How to run commands using SYSTEM account

Published on
8,194 Points
4 Endorsements
Last Modified:
Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.


This is a process I use whenever I get an "Access Denied" message. One example of this is when I do not have access to SQL Server directly, only administrative rights to the actual server.


1) Download PsExec which is part of the PsTools suite

2) Extract PsTools.zip to a convenient location. I usually copy PsExec.exe to the System32 folder. This allows PsExec.exe to be executed from any folders without specifying the full path.

3) Execute the following command

PsExec.exe -s -i -d CMD.exe

4) From within this new command prompt, everything you open will open as the SYSTEM account.


Viewing NT Secrets

Open Regedit.exe and you will be able to see content of HKEY_LOCAL_MACHINE\SECURITY

  • This allows you to view passwords that were stored as NT Secrets

Opening SQL Server Management Studio as SYSTEM

Open SQL Management Studio and you will be able to log on with SYSTEM

  • This allows you to access SQL without directly having been granted SQL right yet you have administrative rights to SQL Server

You will be able to browse to any folder that only allows SYSTEM account

  • You can export permissions with SetACL/ICACLS to folders that administrators group might have been removed on
  • Kill processes that give error Access Denied when you try to terminate it with normal Administrator rights

WinDirStat/TreeSize etc.

Running something like TreeSize as SYSTEM will actually give you a better view and understanding of what is using space because you will get less access denials

Some others...

  • Simulate GPO start scripts
  • Simulate GPO based MSI installation
  • Diagnose why scheduled tasks that run as SYSTEM don't run as intended
  • Start/stop protected services


Using this process, (or one similar) will allow you to start processes as the SYSTEM account allowing you to access parts of files system, registry and application not accessible with normal Administrative rights.

Please do not forget to press the "Thumb's Up" button if this article was helpful and valuable for EE members.

It also provides me with positive feedback. Thank you!


Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Join & Write a Comment

The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month