When Local Administrator Isn’t Enough

Here’s an interesting problem that another tech called in to me. He was unable to delete some registry keys related to UPS WorldShip while logged in as a local administrator; every attempt to delete the keys came back with “Access Denied”. When we tried to view the owner of the keys, it was listed as “unknown”, and we could not take ownership of them either. The only thing left was to try running regedit under the LocalSystem account.

Microsoft defines the LocalSystem account as the following:

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored.

Getting regedit to run under LocalSystem can be done in a number of ways; the easiest I found is to use PsExec: “psexec -i -s regedit.exe” (-s runs the process under the SYSTEM account and -i lets it interact with the desktop). Once regedit was running as SYSTEM, we were able to delete the registry keys.

You can verify that regedit is running under “NT AUTHORITY\SYSTEM” by running Process Explorer as administrator, expanding the PSEXESVC process tree to regedit.exe, opening its properties and checking the Security tab.
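As an added example (not part of the original post), the following PowerShell inspects the owner and DACL of a registry key so that the “unknown owner” and “Access Denied” symptoms can be diagnosed before escalating to LocalSystem, and it confirms which account regedit is running under without opening Process Explorer. The registry path and the function names are my own placeholders; the post does not name the exact UPS WorldShip keys.

```powershell
# Added example, not from the original post. Run from an elevated prompt.

function Get-RegistryKeyOwnership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # e.g. 'HKLM:\SOFTWARE\Example\StuckKey' (placeholder)
    )

    # Get-Acl itself needs READ_CONTROL on the key; if this call fails with
    # "Access Denied", even reading the DACL is blocked for the current token.
    $acl = Get-Acl -Path $Path

    # Ask for the owner as a raw SID first: this never throws, whereas asking
    # for an NTAccount fails when the SID no longer maps to any principal.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    try {
        $ownerName = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # An unresolvable SID is what regedit displays as an "unknown" owner
        # (deleted account, or a SID that belongs to a different machine).
        $ownerName = 'Unknown (SID does not resolve to an account)'
    }

    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $adminAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    # Explicit Deny entries win over Allow entries and are a common reason an
    # administrator still sees "Access Denied".
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

    [pscustomobject]@{
        Path                  = $Path
        OwnerSid              = $ownerSid.Value
        OwnerName             = $ownerName
        AdminsHaveFullControl = [bool]$adminAllow
        DenyEntries           = @($denies | ForEach-Object {
                                    "$($_.IdentityReference): $($_.RegistryRights)"
                                })
        Rules                 = $acl.Access |
                                    Select-Object IdentityReference, RegistryRights,
                                                  AccessControlType, IsInherited
    }
}

function Get-ProcessAccount {
    param([string]$Name = 'regedit')
    # -IncludeUserName requires an elevated prompt (Windows PowerShell 4.0 or later).
    # A regedit started with "psexec -i -s" reports UserName NT AUTHORITY\SYSTEM.
    Get-Process -Name $Name -IncludeUserName -ErrorAction Stop |
        Select-Object Id, ProcessName, UserName
}

# Usage (replace the placeholder path with the key you are investigating):
Get-RegistryKeyOwnership -Path 'HKLM:\SOFTWARE\Example\StuckKey' | Format-List
Get-ProcessAccount -Name 'regedit'
```

Run the first function before reaching for PsExec: an owner that does not resolve, a Deny entry, or a missing Allow entry for BUILTIN\Administrators each explain the “Access Denied” on its own, and the output is worth keeping alongside the ticket as a record of the key’s state before it was changed. The second function gives the same answer as the Process Explorer Security tab, which is handy on a machine where Sysinternals tools are not installed.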

– Soli Deo Gloria