information-technology:2018-windows-as-localsystem

This project was not a success for me, but I leave it for others just in case it helps give perspective.

Motives

God bless those using Linux. It is unfortunate that I have so much invested in Windows: so many programs and customizations that even on someone else's computer I feel like I have one hand tied behind my back. Linux has its own challenges, since it isn't mainstream. However, with software becoming web based, the challenge is smaller, and there are workarounds for things like Adobe Flash and Microsoft Silverlight.

I would rather have simplicity than security. So I've been trying to strip away everything that wants to “protect” me from changing anything on my system. In Linux you have security, but you can work around it by running as root. In Windows, the system has more rights than an administrator (on anything after Windows 98, and increasingly so from XP through Windows 10). This has its use in keeping the masses safe from the spread of viruses. Actually, in my opinion the biggest factor is not viruses. The biggest factor in keeping people safe, where most are lacking in computer literacy or just technical awareness, is protecting them from being conned into doing stupid things. The downside is that it can make system administration a nightmare.

With my motivation to customize, and to continue using my old hardware with limited system resources (see bloatware), I find security to be a constant pain in the rear. Likewise, I haven't noticed any deficit from doing away with security software, services and Windows settings. I also strip out ACL security from the NTFS file system and the Windows registry.

This has been a serious time-suck for me. In the big scheme of things, does it really matter? My only defense is that I like doing it, as it keeps my mind off more difficult things. In the same way it does for people that play solitaire.

Rather than forcing Windows 7 to log on as LocalSystem, it may be better to use WinPE, which logs on as LocalSystem by default. Unfortunately, WinPE would have to be hacked to do more than it can. Many people do this, but I don't know where to find a comprehensive site for the ins and outs of such a project. WinPE suffers some of the same symptoms I had logging in as LocalSystem on my full Windows 7 (technically WES7, but I have all functionality).

Logged on as LocalSystem

I've been making a ton of changes to Windows, and I'm trying to figure out everything I did to be running Windows under the LocalSystem account. I'm trying to do too much at once, so it can be frustrating to figure out cause and effect for troubleshooting. However, the most important factor is that I installed a service that runs the Sysinternals psexec command to launch explorer.exe. Below is a reg file that can be imported into the registry.

Windows Registry Editor Version 5.00

; Type 0x10 = SERVICE_WIN32_OWN_PROCESS, Start 2 = automatic, ErrorControl 1 = normal.
; ImagePath is a REG_EXPAND_SZ stored as UTF-16LE hex; it decodes to:
;   D:\software\_runable\psexec\PsExec.exe -x -d -s -i -accepteula explorer.exe
; (-s run as SYSTEM, -i interactive, -d don't wait for the process, -x show the UI on the Winlogon secure desktop)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\_psexec]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):44,00,3a,00,5c,00,73,00,6f,00,66,00,74,00,77,00,61,00,72,00,\
  65,00,5c,00,5f,00,72,00,75,00,6e,00,61,00,62,00,6c,00,65,00,5c,00,70,00,73,\
  00,65,00,78,00,65,00,63,00,5c,00,50,00,73,00,45,00,78,00,65,00,63,00,2e,00,\
  65,00,78,00,65,00,20,00,2d,00,78,00,20,00,2d,00,64,00,20,00,2d,00,73,00,20,\
  00,2d,00,69,00,20,00,2d,00,61,00,63,00,63,00,65,00,70,00,74,00,65,00,75,00,\
  6c,00,61,00,20,00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,\
  00,78,00,65,00,00,00
"DisplayName"="_psexec"
"ObjectName"="LocalSystem"
Which looks like this in regedit:
[screenshot: psexec-service]

That is just these registry entries and psexec.exe; I also disabled the “User Profile Service”.
Actually, I disabled a bunch of services. The only ones I have left running are:
[screenshot: running services]

I changed all services to run under the localsystem account. This way, the “network service” and “local service” account registry hives will not be loaded into the registry on boot. You can see that “security accounts manager” is on the way out at next reboot (I don't know if it's needed).
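The reg file above hides its command line inside a hex(2) (REG_EXPAND_SZ) value, and the change of every service to LocalSystem is easiest to check from an exported SYSTEM hive rather than by clicking through the services console. The Python below is an added example, not code from this page: it parses a .reg export, decodes dword, hex(2) and hex(7) values, and lists each service key's start type, ObjectName and decoded ImagePath, flagging anything that does not run as LocalSystem. It runs offline against a constructed sample containing the _psexec key from this page plus an invented ExampleSvc key (an assumed name) that is disabled and runs as NetworkService.

```python
"""Parse a Windows .reg export, decode hex(2)/hex(7) values and list each
service's start type, logon account and (decoded) ImagePath.  Offline: runs
against the constructed SAMPLE_REG below, not a live registry."""
import re

# Constructed sample: the _psexec service from this page, plus one invented
# service key (ExampleSvc is an assumed name) that is disabled and runs as
# NetworkService, so the report has something to flag.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\_psexec]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):44,00,3a,00,5c,00,73,00,6f,00,66,00,74,00,77,00,61,00,72,00,\
  65,00,5c,00,5f,00,72,00,75,00,6e,00,61,00,62,00,6c,00,65,00,5c,00,70,00,73,\
  00,65,00,78,00,65,00,63,00,5c,00,50,00,73,00,45,00,78,00,65,00,63,00,2e,00,\
  65,00,78,00,65,00,20,00,2d,00,78,00,20,00,2d,00,64,00,20,00,2d,00,73,00,20,\
  00,2d,00,69,00,20,00,2d,00,61,00,63,00,63,00,65,00,70,00,74,00,65,00,75,00,\
  6c,00,61,00,20,00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,\
  00,78,00,65,00,00,00
"DisplayName"="_psexec"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ExampleSvc]
"Start"=dword:00000004
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k netsvcs"
"ObjectName"="NT AUTHORITY\\NetworkService"
'''

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services" + "\\"
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def decode_reg_value(raw):
    """Decode the right-hand side of a "name"=value line."""
    if raw.startswith('"'):                      # REG_SZ, with \\ and \" escapes
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith("dword:"):                 # REG_DWORD, 8 hex digits
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:                                        # hex(N): comma-separated bytes
        kind = int(m.group(1) or 3)              # bare "hex:" is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                       # REG_SZ / REG_EXPAND_SZ as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                            # REG_MULTI_SZ: NUL-separated strings
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    raise ValueError("unsupported value syntax: " + raw)


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    # A trailing backslash continues a hex value on the next (indented) line.
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            raise ValueError("value outside any key: " + line)
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_reg_value(value.strip())
    return keys


def audit_services(keys):
    """List (service, start type, account, command line) for every service key.
    A missing ObjectName is reported as LocalSystem, which is what the SCM
    uses when no account is configured."""
    rows = []
    for path, values in keys.items():
        if not path.lower().startswith(SERVICES_KEY.lower()):
            continue
        rows.append((path[len(SERVICES_KEY):],
                     START_TYPES.get(values.get("Start"), "unknown"),
                     values.get("ObjectName", "LocalSystem"),
                     values.get("ImagePath", "")))
    return rows


if __name__ == "__main__":
    for name, start, account, cmd in audit_services(parse_reg(SAMPLE_REG)):
        flag = "" if account == "LocalSystem" else "   <- not LocalSystem"
        print(f"{name:<12} start={start:<9} account={account}{flag}")
        print(f"{'':<12} ImagePath: {cmd}")
```

Run it against a real export (reg export HKLM\SYSTEM\CurrentControlSet\services services.reg) by reading that file instead of SAMPLE_REG; the same decoder is also the quickest way to see what any hex-encoded ImagePath in a .reg file will actually execute before importing it.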

Some services were protected in the registry, so I couldn't change them via the services console (the controls were grayed out). In order to change them at the registry level, I used setacl.exe to strip away security (S-1-1-0 is the well-known “Everyone” SID, so this first gives Everyone ownership of the whole HKLM tree and then grants Everyone full control, recursively):
setacl -on "hklm" -ot reg -actn setowner -ownr "n:S-1-1-0;s:y" -rec yes
setacl -on "hklm" -ot reg -actn ace -ace "n:S-1-1-0;p:full;s:y;i:so,sc;m:set" -rec yes
This could be done as one command, but I was wary that maybe the ACE wouldn't take effect without being owner first?

While I'm using Windows Embedded Standard 7, I don't know if I recommend it. I think you would get better results using nLite? I wouldn't know, since I haven't tried both. If I were sufficiently motivated, I would try to see if nLite worked on WES7. Maybe it won't work, because the organization of the setup files for WES7 may be different from those of Win7, if I remember correctly.

Result 20180527

There are actually quite a few ways to log on as system, but they all suck, because being logged in as system doesn't include the saving or use of many settings (Pale Moon kept asking to be the default browser over and over). I believe the settings come from usrclass.dat, which includes the ability to use the “open with” functionality. I tried “Hiren Restored”, which has a mini/portable Win7, I guess WinPE. It only loaded the S-1-5-18 (aka .DEFAULT) profile hive, plus SAM, SOFTWARE, HARDWARE, +1.

One way to log on as LocalSystem is to disable the “User Profile Service” (psexec wasn't even needed). Another way is to rename the “Default User” folder and the Administrator folder while the system is offline. If the “User Profile Service” can't find the Default User folder, it can't create a new Administrator profile, so it boots as system.

I created junctions from systemprofile to the renamed Administrator folder, and switched out DEFAULT with my profile's ntuser.dat. I also made sure all references to Administrator were removed from the hives. I was logged in as system, but I still had the “open with” issue, and even loading usrclass.dat as DEFAULT_Classes didn't improve the situation.

I also created a junction to appdata, right alongside the systemprofile junction, just in case the path was relative to DEFAULT. No luck. I believe usrclass.dat is loaded by the “user profile service”. I even tried doing a name search inside a system file that could have been the “user profile service” itself, via XVI32 and Resource Hacker, but couldn't find anything to hack.

I think my attempt to run all services under the LocalSystem account ended with a non-booting MacBook. I was trying to do away with the LocalService and NetworkService profiles (this works in XP, but so far doesn't work in Win7). Maybe I didn't try using setacl to clear the registry security? OMG, this is not worth it! I thought this stuff would be easy, and it's become a nightmare.

Trying to consolidate the two profile folders for WinXP and WES7 didn't go well either. There doesn't seem to be any getting around the name “ntuser.dat”; it seems to be hard-coded. I tried moving the WES7 ntuser.dat to %homedrive%\administrator\appdata, but that ended up being a mess because usrclass.dat was not able to be loaded, and no one on the internet knows how to load this thing manually in a way that actually adds all the functionality back. I'm going to keep %homedrive%\administrator.wes7\ for its appdata folder and ntuser.dat.

As a side note, I'm still trying to get a USB device to boot on the MacBook Pro 2,1. Most laptops have the ability to boot from a USB flash drive, but not my MacBook (unless it is strictly in the EFI format). I've had to resort to burning and booting from optical media. The Easy2Boot website still looks interesting but time consuming. YUMI now has an EFI version… I haven't tried any of this yet.

information-technology/2018-windows-as-localsystem.txt · Last modified: 2019/06/06 09:04 by marcos