TokenSnatcher – Run As System

Run As System

Do you sometimes run into situations where being Administrator just doesn’t cut it?

  • Trying to access hidden registry keys?
  • Trying to remove the godforsaken c:\windows\csc folder?
  • Trying to stop a service just to get access denied?
  • etc. etc. etc.

One obvious solution would be to elevate your own credentials to System credentials. Running a process as System will allow you to do pretty much anything on the system (so take care!).

Most people facing this challenge will turn to PsExec.exe from Microsoft (formerly Sysinternals).

Here at Easy365Manager we have tremendous admiration for Mark Russinovich, the creator of PsExec. Unlike TokenSnatcher, the PsExec tool is very well tested and we highly recommend using that tool whenever possible.

However, PsExec does leave a footprint, which includes the installation of a Windows service on your system. In some cases that may not be desired or possible.

Also, maybe you want to be someone other than System? With TokenSnatcher you can become anyone “dumb enough” to run a process on your system!

How Does TokenSnatcher Work?

TokenSnatcher is a standalone executable that doesn’t install anything. It uses your Administrator credentials (you must have local administrator rights to run it) to scan all processes running on your system.

After scanning the processes TokenSnatcher will present you with a list of all the identities running processes on your system:

TokenSnatcher screenshot

Simply type the number of the process token (the identity) you want to snatch, and TokenSnatcher will spawn a new command prompt running as the selected identity.

To confirm your new identity in the spawned command prompt you can run whoami /all. In the output below you can see that I chose to copy the token of a process running as System:

c:\>whoami /all


User Name           SID
=================== ========
nt authority\system S-1-5-18


Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384


Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Disabled
SeRelabelPrivilege                        Modify an object label                                             Disabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

As seen in the output the process is now running as System.

Any program you start from the new command prompt will inherit the selected identity. If you start RegEdit, for example, it will now run as System, which reveals registry keys that are hidden from the local administrator account.

Warning! Privilege Escalation

One thing to notice is that TokenSnatcher will allow you to steal ANY identity (token) running a process on your system. This includes the identities of your fellow administrators:

TokenSnatcher screenshot

On the system where I’m running TokenSnatcher you can see that Jolene is running PowerShell, Joe is running an MMC (in this case AD Users & Computers) and Jill is running a command prompt.

I can now steal their credentials simply (and only) because I am local system administrator (nothing else is required).

Wait!!! Does that mean:

  • Can you steal the identity of a domain admin? YES
  • Can the stolen credentials be used to mess around in Active Directory? YES
  • Can you access other servers remotely using the stolen identity? YES

Oh my … ! Really scary stuff!!!

If you think about it for a few seconds you will understand why you should NEVER EVER allow a lower level administrator to be local administrator on a system where higher level administrators (or services) are running programs.

This aspect of Windows security is often overlooked!

It takes a lot of thoughtful planning to avoid exposing your admins to identity theft in a large, complex network!
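As a starting point for that planning, the following audit script is an added example (it is not TokenSnatcher’s code): it lists the identities that currently own processes on a host, the same set of tokens a local administrator on that host could reach, and flags the ones you classify as higher-tier accounts. It assumes an elevated PowerShell session on the host being audited; the $TieredAccounts list holds constructed placeholder account names.

```powershell
# Added example, not part of TokenSnatcher. Run elevated on the host you want to audit.
# $TieredAccounts is a constructed placeholder: replace with your own higher-tier admin accounts.
$TieredAccounts = @('CONTOSO\Jolene', 'CONTOSO\Joe', 'CONTOSO\Jill')

function Get-ProcessTokenExposure {
    param([string[]] $PrivilegedAccounts = @())

    # Resolve the owner of every process; GetOwner returns ReturnValue 0 on success.
    $owners = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($o.ReturnValue -eq 0 -and $o.User) {
            [pscustomobject]@{
                Identity    = "$($o.Domain)\$($o.User)"
                ProcessName = $p.Name
                ProcessId   = $p.ProcessId
            }
        }
    }

    # One row per identity (the same view TokenSnatcher presents), with the processes carrying it.
    $owners | Group-Object -Property Identity | ForEach-Object {
        [pscustomobject]@{
            Identity   = $_.Name
            Processes  = ($_.Group.ProcessName | Sort-Object -Unique) -join ', '
            Count      = $_.Count
            Privileged = $PrivilegedAccounts -contains $_.Name   # case-insensitive match
        }
    } | Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, Identity
}

$report = Get-ProcessTokenExposure -PrivilegedAccounts $TieredAccounts
$report | Format-Table -AutoSize

# Any higher-tier account listed here has a token reachable by every local admin on this host.
$exposed = $report | Where-Object { $_.Privileged }
if ($exposed) {
    Write-Warning ("Higher-tier identities have processes on {0}: {1}" -f $env:COMPUTERNAME, ($exposed.Identity -join ', '))
}
```

Run it periodically (or from a scheduled task) on servers where different administrator tiers log on; any warning it prints is a case of the exposure described above.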

FYI, TokenSnatcher only uses standard, publicly available Windows API calls. Creatively? For sure! But no funny stuff or undocumented exploits are going on here.

Technical Deep Dive

If you really would like to dive into the technicalities of TokenSnatcher, process tokens and security identity inheritance, have a look at this video:

The video has a technical walkthrough of the theory behind privilege escalation on the Windows operating system.

After the theory you’ll find a demo of TokenSnatcher. Click here to go directly to the demo.

The information in the video should make nice input for your next security team meeting! 😉

Download TokenSnatcher

Please make sure to read and understand all of the above information before downloading and running TokenSnatcher.

Disclaimer: The software featured in this post is provided as-is. Use entirely at your own discretion.


By downloading TokenSnatcher you agree to take full responsibility of any problems related to its use.