Hi my fellow forum members and spyware hunters,
Thanks to an old trick you can now add far greater power to your hunts for malware by logging on as the SYSTEM account before running your favorite spyware removal tools. Because the mentioned account supersedes all user accounts on the system, including that of the administrator, this technique will reveal and remove things otherwise not seen. On all other occasions we'd better use a normal user account. The trick is an old Microsoft NT 4.0 trick.
I wish you a good hunt and put some bite in it,
polonus
How do you log on as a system account?
Hello xistenz,
Good you asked, because it is not the thing you do every day, and it should be restricted to an emergency. So do use this information with care. Here we go:
First, open a command prompt (Start → Run → CMD). Second, type "at 19:30 /interactive cmd.exe" (the time should be in 24-hour format and 2 minutes ahead of the clock on the system). Wait until the new command window appears and notice that it says "svchost.exe". You are now logged onto the SYSTEM account.
Right-click on the icon for the program you want to run and left-click on Properties. Highlight the text within the Target box on the Shortcut tab and press ctrl-c to copy. Click back into your svchost.exe window, right-click on the small icon in the upper left hand corner, then left-click on Edit and Paste. Something like "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" should appear. Press enter and Spybot (or whatever) will run; but with the very real difference that you will be running it as SYSTEM.
Typing taskmgr will run the task manager; regedt32 will run the registry editor; though (rats), for some reason explorer still runs as your user account. If you know your commands, any of these will also work and, if you know the explicit entry to run for any of your programs, you don't have to use the copy and paste method. At any rate, I have already seen several systems which said they were clean when Spybot was run as the user or the administrator; but, using this trick, several more items appeared. Use this trick wisely,
kindest regards,
your friend polonus
Thanks for the tip, polonus!
;D
Hi xistenz,
To explain it more in depth:
Here is a step-by-step guide I put together so other users could better understand the instructions.
Running Spyware Scans as the system account:
The command "at xx:xx /interactive cmd.exe<enter>" [where the xx:xx is the time two minutes in the future from the displayed system time] will open a CMD window labeled svchost.exe at that time, logged on as the SYSTEM account. From this command prompt you can launch almost any program by typing or pasting its full TARGET PATH. Any program selected will run as the SYSTEM account and, as such, have far greater permissions and power.
EXAMPLE - To schedule a task or program to run:
1. At the command prompt type: "at 19:30 /interactive cmd.exe" [without quotes]
It should look like this:
C:\>at 19:30 /interactive cmd.exe
2. Press enter [and directly below this line you should receive]:
Added a new job ID = 1 (or 2 if there is another command pending)
It should look like this:
C:\>at 19:30 /interactive cmd.exe
Added a new job ID = 1 (or 2 if there is another command pending)
3. Close the command prompt, and after a couple of minutes, if you are using WinPatrol, Scotty will alert you that a new task has been added. When opening Scheduled Tasks in WinPatrol there will be an At1 entry identifying the program and scheduled run time. The command can be removed from Scheduled Tasks by WinPatrol.
4. Wait until the new command window appears [starts] at the scheduled time and you will notice that it says C:\Windows\System32\svchost.exe at the top and the command prompt says:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Windows\system32>
[You are now logged onto the SYSTEM account.]
5. In the Start Menu, right-click on the icon for the program you want to run and left-click on Properties.
6. Highlight the text within the Target box on the Shortcut tab and press ctrl-c to copy, or right-click and select Copy.
7. Go back to the svchost.exe window and right-click on the small prompt icon in the upper left hand corner, to the left of C:\Windows\System32\svchost.exe.
8. From the drop-down box choose EDIT > PASTE [the full target path], or simply right-click and paste the path next to the command prompt line C:\Windows\system32>
It should look like this:
C:\Windows\system32>"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
C:\Windows\system32>
9. Press enter and Spybot [or any other selected program] will run; but with the difference that you will be running it as SYSTEM.
NOTE: Also, typing taskmgr<enter> will run the task manager; regedt32<enter> will run the registry editor; though for some reason explorer still runs as your user account.
If you know your commands, any of these will also work and, if you know the explicit entry to run for any of your programs, you don't have to use the copy and paste method.
greets,
polonus
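The thread relies on WinPatrol's Scotty to notice the queued At1 job. As an added example that is not from polonus's posts or from WinPatrol, the PowerShell below does the same check from the administrator's side: it enumerates the jobs the at command has queued through the WMI class Win32_ScheduledJob (which exposes the job id, the command line and whether /interactive was requested), flags interactive jobs whose command is a command interpreter, lists the matching At*.job files in %SystemRoot%\Tasks, and can delete the flagged jobs. It assumes PowerShell with WMI access on a Windows version where at.exe still exists (later Windows versions deprecate it, and Win32_ScheduledJob only covers jobs created by at, not those created with schtasks or the Task Scheduler UI); the shell-name pattern and the function names are this example's own choices.

```powershell
# Added example, not part of the forum thread or of WinPatrol.
# Lists AT jobs and flags the pattern described above: an interactive job
# that launches a command interpreter, which hands a SYSTEM shell to whoever
# sits at the console when it fires.

# Interpreters to flag (assumption: adjust to taste). -match is
# case-insensitive in PowerShell, so CMD.EXE matches too.
$ShellPattern = '(^|\\)(cmd\.exe|command\.com|powershell\.exe)(\s|$)'

function Get-AtJobReport {
    # Win32_ScheduledJob covers only jobs created with at.exe.
    # InteractWithDesktop is TRUE when the job was queued with /interactive.
    Get-WmiObject -Class Win32_ScheduledJob | ForEach-Object {
        $isShell = [bool]($_.Command -match $ShellPattern)
        New-Object PSObject -Property @{
            JobId       = $_.JobId
            Command     = $_.Command
            Interactive = [bool]$_.InteractWithDesktop
            StartTime   = $_.StartTime     # WMI datetime string as stored
            Owner       = $_.Owner
            Suspicious  = ($isShell -and [bool]$_.InteractWithDesktop)
        }
    }
}

function Get-AtJobFiles {
    # The Schedule service writes each AT job as %SystemRoot%\Tasks\At<N>.job;
    # this is the "At1" entry the thread mentions seeing in WinPatrol.
    $tasks = Join-Path $env:SystemRoot 'Tasks'
    if (Test-Path $tasks) {
        Get-ChildItem -Path $tasks -Filter 'At*.job' |
            Select-Object Name, LastWriteTime, Length
    }
}

function Remove-SuspiciousAtJobs {
    param([switch]$WhatIf)   # -WhatIf only reports, it does not delete
    Get-WmiObject -Class Win32_ScheduledJob |
        Where-Object { $_.InteractWithDesktop -and ($_.Command -match $ShellPattern) } |
        ForEach-Object {
            if ($WhatIf) {
                "Would delete AT job $($_.JobId): $($_.Command)"
            } else {
                $null = $_.Delete()   # same effect as 'at <id> /delete'
                "Deleted AT job $($_.JobId): $($_.Command)"
            }
        }
}

# Usage: run as an administrator.
Get-AtJobReport | Format-Table JobId, StartTime, Interactive, Suspicious, Command -AutoSize
Get-AtJobFiles  | Format-Table -AutoSize
Remove-SuspiciousAtJobs -WhatIf
```

Running the report right after step 2 of the guide should show the queued cmd.exe job with Interactive and Suspicious both True, and At1.job in the Tasks folder; running it again after the job fires shows the entry gone, since a one-shot at job is removed once it has run. Drop -WhatIf only when you have confirmed the listed job is one you did not queue yourself.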