Characteristics of Windows SYSTEM account & logging its activities

https://support.microsoft.com/en-sg/help/120929/how-the-system-account-is-used-in-windows
SCCM and some Windows management tools make use of Windows SYSTEM account mentioned above.

Q1:
Is it considered an interactive or non-interactive account since it has no user profile (unlike administrator)?

Q2:
Can we set a password for SYSTEM? Or does it have an unknown password?

Q3:
When using the tools (possibly psexec & SCCM) to get to the command prompt of the managed endpoint,
are the activities (i.e. when the command prompt is spawned, mappings of drive using 'net use ...' or
sharing of drive using 'net share ...') being logged in Windows event viewer logs?
sunhux Asked:

Adam Brown, Sr Solutions Architect, Commented:
Q1: The SYSTEM account is essentially the account tied to the computer object in Active Directory. It's not possible to log in to a computer using the system account, but the system account is capable of running services, connecting to network services, and the like. It would be considered Non-Interactive.

Q2: Each computer's SYSTEM account has a randomly generated hash value used to authenticate it against Active Directory. This password is changed randomly, usually once in a period below 30 days. The SYSTEM account cannot be used to log in to anything interactively, but can be used as a security context if needed.

Q3: The event viewer should log these things, but may not log the user that initiated the command if done using the system account's context.
1
sunhux (Author) Commented:
I read some links that there's SYSTEM for AD as well as local SYSTEM account on the
local PC's Windows: I'm referring to SYSTEM for local SYSTEM.

> Q3: The event viewer should log these things, but may not log the user that initiated the command if done using the system account's context.
Each time SCCM or the management tool spawns a command prompt to the remote PC, is this spawning captured/logged in
the Event Viewer logs?
0
sunhux (Author) Commented:
If there's an Event, what does it look like or what's its Event Id when spawning
& also what's the event log/event id when using SYSTEM to share/map a drive?
0
btan, Exec Consultant, Commented:
1. Non-interactive as advised by expert. SYSTEM is a service account, and therefore does not have a user profile. Specifically it refers to Local System account which appears as DOMAIN\<computer name>$ on the network and NT AUTHORITY\System locally. It is a predefined local account. This powerful account has full access to the local computer, including directory services when used on domain controllers.

2. No. The account is not associated with any logged-on user account. This account does not have a password. Specifically, if you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.

3. Not by default. But you may try Command line process auditing. That said, Audit Process Creation auditing needs to be enabled, and you will see event ID 4688.
Security ID:  The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID: A semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
This security policy setting determines whether the OS generates audit events when a process is created (starts) and the name of the program or user that created it. Since it tells you who ran the program and the ID of their logon session, then you can correlate backwards to the logon event.
1
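
Added example, not part of the original answers: a Python filter over exported Security-log XML that keeps event 4688 entries created under the SYSTEM SID (S-1-5-18) which spawn a command prompt or run 'net use' / 'net share', and correlates each back to its 4624 logon through the Logon ID. The sample events, the host name fs01.example and the function names are constructed for illustration; the CommandLine field is only populated when command-line process auditing is enabled.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of NT AUTHORITY\SYSTEM
# Activity named in the question: a spawned command prompt, 'net use', 'net share'.
WATCH = re.compile(r"\\cmd\.exe\b|\bnet1?(?:\.exe)?\s+(?:use|share)\b", re.I)

# Constructed sample export, trimmed to the fields used below.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID></System><EventData>
 <Data Name="TargetUserSid">S-1-5-18</Data><Data Name="TargetLogonId">0x3e7</Data>
 <Data Name="LogonType">5</Data></EventData></Event>
<Event><System><EventID>4688</EventID></System><EventData>
 <Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectLogonId">0x3e7</Data>
 <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">cmd.exe</Data></EventData></Event>
<Event><System><EventID>4688</EventID></System><EventData>
 <Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectLogonId">0x3e7</Data>
 <Data Name="NewProcessName">C:\Windows\System32\net.exe</Data><Data Name="CommandLine">net use Z: \\fs01.example\data</Data></EventData></Event>
<Event><System><EventID>4688</EventID></System><EventData>
 <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data><Data Name="SubjectLogonId">0x5a1b2</Data>
 <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">cmd.exe</Data></EventData></Event>
</Events>"""

def fields(event):
    """Return the EventID plus the named EventData values of one <Event>."""
    out = {"EventID": event.findtext("e:System/e:EventID", namespaces=NS)}
    for d in event.iterfind("e:EventData/e:Data", NS):
        out[d.get("Name")] = d.text or ""
    return out

def system_command_activity(xml_text):
    """List 4688 events run as SYSTEM that match WATCH, with their 4624 logon type."""
    events = [fields(ev) for ev in ET.fromstring(xml_text).iterfind("e:Event", NS)]
    # Index logon events by Logon ID so each 4688 can be correlated backwards.
    logons = {e.get("TargetLogonId"): e for e in events if e["EventID"] == "4624"}
    hits = []
    for e in events:
        if e["EventID"] != "4688" or e.get("SubjectUserSid") != SYSTEM_SID:
            continue
        # Without command-line auditing CommandLine is empty: only the image path matches.
        text = f'{e.get("NewProcessName", "")} {e.get("CommandLine", "")}'
        if WATCH.search(text):
            logon = logons.get(e.get("SubjectLogonId"), {})
            hits.append({"process": e.get("NewProcessName", ""), "command_line": e.get("CommandLine", ""),
                         "logon_id": e.get("SubjectLogonId"), "logon_type": logon.get("LogonType")})
    return hits
```
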