Characteristics of Windows SYSTEM account & logging its activities

https://support.microsoft.com/en-sg/help/120929/how-the-system-account-is-used-in-windows
SCCM and some Windows management tools make use of the Windows SYSTEM account mentioned above.

Q1:
Is it considered an interactive or non-interactive account since it has no user profile (unlike administrator)?

Q2:
Can we set a password for SYSTEM? Or does it have an unknown password?

Q3:
When using the tools (possibly psexec & SCCM) to get to the command prompt of the managed endpoint,
are the activities (i.e. when the command prompt is spawned, mapping of drives using 'net use ...' or
sharing of drives using 'net share ...') logged in the Windows Event Viewer logs?
Asked by sunhux.
btan (Exec Consultant) commented:
1. Non-interactive as advised by expert. SYSTEM is a service account, and therefore does not have a user profile. Specifically it refers to the Local System account, which appears as DOMAIN\<computer name>$ on the network and NT AUTHORITY\System locally. It is a predefined local account. This powerful account has full access to the local computer, including directory services when used on domain controllers.

2. No. The account is not associated with any logged-on user account. This account does not have a password. Specifically, if you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.

3. Not by default. But you may try command line process auditing. That said, Audit Process Creation auditing needs to be enabled; you will then see event ID 4688.
Security ID:  The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
This security policy setting determines whether the OS generates audit events when a process is created (starts) and the name of the program or user that created it. Since it tells you who ran the program and the ID of their logon session, you can correlate backwards to the logon event.
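The Logon ID correlation described in the answer above, as an added example that is not part of the original thread: constructed 4624 logon events and 4688 process-creation events (with the field names Windows uses in the Security log) are joined on the Logon ID, and command shells or net.exe started in the SYSTEM context (SID S-1-5-18) are reported together with the logon session they belong to. The sample events, including the PSEXESVC parent and the hostname WKS01$, are constructed for the example.

```python
# Added example: correlate constructed 4688 process-creation events with
# 4624 logon events via Logon ID and report shells / net.exe run as SYSTEM.
SYSTEM_SID = "S-1-5-18"
LOGON_TYPES = {0: "System", 2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}
WATCHED = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe"}

# Constructed sample events (not real log data); field names follow the
# Security log: TargetLogonId for 4624, SubjectLogonId for 4688.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserSid": SYSTEM_SID, "TargetUserName": "SYSTEM",
     "TargetLogonId": "0x3e7", "LogonType": 0},
    {"EventID": 4624, "TargetUserSid": "S-1-5-21-1-2-3-1001", "TargetUserName": "alice",
     "TargetLogonId": "0x5a1b2", "LogonType": 2},
    {"EventID": 4688, "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "WKS01$",
     "SubjectLogonId": "0x3e7", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 4688, "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "WKS01$",
     "SubjectLogonId": "0x3e7", "NewProcessName": r"C:\Windows\System32\net.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "alice",
     "SubjectLogonId": "0x5a1b2", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

def build_logon_table(events):
    """Map each 4624 Logon ID to (account name, logon type name) for correlation."""
    table = {}
    for ev in events:
        if ev["EventID"] == 4624:
            table[ev["TargetLogonId"].lower()] = (
                ev["TargetUserName"], LOGON_TYPES.get(ev["LogonType"], "Other"))
    return table

def system_shell_activity(events):
    """Return watched binaries started as SYSTEM, enriched with the originating logon session."""
    logons = build_logon_table(events)
    hits = []
    for ev in events:
        if ev["EventID"] != 4688 or ev["SubjectUserSid"] != SYSTEM_SID:
            continue
        exe = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if exe in WATCHED:
            account, ltype = logons.get(ev["SubjectLogonId"].lower(), ("<no 4624 seen>", "Unknown"))
            hits.append({"process": exe, "parent": ev["ParentProcessName"].rsplit("\\", 1)[-1].lower(),
                         "logon_id": ev["SubjectLogonId"], "logon_account": account, "logon_type": ltype})
    return hits

if __name__ == "__main__":
    for hit in system_shell_activity(SAMPLE_EVENTS):
        print(hit)
```

A command line appears in 4688 only when the "Include command line in process creation events" policy is also enabled; the Logon ID join works without it.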
Adam Brown (Sr Solutions Architect) commented:
Q1: The SYSTEM account is essentially the account tied to the computer object in Active Directory. It's not possible to log in to a computer using the system account, but the system account is capable of running services, connecting to network services, and the like. It would be considered Non-Interactive.

Q2: Each computer's SYSTEM account has a randomly generated hash value used to authenticate it against Active Directory. This password is changed randomly, usually once in a period below 30 days. The SYSTEM account cannot be used to log in to anything interactively, but can be used as a security context if needed.

Q3: The event viewer should log these things, but may not log the user that initiated the command if done using the system account's context.
sunhux (Author) commented:
I read in some links that there's a SYSTEM for AD as well as a local SYSTEM account on the
local PC's Windows: I'm referring to the local SYSTEM account.

> Q3: The event viewer should log these things, but may not log the user that initiated the command if done using the system account's context.
Each time SCCM or the management tool spawns a command prompt on the remote PC, is this spawning captured/logged in
the Event Viewer logs?
sunhux (Author) commented:
If there's an event, what does it look like or what's its Event ID when spawning,
& also what's the event log/Event ID when using SYSTEM to share/map a drive?