Understanding Windows Privilege Escalation: NT AUTHORITY\SYSTEM vs TrustedInstaller

By /

Listen to this Post

A lot of people consider `NT AUTHORITY\SYSTEM` privileges to be the Windows equivalent of root, but a far more accurate comparison would be to root on macOS with SIP enabled. Sure, you can do a lot of damage to personal data, but even if you ran something like:

powershell -c 'Remove-Item -Recurse -Force C:\'

It would only delete user data; the system itself would remain intact. You’d need TrustedInstaller privileges to actually start deleting Windows components outright.

You Should Know:

1. Checking Current Privileges

To verify if youā€™re running as `NT AUTHORITY\SYSTEM`:

whoami /priv

Or in PowerShell:



 2. Escalating to TrustedInstaller


To gain TrustedInstaller privileges, use:


sc.exe create TrustedInstaller binPath= "cmd.exe /c start" type= own type= interact
sc.exe start TrustedInstaller



Alternatively, use PSExec from Sysinternals:


psexec -i -s cmd.exe



 3. Bypassing System Protections


Even with SYSTEM, some files are protected. Use TakeOwnership and icacls to override: 


takeown /f C:\Windows\System32\critical.dll /a
icacls C:\Windows\System32\critical.dll /grant Administrators:F



 4. Simulating macOS SIP on Windows


Windows has Windows Resource Protection (WRP), similar to macOS SIP. To disable it (risky!): 


sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows



 5. Encrypting Files Without TrustedInstaller


As mentioned, you donā€™t need high privileges to encrypt files. Example in PowerShell: 


Get-ChildItem C:\Data\ | ForEach-Object { 
$encrypted = "$($<em>.FullName).enc" 
Protect-CmsMessage -To "CN=MyCertificate" -Path $</em>.FullName -OutFile $encrypted 
Remove-Item $_.FullName 
}



 6. Linux Equivalent: Root vs. Protected Directories


On Linux, even as root, some directories (e.g., /boot, /sys) are protected. Use: 


sudo mount -o remount,rw / 



To modify protected files.


 What Undercode Say:


Windows privilege hierarchy is more nuanced than Linux/macOS. `NT AUTHORITY\SYSTEM` is powerful but restricted by TrustedInstaller and WRP. For true system-level modifications, you must bypass these protectionsā€”similar to disabling SIP on macOS or remounting `/` as RW on Linux. Always test in a lab before production systems!


 Expected Output:


 Confirm privileges before executing destructive commands. 



(Note: No external URLs were provided in the original post.)


References:


Reported By: Kenneth Strawn – Hackers Feeds

Extra Hub: Undercode MoN

Basic Verification: Pass āœ…


Join Our Cyber World:


šŸ’¬ Whatsapp | šŸ’¬ TelegramFeatured Image


		
		
			




	




 
 Related Posts: