Windows NT service running in LocalSystem account context


Windows NT services run as LocalSystem by default. LocalSystem is a predefined
local account and any service running under LocalSystem:



  • The service can NOT open HKEY_CURRENT_USER .
  • The service can open HKEY_LOCAL_MACHINE\SECURITY.
  • The service has no network credentials and can only access network resources
    using a null session. If a share or pipe is accessible by Guest via a null
    session, it has access. There is a common misconception that a service running
    as LocalSystem has no network access.
Services are generally
non-interactive, that is they are a console application which runs whenever the
operating system is running. If a service opens a command window and runs a
script, anyone logged onto the console could press Ctrl+C and terminate the
script, leaving the command shell open with LocalSystem permissions. From a
security perspective, be cautious with the AutoExNT service which is a service which
allows you to run a batch file, Autoexnt.bat, when you boot NT. Srvany is
another method to convert an application into a service. Just be aware that the
service opens up security exposures if it uses the command shell.

One should review the security context of every service. Any hack which takes
control of the service has the access rights of the account the service is
running as. Some shops have sql server running as local administrator or even as
a domain administrator account. Consider the security implications if one leaves
such the sql sa account without a password (Microsoft’s default). In that case
one gains access to sql with a powerful or very powerful account and using sql
shell commands, one can add a local admin account (if sa is running as local
admin) or domain admin account (if sa is running as domain admin) using net user and net group

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top