davismccarn
Captain

 Joined: Feb 23, 2005 Posts: 527 Location: USA
Posted: Wed Feb 23, 2005 1:20 pm Post subject: Run Antispyware as the System account! |
Spyware Hunters, Put Some Teeth In Your Attacks!
Thanks to a very old trick I found in Microsoft's knowledgebase for Windows NT 4, you can now add far greater power and effectiveness to your hunts for malware by logging on as the SYSTEM account before running your favorite spyware removal tools. Because the account supersedes all user accounts on the system, including the administrator, this technique will reveal and remove things that otherwise would not be seen.
First, open a command prompt ( Start -> Run -> CMD<enter> )
Second, type at 19:30 /interactive cmd.exe<enter> ( the time should be in 24 hour format and 2 minutes in the future of the clock on the system )
Wait until the new command window appears and notice that it says "svchost.exe". You are now logged onto the SYSTEM account.
Right-click on the icon for the program you want to run and left-click on properties. Highlight the text within the Target box on the Shortcut tab and press ctrl-c to copy. Click back into your svchost.exe window, right-click on the small icon in the upper left hand corner, then left-click on Edit and Paste. Something like "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" should appear.
Press enter and Spybot ( or whatever ) will run; but, with the very real difference that you will be running it as SYSTEM.
Typing taskmgr<enter> will run the task manager; regedt32<enter> will run the registry editor; though (rats), for some reason explorer still runs as your user account. If you know your commands, any of these will also work and, if you know the explicit entry to run for any of your programs, you don't have to use the copy and paste method.
At any rate, I have already seen several systems which said they were clean when Spybot was run as the user or the administrator; but, using this trick, several more items appeared.
_________________
Computer service for over 30 years! http://www.Computer-Help.Net
Prince_Serendip
Site Moderator
 Joined: Sep 07, 2002 Posts: 17542
Posted: Wed Feb 23, 2005 5:21 pm Post subject: |
Hi davismccarn,
Thanks for sharing this with us. Your post/thread have just been "stickied."
Best regards
Mister2
SRT Team Lead
 Premium Member
 Joined: Oct 28, 2004 Posts: 7325
Posted: Wed Feb 23, 2005 6:36 pm Post subject: |
Cooool!!!!!!!!
What's the difference between system and admin account? (In simple terms)
_________________
Never stop learning
quietman7
1st Responder Mentor
 Joined: Sep 30, 2004 Posts: 3566 Location: Virginia, USA
Posted: Mon Feb 28, 2005 3:48 pm Post subject: |
The system account is an internal account [that does not show up] and is used by the OS and by services that run under Windows.
See details here:
http://support.microsoft.com/kb/120929
http://support.microsoft.com/kb/q132679/
The Administrator account is a member of the Administrators group and it is the one you use when first setting up a workstation or member server. It is used to create an account for yourself.
DickT - Just the Facts
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"
MODUS OPERANDIS: "Knowledge and the ability to use it is the best defensive tool anyone could have. An uninformed user can be his or her own worst enemy."
Last edited by quietman7 on Sat May 07, 2005 11:48 am, edited 1 time in total
Mister2
SRT Team Lead
 Premium Member
 Joined: Oct 28, 2004 Posts: 7325
Posted: Mon Feb 28, 2005 8:16 pm Post subject: |
Thanks for that - I've learned something new
_________________
Never stop learning
Bill_Bright
General
 Premium Member
 Joined: Jan 16, 2004 Posts: 9027 Location: Nebraska, USA
quietman7
1st Responder Mentor
 Joined: Sep 30, 2004 Posts: 3566 Location: Virginia, USA
Posted: Mon Feb 28, 2005 11:05 pm Post subject: |
Here is a step by step guide I put together so other users could better understand davismccarn's instructions. He already looked it over in another post but I forgot where we were discussing this.
Running Spyware Scans as the system account:
The command "at xx:xx /interactive cmd.exe<enter>" [where the xx:xx is the time two minutes in the future from the displayed system time] will open a CMD window labeled svchost.exe at that time, logged on as the SYSTEM account. From this command prompt you can launch almost any program by typing or pasting its full TARGET PATH. Any program selected will run as the SYSTEM account and, as such, have far greater permissions and power.
EXAMPLE - To schedule a task or program to run:
1. At the command prompt type: "at 19:30 /interactive cmd.exe" [without quotes]
It should look like this:
C:\>at 19:30 /interactive cmd.exe
2. Press enter [and directly below this line you should receive]:
Added a new job ID = 1 (or 2 if there is another command pending)
It should look like this:
C:\>at 19:30 /interactive cmd.exe
Added a new job ID = 1 (or 2 if there is another command pending)
3. Close the command prompt and after a couple minutes if you are using Winpatrol, Scotty will alert you that a new task has been added. When opening Scheduled Tasks in Win Patrol there will be an At1 entry identifying the program and scheduled run time. The command can be removed from Scheduled Tasks by Win Patrol.
4. Wait until the new command window appears [starts] at the scheduled time and you will notice that it says C:\Windows\System32\svchost.exe at the top and the command prompt says:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Windows\system32>
[You are now logged onto the SYSTEM account.]
5. In the Start Menu or right-click on the icon for the program you want to run and left-click on properties.
6. Highlight the text within the Target box on the Shortcut tab and press ctrl-c to copy or right-click and select copy.
7. Go back to the svchost.exe window and right-click on the small prompt icon in the upper left hand corner to the left of C:\Windows\System32\svchost.exe.
8. From the drop down box choose EDIT > PASTE [the full target path] or simply right-click and paste the path next to the command prompt line C:\Windows\system32>
It should look like this:
C:\Windows\system32>"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
C:\Windows\system32>
9. Press enter and Spybot [or any other selected program] will run; but, with the difference that you will be running it as SYSTEM.
NOTE: Also, typing taskmgr<enter> will run the task manager; regedt32<enter> will run the registry editor; though for some reason explorer still runs as your user account.
If you know your commands, any of these will also work and, if you know the explicit entry to run for any of your programs, you don't have to use the copy and paste method.
Last edited by quietman7 on Thu May 05, 2005 10:25 am, edited 1 time in total
MechaMozilla
Private

 Joined: Sep 10, 2005 Posts: 39 Location: USA
Posted: Thu Sep 15, 2005 8:02 am Post subject: |
How does this compare to running SPYBOT (or whatever) in safe mode?
njonsey
Cadet
 Premium Member
 Joined: May 27, 2005 Posts: 1 Location: USA
Posted: Fri Sep 23, 2005 6:00 pm Post subject: Thanks For the INFO |
Thanks for the info.
Aiur850
Cadet

 Joined: Jan 03, 2007 Posts: 3 Location: USA
Posted: Wed Jan 03, 2007 6:04 am Post subject: |
Actually, this method does not actually "log into" the system account. It only simulates an interactive window of the system account with its privileges. If you actually want to "log into" the system account, follow the steps above, except when the svchost.exe window pops up at the time you command it to, kill the explorer.exe process in the task manager while leaving the command prompt window open, then type explorer.exe in the command prompt window left open.
This will actually log into the system account and you can move about Windows as a true system-account-privileged user. You will find it much easier to run scans and manage things from this account instead of having to cut and paste commands into the command prompt. To be sure you successfully logged into the account, click the start menu. If you have XP configured a certain way near default, it should say "system" at the top, indicating that you're logged in as the system account user. I find this very useful in manually cleaning out files or removing certain registry keys that sometimes will not delete even under the administrator account. Enjoy.
Mike
Aiur850
Cadet

 Joined: Jan 03, 2007 Posts: 3 Location: USA
Posted: Wed Jan 03, 2007 6:09 am Post subject: |
Double posted accidentally, deleted message.
r2baruch
Sergeant

 Joined: Dec 30, 2004 Posts: 116
Posted: Fri Feb 16, 2007 10:37 am Post subject: |
That is very interesting, but is this procedure necessary for programs that are active in all accounts such as antivirus and antispyware programs?
_________________
I use WinXP-SP2-Home, AVG-Free, WinPatrol, Comodo firewall, Spyware Guard, Spyware Blaster, IESpyads, Mailwasher Free, Windows Defender
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sun Feb 18, 2007 11:18 pm Post subject: |
It will vary depending on the application. Some recent releases of top tier applications already run under the system account so those would not require this procedure (Counterspy 2.1 is an example).
To determine whether your apps need it or not simply open Task Manager (while the app is running) and click on the Processes tab. If the application's process shows System under User Name then it is operating under the system account already. Note that SpywareBlaster and IESpyads do not actually run so you can forget about checking them.
_________________
MS MVP Security 2006-2008
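The three manual checks the thread relies on, done from PowerShell instead of by eye: whether the current shell really is SYSTEM (the "You are now logged onto the SYSTEM account" step), which account each process belongs to (the Task Manager "User Name" check Oldfrog describes), and which scheduled tasks run as SYSTEM (where the At1 job from step 3 of quietman7's guide would be listed). This is an added example, not code posted by anyone in the thread; it assumes Windows PowerShell 3.0 or later for the CIM cmdlets and the built-in schtasks.exe, and the function names are my own.

```powershell
# Added example (not from the forum thread): automate the Task Manager and
# Scheduled Tasks inspections described in the posts above.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance / Invoke-CimMethod) and schtasks.exe.

# 1. Which account is this shell running as? S-1-5-18 is the well-known SID of
#    LocalSystem, so comparing SIDs avoids any dependence on display names.
function Test-RunningAsSystem {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Account  = $identity.Name
        IsSystem = ($identity.User.Value -eq 'S-1-5-18')
    }
}

# 2. Which account owns each process? This is the "User Name" column of Task
#    Manager's Processes tab; pass image names to restrict the report.
function Get-ProcessOwnerReport {
    param([string[]]$Name = @())   # e.g. 'SpybotSD.exe'; empty = every process

    $procs = Get-CimInstance -ClassName Win32_Process
    if ($Name.Count -gt 0) {
        $procs = $procs | Where-Object { $Name -contains $_.Name }
    }

    foreach ($p in $procs) {
        # GetOwner returns a non-zero ReturnValue for processes this shell
        # is not allowed to open, so report those explicitly instead of failing.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $account = if ($owner.ReturnValue -eq 0) {
            '{0}\{1}' -f $owner.Domain, $owner.User
        } else {
            '<access denied>'
        }
        [pscustomobject]@{
            ProcessId    = $p.ProcessId
            Name         = $p.Name
            Account      = $account
            RunsAsSystem = ($account -ieq 'NT AUTHORITY\SYSTEM')
        }
    }
}

# 3. Which scheduled tasks are configured to run as SYSTEM? /V adds the
#    'Run As User' and 'Task To Run' columns; /FO CSV makes the output parseable.
#    An 'At1' job created with the at command appears here with Run As User = SYSTEM.
function Get-SystemScheduledTask {
    schtasks.exe /Query /V /FO CSV |
        ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -match 'SYSTEM' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time', 'Run As User'
}

# Usage: run from the shell you want to verify.
Test-RunningAsSystem
Get-ProcessOwnerReport -Name 'SpybotSD.exe', 'cmd.exe' | Format-Table -AutoSize
Get-SystemScheduledTask | Format-Table -AutoSize
```

Run Test-RunningAsSystem inside the window the at job opens and IsSystem should be True; run it from a normal prompt and it is False. Get-ProcessOwnerReport answers Oldfrog's question directly (a scanner whose Account column already reads NT AUTHORITY\SYSTEM gains nothing from the at trick), and Get-SystemScheduledTask shows every task that will run with that level of privilege, which is also the list a defender should be reviewing for entries nobody remembers creating.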
Montalvo
Trooper

 Joined: Nov 22, 2005 Posts: 16 Location: USA
Posted: Wed Sep 19, 2007 3:08 am Post subject: |
I was curious about what might turn up using the system account so I ran a full scan with AdAware from my admin account and I found 15 innocuous files, which I left intact. Then I immediately ran it again using the system account and found 14 (one less) files.
Why would the number of hits be LESS using the system account?