What Windows account is used when no one is logged in?

25

3

When no one is logged into Windows (the login screen is displayed), which user are the current processes running as? (The video/sound drivers, login session, any server software, accessibility controls, etc.) They can't be any user or the previous user because no one is logged in. What about processes that have been started by a user but continue to run after logoff? (For example HTTP, FTP servers, and other networking stuff.) Do they switch to the SYSTEM account? If a user-started process switches to SYSTEM, that indicates a very serious vulnerability. Does a process run as that user continue to run as that user after they have logged off?

Is this why the SETHC hack allows you to use CMD as SYSTEM?

Kunal Chopra

Posted 2015-10-04T16:39:20.793

Reputation: 569

"Switching users" is actually not a black&white operation on Windows. A service can impersonate multiple users at the same time, and still be using the original account as well. This is useful for services that need to act on behalf of specific users, say authenticated website visitors. – MSalters – 2015-10-05T12:24:00.323

3

Windows is a multi-user operating system, which means that different processes may belong to different users at the same time. It's not like once you log in the whole computer "switches" to your account. – el.pescado – 2015-10-05T19:07:55.147

Answers

40

When no one is logged into Windows (the login screen is displayed), which user are the current processes running as? (The video/sound drivers, login session, any server software, accessibility controls, etc.)

Almost all drivers run in kernel mode; they do not need an account, unless they start userspace processes. The few user-space drivers run under SYSTEM.

The login session, I can't check right now, but I'm sure it uses SYSTEM as well. You can see logonui.exe in Process Hacker or SysInternals ProcExp. In fact, you can see everything that way.

"Server software", see Windows services below.

What about processes that have been started by a user but continue to run after logoff? (For example HTTP, FTP servers, and other networking stuff.) Do they switch to the SYSTEM account?

There are three kinds here:

  1. Plain old "background" processes. Those run under the same account as whoever started them, and do not run after logoff. The logoff process kills them all.

    "HTTP, FTP servers, and other networking stuff" do not run as regular background processes. They run as services.

  2. Windows "service" processes. Those are not launched directly, but via Service Manager. By default services run as LocalSystem (which isanae says equals SYSTEM), though they can have dedicated accounts configured.

    (Of course, practically nobody bothers. They just install XAMPP or WampServer or some other crap, and let it run as SYSTEM, forever unpatched.)

    On recent Windows systems, I think services can also have their own SIDs, but again I haven't researched this much yet.

  3. Scheduled tasks. These are launched by the "Task Scheduler" service "in background", and always run under the account configured in the task (usually whoever created the task).

If a user-started process switches to SYSTEM, that indicates a very serious vulnerability

It's not a vulnerability because you must already have Administrator privileges to install a service. Having Administrator privileges already lets you do practically everything.

(see also various other non-vulnerabilities of the same kind)

user1686

Posted 2015-10-04T16:39:20.793

Reputation: 283 655

2

It might be worth noting that much of IIS runs under lower privileged accounts created specifically for IIS processes out of the box. (This would cover many Windows HTTP, FTP, etc. servers.) See here for some details. So it often depends on the defaults of whatever program you're using.

– jpmc26 – 2015-10-05T04:05:40.813

1

SYSTEM and Local Administrator are essentially one and the same. Once you have one, you can get the other, and the OS only puts up roadblocks meant primarily to prevent mistakes. (Note: The Old New Thing is not official Microsoft documentation.) – a CVn – 2015-10-05T08:42:05.337

1

It should be noted that there are several different system accounts with varying privileges -- for example with and without network access. – Simon Richter – 2015-10-05T10:43:31.313

1

Services can use any user account that has the Log on as a service permission. Normally the service will run in a separate session and can't interact with the GUI, even if the same user is also logged in interactively. For simplified service creation/settings, nssm is quite handy, if anyone wants to play around.

– Josef says Reinstate Monica – 2015-10-05T14:18:46.263

3

These days many services run as NetworkService or LocalService, not LocalSystem. – Ben Voigt – 2015-10-05T17:29:39.687

2

Starting with Windows 7 and 2008 R2, Managed Service Accounts and Virtual Accounts allow for running services under their own identities, so you don't have a bunch of services sharing LocalService/NetworkService/LocalSystem, limiting access if one service has a vulnerability.

– afrazier – 2015-10-06T13:01:17.187
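The answer and the comments above together list the identities a service can run under (LocalSystem, LocalService, NetworkService, virtual accounts, managed service accounts, or any custom user). The following is an added example, not code from the original answer or any commenter: it inventories which account each installed service uses and flags third-party binaries that run as LocalSystem (the "install XAMPP and let it run as SYSTEM forever" case). It assumes a Windows host with PowerShell 3 or later and read access to the Service Control Manager; the account-name patterns it matches are the usual spellings and are an assumption, not an exhaustive list.

```powershell
# Added example, not from the original answer: inventory which account every
# service runs under, so shared high-privilege accounts stand out.
# Assumes Windows with PowerShell 3+ (Get-CimInstance) and read access to the SCM.

function Get-AccountClass {
    # Win32_Service.StartName spells the built-in accounts several ways;
    # fold them into one label each. 'switch -Regex' is case-insensitive.
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'   { return 'LocalSystem' }
        '^NT AUTHORITY\\Local ?Service$'         { return 'LocalService' }
        '^NT AUTHORITY\\Network ?Service$'       { return 'NetworkService' }
        '^NT SERVICE\\'                          { return 'VirtualAccount' }         # NT SERVICE\<name>, per-service SID
        '\$$'                                    { return 'ManagedServiceAccount' }  # (g)MSA names end in '$' (assumed convention)
        default                                  { return 'Custom' }                 # a regular user/domain account
    }
}

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName,
                  @{ Name = 'AccountClass'; Expression = { Get-AccountClass $_.StartName } }

# How many services share each identity? One compromised service shares
# everything its account can reach with every other service on that account.
$services | Group-Object AccountClass | Sort-Object Count -Descending |
    Select-Object @{ Name = 'Account'; Expression = 'Name' }, Count |
    Format-Table -AutoSize

# Third-party binaries running as LocalSystem: anything whose image lives
# outside %SystemRoot% is a candidate for a dedicated least-privilege account.
$systemRootPattern = '^"?' + [regex]::Escape($env:SystemRoot) + '\\'
$services |
    Where-Object { $_.AccountClass -eq 'LocalSystem' -and $_.PathName -and
                   $_.PathName -notmatch $systemRootPattern } |
    Select-Object Name, State, StartName, PathName |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated prompt if some services report an empty StartName; unprivileged users can read most, but not all, service configurations.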

2

Login and pre-login processes all run as SYSTEM (also called LocalSystem). In fact, one way to get a shell (such as a CMD prompt) running as SYSTEM on some Windows versions is to replace an accessibility program, such as the screen reader, magnifier, or on-screen keyboard, with a copy of (or link to) CMD.EXE, and then use the shortcut to enable that accessibility feature before logging in. You will get a command prompt, even though there aren't any users logged in, and CMD will be running as SYSTEM.

(Note: this is dangerous, obviously, since it lets people bypass the Windows login process. You should never configure a computer this way and then leave it like that.)

CBHacking

Posted 2015-10-04T16:39:20.793

Reputation: 5 045

1

Works on Windows 7, replaced sethc.exe with cmd.exe in C:\Windows\System32\ – None – 2015-10-09T18:42:59.857
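Because the accessibility programs on the logon screen run as SYSTEM, a replaced or linked binary there is worth checking for from the defender's side. The following is an added example, not code from the answer or the commenter: it compares each accessibility executable in System32 against the hash of the local cmd.exe, reads its PE file description, and checks its Authenticode signature. It assumes PowerShell 4 or later (for Get-FileHash) and a standard %SystemRoot%\System32 layout; utilman.exe is included as the Ease of Access launcher on that same screen, an addition beyond the tools the answer names.

```powershell
# Added example, not from the original answer: verify that the accessibility
# executables reachable from the logon screen are still the genuine signed
# Windows binaries and not a renamed copy of (or link to) cmd.exe.
# Assumes PowerShell 4+ (Get-FileHash) and a standard %SystemRoot%\System32.

$system32 = Join-Path $env:SystemRoot 'System32'
# sethc.exe (Sticky Keys), osk.exe, magnify.exe and narrator.exe are the tools
# named in the thread; utilman.exe is the Ease of Access launcher (assumed).
$accessibilityTools = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe'
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

function Test-AccessibilityBinary {
    param([string]$Path, [string]$KnownCmdHash)
    $r = [ordered]@{ Path = $Path; Signed = $false; IsCmdCopy = $false; Description = ''; Verdict = 'MISSING' }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$r }

    # Get-FileHash reads through links, so a symlink/hardlink to cmd.exe hashes as cmd.exe.
    $r.IsCmdCopy   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $KnownCmdHash
    # A cmd.exe copied from another build has a different hash but keeps its PE description.
    $r.Description = (Get-Item -LiteralPath $Path).VersionInfo.FileDescription
    # Catalog-signed system files report Valid on Windows 8 and later; on Windows 7
    # many show NotSigned here, so treat UNSIGNED as "inspect", not as proof of tampering.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r.Signed = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')

    $r.Verdict = if ($r.IsCmdCopy -or $r.Description -match 'Command Processor') { 'REPLACED' }
                 elseif (-not $r.Signed) { 'UNSIGNED' }
                 else { 'OK' }
    return [pscustomobject]$r
}

$accessibilityTools |
    ForEach-Object { Test-AccessibilityBinary -Path (Join-Path $system32 $_) -KnownCmdHash $cmdHash } |
    Format-Table Verdict, Signed, IsCmdCopy, Description, Path -AutoSize
```

A REPLACED verdict on any of these files means the logon screen can already hand out a SYSTEM shell; restoring the original binary from a known-good source and reviewing how the file was changed is the follow-up.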

1

They don't "switch" to anything; such processes never run under the current user context.
They are owned by the SYSTEM user.

Any processes and services owned by an individual user are terminated on log-out.
That's what logging out means.

Lightness Races with Monica

Posted 2015-10-04T16:39:20.793

Reputation: 3 006

I'm not sure... Firstly, I found an MS Technet post where (not like this means much) a staff-accepted answer stated that services are not terminated on logout. I'm not sure this is an accurate definition of logout more generally either: I saw several daemons on Linux stay around after I log out one user then ps as another – underscore_d – 2015-10-05T13:26:42.427

1

That's not correct. Services can be started as another user and they will start and continue to run without that user "logged in". They will start their own session with that user's credentials, so actually the user will be logged in while the service runs, but the desktop/autostart programs etc. won't be run, and that is what normal users understand as "logged in". Still the service will run with that user's credentials and has access to that user's files. – Josef says Reinstate Monica – 2015-10-05T14:12:27.737

@Josef: Your argument appears to boil down to "some people misuse the term 'logged in'". The actual meat of your comment agrees with my answer: that user is deemed logged in for as long as they have services/processes running against their account. – Lightness Races with Monica – 2015-10-05T14:15:55.370

@LightnessRacesinOrbit no, there is an actual difference. If you create a service with your account and that is run at boot, there won't be any process started for you to show the desktop (so no dwm.exe or explorer.exe running), all your autostart programs won't be running etc. So if you have an interactive login session, a lot more things are active than if only a service session is running. What exactly is "logged in" is open to debate. Even if a service runs with your credentials, you still have to log in to use Windows yourself! – Josef says Reinstate Monica – 2015-10-05T14:26:02.743

@Josef I don't see the relevance of the desktop or of autostart programs. Those are a red herring, no? Nobody said that specific, particular processes had to be running for you to be deemed logged in! I'll agree that we are probably just mincing words over what "logged in" means but, in that spirit, I stand by my answer. – Lightness Races with Monica – 2015-10-05T14:31:54.930

1

Well, "such processes never run under the current user context" is still wrong. Services run under the user context set for them. For built-in Windows services, that is one of the system accounts. For other services, it can be any account. Especially server software should create a new user account and run with those credentials. – Josef says Reinstate Monica – 2015-10-05T14:58:25.390

@Josef: "For builtin windows services, that is one of the system accounts." Contradiction. The system is not a user. But SYSTEM is a "user". Again, we meet only terminology differences. :) – Lightness Races with Monica – 2015-10-05T15:07:24.807

@Josef: It's true, that services never run under the interactive user context. Even if they are started using the same user credentials, they are in a different session. – Ben Voigt – 2015-10-05T17:31:05.827

I'm afraid @Josef has hit the nail on the head, and it's not a matter of semantics. The SYSTEM user is a specific user, and services are regularly configured to run as a user other than SYSTEM. A quick scan of any Windows machine's list of services will reveal "Local Service" and "Network Service" accounts in use. Additionally, as I noted on the other answer, IIS runs plenty of other processes with users created expressly for the purpose; this includes some of the specific functions the OP asked about. No matter how you slice it, the idea that all services run under SYSTEM is flat wrong. – jpmc26 – 2015-10-05T21:54:42.803

@jpmc26: Oh I certainly won't vehemently defend that particular claim. I'm more than happy to admit that I quietly relate to all those other system "accounts" when I say SYSTEM. – Lightness Races with Monica – 2015-10-05T22:05:21.033

But they are not SYSTEM accounts. If I create a service for my webserver and it runs with the account "Mr. Webserver", what makes "Mr. Webserver" a system account? What if I run the service with my user called "Josef", the same user I use to work on the machine? Would you call that a SYSTEM user? – Josef says Reinstate Monica – 2015-10-06T11:36:50.197

@Josef: Yeah, as I said in my previous comment, I concede that point. – Lightness Races with Monica – 2015-10-06T13:28:26.677