The Windows Security Journey — “Local System” (NT AUTHORITY\SYSTEM)

Shlomi Boutnaru, Ph.D.
Mar 14, 2024


Local System (NT AUTHORITY\SYSTEM) is a built-in user account (sometimes also called LocalSystem) which is used as a security context by different processes like Windows services (https://medium.com/@boutnaru/windows-services-part-1-5d6c2d25b31c) or scheduled tasks (https://medium.com/@boutnaru/windows-scheduler-tasks-84d14fe733c0).

Overall, this user account has unlimited rights on a specific server/computer. By the way, when a thread/process holding a “SYSTEM” security context accesses a resource over the network (like a network share), the computer account is used. The name of the user in that case would be “[COMPUTER_NAME]$” (https://www.libe.net/en-local-system).

Moreover, the Local System user is more powerful than the built-in local Administrator user. One example is that the local Administrator can’t read the content of “HKEY_LOCAL_MACHINE\SAM\SAM” while the System user can, as shown in the screenshot below. By the way, that subkey holds the database of the “Security Account Manager” (https://medium.com/@boutnaru/windows-security-sam-security-account-manager-c93ddadf388a).

Lastly, “NT AUTHORITY\SYSTEM” has a specific SID (https://medium.com/@boutnaru/windows-security-sid-security-identifier-d5a27567d4e5), “S-1-5-18”, which is the same on all Windows systems in the world, as shown below. Also, an access token (https://medium.com/@boutnaru/windows-security-access-token-81cd00000c64) that belongs to a process with a security context of SYSTEM (for Windows Vista+) has a mandatory level (https://medium.com/@boutnaru/the-windows-security-journey-mandatory-integrity-control-mic-f7963550c0e7) of system and contains the “Builtin\Administrators” group, as shown in the screenshot below. We can also see the list of privileges that are part of the token, like “SeDebugPrivilege” and “SeBackupPrivilege” (https://learn.microsoft.com/en-us/windows/win32/services/localsystem-account).
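The checks described above can be reproduced from a PowerShell prompt. The script below is an added example, not code from the original writeup: it resolves the well-known SID, summarizes the token of the current process, and inventories the services and scheduled tasks that run as Local System. It assumes Windows PowerShell 5 or later with the built-in CimCmdlets and ScheduledTasks modules; the variable names are illustrative.

```powershell
# Added example (not from the original writeup). Read-only: it only queries state.
$SystemSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')

# 1. S-1-5-18 is a well-known SID, so it resolves to Local System on any host
#    (the account name is localized on non-English installations).
[pscustomobject]@{
    Sid           = $SystemSid.Value
    Account       = $SystemSid.Translate([System.Security.Principal.NTAccount]).Value
    IsLocalSystem = $SystemSid.IsWellKnown(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid)
} | Format-List

# 2. Token of the current process: user SID, Builtin\Administrators membership
#    (S-1-5-32-544), mandatory label (S-1-16-16384 means System) and whether the
#    two privileges named in the text are present in the token.
$Id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    Name            = $Id.Name
    UserSid         = $Id.User.Value
    IsSystem        = $Id.IsSystem
    InBuiltinAdmins = $Id.Groups.Value -contains 'S-1-5-32-544'
    MandatoryLabel  = (whoami /groups | Select-String 'S-1-16-\d+').Matches.Value
    DebugOrBackup   = (whoami /priv |
        Select-String 'Se(Debug|Backup)Privilege').Matches.Value
} | Format-List

# 3. Services configured to start under the Local System account.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 4. Scheduled tasks whose principal is SYSTEM (stored by name or by SID).
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18' } |
    Select-Object TaskPath, TaskName, State |
    Format-Table -AutoSize
```

Run from a normal or elevated user session, step 2 reports `IsSystem = False` and a lower mandatory label; steps 3 and 4 give the inventory of what executes with the SYSTEM security context on that host.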

See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
