
First off, I wish to clarify that I have been browsing loads of questions regarding the "Local System" account and even though I feel enlightened about the properties of the account, none of them seem to explain my scenario.

I am deploying a service on a customer's Windows Server 2008. The machine has already been used for years for printer credits accounting and has an existing accounting system on it. My service simply interfaces with this accounting system.

The issue is that if I install my service as I would (and have done on many other systems), with "Log on as: Local System account" in services.msc, I get permissions-related issues.

First off, I've run it from cmd using various accounts: "Administrator", "NT Authority\Network Service" and "NT Authority\System". None of them causes any issues, which is especially odd for the last one.

It gets extra weird when I go into services.msc, switch to "This account", type in "nt authority\system", and suddenly it works perfectly. When I change it back to "Local System account" the issue presents itself again.

It should be noted that the machine is part of a workgroup of some sort, and several of the print accounting services are running as users of a domain created by my customer. I don't know much more about their auth setup, and I really thought I didn't have to.

How can there be a difference between "Log on as: Local System account" and "NT Authority\System"?


1 Answer


This article explains it well

They are two different things. The Local System Account should contain the token for NT Authority\System, so that doesn't explain why you're having issues, but there are certainly differences between the accounts. They are not synonymous for each other.

This caveat could explain what you're seeing:

A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account. This has several implications:

• The registry key HKEY_CURRENT_USER is associated with the default user, not the current user. To access another user's profile, impersonate the user, then access HKEY_CURRENT_USER.

• The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY.

• The service presents the computer's credentials to remote servers.

• If the service opens a command window and runs a batch file, the user could hit CTRL+C to terminate the batch file and gain access to a command window with LocalSystem permissions.

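An added audit script (not from the question or answer above) that reports how each service is configured to log on, distinguishing the implicit "Local System account" setting from an explicitly typed "NT AUTHORITY\SYSTEM", and flags services that combine SYSTEM-level rights with desktop interaction, the situation behind the last bullet of the quoted caveat. It assumes the SCM records the literal `LocalSystem` for the built-in setting and the typed account name otherwise; the function name `Get-ServiceLogonReport` is hypothetical.

```powershell
# Added example, not code from the original post. Requires the Win32_Service
# CIM class (present on Windows Server 2008 and later); run elevated so that
# every service is visible.

function Get-ServiceLogonReport {
    [CmdletBinding()]
    param(
        # Optional service-name filter, wildcards allowed (e.g. 'Print*')
        [string]$Name = '*'
    )

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            # Cast to string so a blank StartName falls through to 'default'
            $startName = [string]$_.StartName
            # Assumption: "Local System account" in services.msc is stored as
            # the literal 'LocalSystem'; "This account" stores the typed name.
            # 'break' is required: a PowerShell switch otherwise runs every
            # matching case.
            $kind = switch -Regex ($startName) {
                '^LocalSystem$'                          { 'LocalSystem (implicit)'; break }
                '^NT AUTHORITY\\SYSTEM$'                 { 'SYSTEM (explicit)';      break }
                '^NT AUTHORITY\\(Local|Network)Service$' { 'Built-in service SID';   break }
                '^\.\\|^[^\\]+\\'                        { 'Named account';          break } # .\user or DOMAIN\user
                default                                  { 'Unknown/blank' }
            }
            $isSystem = $kind -like 'LocalSystem*' -or $kind -like 'SYSTEM*'
            [pscustomobject]@{
                Name            = $_.Name
                State           = $_.State
                LogOnAs         = $startName
                Kind            = $kind
                DesktopInteract = [bool]$_.DesktopInteract
                # SYSTEM rights plus an interactive window is the risky
                # combination the quoted caveat describes; review these.
                ReviewFlag      = $isSystem -and [bool]$_.DesktopInteract
                Path            = $_.PathName
            }
        }
}

# Usage: full report, then only the services worth a second look.
Get-ServiceLogonReport | Sort-Object Kind, Name |
    Format-Table Name, Kind, LogOnAs, DesktopInteract, ReviewFlag -AutoSize
Get-ServiceLogonReport | Where-Object ReviewFlag | Format-List Name, LogOnAs, Path
```

Comparing the `Kind` column for the service in question before and after switching it in services.msc shows whether the two configurations are recorded differently by the SCM, which is the first thing to establish before chasing the permission difference further.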