25
3
When no one is logged into Windows, (the log in screen is displayed) which user are the current processes running as? (The video/sound drivers, login session, any server software, accessibility controls, etc. They can't be any user or the previous user because no one is logged in. What about processes that have been started by a user but continue to run after logoff? (For example HTTP, FTP servers, and other networking stuff). Do they switch to the SYSTEM account? If a user-started process switches to SYSTEM, that indicates a very serious vulnerability. Does the process run as that user continue to run as that user after they have logged off?
Is this why the SETHC hack allows you to use CMD as SYSTEM?
"Switching users" is actually not a black&white operation on Windows. A service can impersonate multiple users at the same time, and still be using the original account as well. This is useful for services that need to act on behalf of specific users, say authenticated website visitors. – MSalters – 2015-10-05T12:24:00.323
3Windows is multi-user operating system, which means that different processes may belong to different users at the same time. It's not like that once you log in whole computer "switches" to your account. – el.pescado – 2015-10-05T19:07:55.147