Put some bite in your spyware hunt

Hi my fellow forum members and spyware hunters,

Thanks to an old trick you can now add far greater power to your hunts for malware by logging on as the SYSTEM account before running your favorite spyware removal tools. Because the mentioned account supersedes all user accounts on the system, including that of Administrator, this technique will reveal and remove things otherwise not seen. On all other occasions we had better use a normal user account. The trick is an old Microsoft NT 4.0 trick.

I wish you a good hunt and put some bite in it,

polonus

How do you log on as a system account?

Hello xistenz,

Good you asked, because it is not the thing you do every day, and it should be restricted to an emergency. So do use this information with care. Here we go:
First, open a command prompt (Start → Run → CMD). Second, type "at 19:30 /interactive cmd.exe" (the time should be in 24-hour format and 2 minutes ahead of the clock on the system). Wait until the new command window appears and notice that it says “svchost.exe”. You are now logged onto the SYSTEM account.
Right-click on the icon for the program you want to run and left-click on Properties. Highlight the text within the Target box on the Shortcut tab and press Ctrl-C to copy. Click back into your svchost.exe window, right-click on the small icon in the upper left hand corner, then left-click on Edit and Paste. Something like “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe” should appear. Press Enter and Spybot (or whatever) will run; but, with the very real difference that you will be running it as SYSTEM. Typing taskmgr will run the Task Manager; regedt32 will run the Registry Editor; though (rats), for some reason explorer still runs as your user account. If you know your commands, any of these will also work and, if you know the explicit entry to run for any of your programs, you don’t have to use the copy and paste method. At any rate, I have already seen several systems which said they were clean when Spybot was run as the user or the administrator; but, using this trick, several more items appeared. Use this trick wisely,

kindest regards,

your friend polonus

Thanks for the tip, polonus! :wink: ;D

Hi xistenz,

To explain it more in depth:

Here is a step by step guide I put together so other users could better understand the instructions.

Running Spyware Scans as the system account:

The command "at xx:xx /interactive cmd.exe<enter>" [where the xx:xx is the time two minutes in the future from the displayed system time] will open a CMD window labeled svchost.exe at that time, logged on as the SYSTEM account. From this command prompt you can launch almost any program by typing or pasting its full TARGET PATH. Any program selected will run as the SYSTEM account and, as such, have far greater permissions and power.

EXAMPLE - To schedule a task or program to run:

1. At the command prompt type: "at 19:30 /interactive cmd.exe" [without quotes]

It should look like this:

C:\>at 19:30 /interactive cmd.exe

2. Press enter [and directly below this line you should receive]:
Added a new job ID = 1 (or 2 if there is another command pending)

It should look like this:

C:\>at 19:30 /interactive cmd.exe
Added a new job ID = 1 (or 2 if there is another command pending)

3. Close the command prompt and after a couple of minutes, if you are using WinPatrol, Scotty will alert you that a new task has been added. When opening Scheduled Tasks in WinPatrol there will be an At1 entry identifying the program and scheduled run time. The command can be removed from Scheduled Tasks by WinPatrol.

4. Wait until the new command window appears [starts] at the scheduled time and you will notice that it says C:\Windows\System32\svchost.exe at the top and the command prompt says:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Windows\system32>

[You are now logged onto the SYSTEM account.]

5. In the Start Menu, right-click on the icon for the program you want to run and left-click on Properties.

6. Highlight the text within the Target box on the Shortcut tab and press Ctrl-C to copy, or right-click and select Copy.

7. Go back to the svchost.exe window and right-click on the small prompt icon in the upper left hand corner, to the left of C:\Windows\System32\svchost.exe.

8. From the drop-down box choose EDIT > PASTE [the full target path], or simply right-click and paste the path next to the command prompt line C:\Windows\system32>

It should look like this:

C:\Windows\system32>"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

C:\Windows\system32>

9. Press enter and Spybot [or any other selected program] will run; but, with the difference that you will be running it as SYSTEM.

NOTE: Also, typing taskmgr<enter> will run the Task Manager; regedt32<enter> will run the Registry Editor; though for some reason explorer still runs as your user account.

If you know your commands, any of these will also work and, if you know the explicit entry to run for any of your programs, you don't have to use the copy and paste method.

greets,

polonus
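The scheduling step from the guide above, as an added example that is not part of polonus's posts: a batch file that works out the time two minutes ahead of the system clock and submits the at job for you, so you do not have to read the clock and type the time by hand. It assumes cmd.exe on Windows XP/2003 with the Task Scheduler service running and a caller who is a local Administrator (at.exe refuses otherwise), and it parses %TIME% assuming the hour comes first and the fields are colon-separated, which is the en-US default; locales that use another separator need the delims adjusted. Two caveats for later Windows: from Vista onward, Session 0 isolation keeps a window started by the scheduler service off the interactive desktop, so /interactive no longer brings up a visible shell, and at.exe itself has since been deprecated in favour of schtasks. The trick as written is an XP-era one.

```batch
@echo off
rem Added example (not from the forum post): schedule an interactive cmd.exe
rem as SYSTEM two minutes from now with the NT/XP "at" scheduler.
rem Assumes: Windows XP/2003 cmd.exe, Task Scheduler service running,
rem run from an account with local Administrator rights.
setlocal enabledelayedexpansion

rem Pull hour and minute out of %TIME%. Assumed layout: "H:MM:SS.cc" or
rem "HH:MM:SS.cc" (hour first, colon-separated) as on an en-US system.
for /f "tokens=1,2 delims=:" %%a in ("%TIME%") do (
    set "HH=%%a"
    set "MM=%%b"
)

rem en-US pads a single-digit hour with a space; turn that into a zero,
rem and pad any one-character field so both are always two digits.
set "HH=!HH: =0!"
if "!HH:~1!"=="" set "HH=0!HH!"
if "!MM:~1!"=="" set "MM=0!MM!"

rem set /a reads a leading zero as octal and chokes on "08"/"09",
rem so prefix with 1 and subtract 100 to get a plain decimal value.
set /a HH=1!HH!-100
set /a MM=1!MM!-100

rem Two minutes ahead, wrapping past 59 minutes and past 23 hours.
rem "at" needs a time still in the future, or it schedules for tomorrow.
set /a MM+=2
if !MM! geq 60 (
    set /a MM-=60
    set /a HH+=1
    if !HH! geq 24 set /a HH-=24
)

rem Pad back to two digits for the 24-hour HH:MM form "at" expects.
if !HH! lss 10 set "HH=0!HH!"
if !MM! lss 10 set "MM=0!MM!"

echo Scheduling an interactive SYSTEM shell for !HH!:!MM!
at !HH!:!MM! /interactive cmd.exe

rem Show the job table so the job ID is visible; "at <id> /delete"
rem cancels it if you change your mind before it fires.
at

rem In the svchost.exe-titled window that opens at the scheduled time,
rem "whoami" (not on XP by default; it ships in the Support Tools /
rem Resource Kit) prints NT AUTHORITY\SYSTEM, a firmer check than the
rem window title alone.
endlocal
```

Save it as, for instance, sysshell.cmd and run it from an Administrator command prompt; leave that prompt open or close it, either way the new window appears at the printed time. Cancel a pending job with at followed by the job ID and /delete.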