), and PsExec’s -i -s switches give you an interactive SYSTEM prompt.
2. If you want to use the ‘all native’ route, you can use Task Scheduler to run a script as SYSTEM:
Open Task Scheduler (taskschd.msc)
Create a Basic Task
Set a trigger (for example, ‘One time’)
Set the start time (Synchronize across time zones = UTC)
Start a program
Add arguments (optional):
-NoProfile -ExecutionPolicy Bypass -File C:\Demo\Get-CurrentUser.ps1
Contents of C:\Demo\Get-CurrentUser.ps1 (it records the identity three different ways so they can be compared):
# Build one object with all three answers and write it to a file the task can leave behind
[PSCustomObject]@{
    'env:USERNAME' = $env:USERNAME
    'whoami'       = whoami.exe
    'GetCurrent'   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
} | Format-List | Out-File -FilePath C:\demo\whoami.txt
Check the box ‘Open the Properties dialog for this task when I click Finish’
Change the user to SYSTEM and configure the task for the OS of this machine (in my case it is Windows 10)
Note: I didn’t check the box “Run with highest privileges” in this case as it was not needed, but sometimes you could need that enabled.
After it runs:
If I check the content of C:\demo\whoami.txt, I see that the script successfully ran under the context of NT AUTHORITY\SYSTEM
As we can see, the current user was indeed NT AUTHORITY\SYSTEM (note that $env:USERNAME shows the computer account, i.e. the machine name with a trailing $, as “MACHINE$”, rather than SYSTEM).
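As an added example (not from the original post), here is a more robust version of the demo script: it reports the same three answers as above, and additionally checks the well-known LocalSystem SID (S-1-5-18) so the verdict does not depend on the OS display language. The output path is the post’s C:\demo\whoami.txt; the function name is my own.

```powershell
# Added example, not part of the original post. Reports the current identity the
# same three ways as the demo script, plus a locale-independent SYSTEM check
# based on the well-known SID S-1-5-18 instead of the display name.
function Get-CurrentIdentityReport {
    param([string]$OutFile = 'C:\demo\whoami.txt')  # path taken from the post

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    $report = [PSCustomObject]@{
        'env:USERNAME' = $env:USERNAME        # under SYSTEM this is "<COMPUTERNAME>$"
        'whoami'       = (whoami.exe)         # "nt authority\system"
        'GetCurrent'   = $identity.Name       # "NT AUTHORITY\SYSTEM"
        'UserSid'      = $identity.User.Value # "S-1-5-18" for LocalSystem
        # True only for the LocalSystem account, regardless of OS language
        'IsSystem'     = $identity.User.IsWellKnown([Security.Principal.WellKnownSidType]::LocalSystemSid)
        # Whether the token carries the Administrators group (SYSTEM always does)
        'IsElevated'   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    $report | Format-List | Out-File -FilePath $OutFile
    return $report
}

$result = Get-CurrentIdentityReport
if (-not $result.IsSystem) {
    Write-Warning "Not running as SYSTEM (running as $($result.GetCurrent)); check the task's principal."
}
```

If the task is set up as described above, whoami.txt will show IsSystem = True and UserSid = S-1-5-18; a False there usually means the task principal was left as the creating user.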