{"id":21076487,"url":"https://github.com/phrozenio/powerrunassystem","last_synced_at":"2025-08-29T17:18:53.860Z","repository":{"id":41420925,"uuid":"460940382","full_name":"PhrozenIO/PowerRunAsSystem","owner":"PhrozenIO","description":"PowerRunAsSystem is a PowerShell script, also available as an installable module through the PowerShell Gallery, designed to impersonate the NT AUTHORITY/SYSTEM user and execute commands or launch interactive processes without relying on third-party tools. It achieves this using only native Windows built-in features.","archived":false,"fork":false,"pushed_at":"2024-10-15T09:18:08.000Z","size":3815,"stargazers_count":260,"open_issues_count":0,"forks_count":31,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-13T00:47:05.235Z","etag":null,"topics":["interactive","nt","powershell","process","system","windows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PhrozenIO.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-18T17:13:09.000Z","updated_at":"2025-04-11T11:00:47.000Z","dependencies_parsed_at":"2025-01-15T13:09:39.786Z","dependency_job_id":"63e08e64-238b-4aca-a328-d0b661d9e171","html_url":"https://github.com/PhrozenIO/PowerRunAsSystem","commit_stats":null,"previous_names":["phrozenio/powerrunassystem"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PhrozenIO%2FPowerRunAsSystem","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PhrozenIO%2FPowerRunAsSystem/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PhrozenIO%2FPowerRunAsSystem/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PhrozenIO%2FPowerRunAsSystem/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PhrozenIO","download_url":"https://codeload.github.com/PhrozenIO/PowerRunAsSystem/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248650433,"owners_count":21139672,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["interactive","nt","powershell","process","system","windows"],"created_at":"2024-11-19T19:28:37.424Z","updated_at":"2025-04-13T00:47:10.919Z","avatar_url":"https://github.com/PhrozenIO.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"**PowerRunAsSystem** is a PowerShell script, also available as an installable module through the PowerShell Gallery, designed to impersonate the **NT AUTHORITY/SYSTEM** user and execute commands or launch interactive processes without relying on third-party tools. It achieves this using only native Windows built-in features.\n\nTraditionally, elevating privileges to the SYSTEM user from an administrator account requires using tools like [PsExec from Sysinternals](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) or creating a custom service. 
With PowerRunAsSystem, you can accomplish the same goal using the built-in Windows Task Scheduler, eliminating the need for external utilities.\n\nThis tool allows you to:\n\n* Impersonate the SYSTEM user in the current terminal session\n* Run non-interactive commands as SYSTEM\n* Launch a new interactive process as SYSTEM (tied to the active terminal session)\n\nIn cases where graphical access to the machine is unavailable, you can redirect the input/output of the spawned SYSTEM process to a listener (e.g., a Netcat listener) for interaction.\n\n\u003e It’s important to note that administrative privileges are required to spawn a SYSTEM process in a standard configuration. Ensure that you either access a remote terminal (e.g., SSH or WinRM) with administrative rights or open a new terminal with elevated privileges (Run as Administrator).\n\n## Exported Functions\n\n* `Invoke-SystemCommand`\n* `Invoke-InteractiveSystemProcess`\n* `Invoke-ImpersonateSystem`\n* `Invoke-RevertToSelf`\n\n## Installation\n\n### PowerShell Gallery (Recommended)\n\nThe following commands for the installation process may require privileges (e.g., Administrative rights, appropriate Execution Policy settings). Ensure that you understand and meet these requirements before proceeding.\n\n```powershell\nInstall-Module -Name PowerRunAsSystem\nImport-Module -Name PowerRunAsSystem\n```\n\n### Importing as a Script\n\n```powershell\nIEX(Get-Content .\\PowerRunAsSystem.ps1 -Raw -Encoding UTF8)\n```\n\n## Usage\n\n### `Invoke-SystemCommand`\n\nSpawn a new process as the SYSTEM user via Task Scheduler. Note that the SYSTEM process will not be tied to the active terminal session, meaning it won’t be interactive. 
This is useful for quickly running commands as SYSTEM without needing direct interaction with the process.\n\n#### ⚙️ Available Arguments\n\n| Parameter               | Type             | Default                                        | Description                |\n|-------------------------|------------------|------------------------------------------------|----------------------------|\n| Application             | String           | powershell.exe                                 | Program to execute         |\n| Argument                | String           | -Command \"whoami \\| Out-File C:\\result.txt\"    | Optional program arguments |\n\n### `Invoke-InteractiveSystemProcess`\n\nSpawn a new interactive process as the SYSTEM user, which will be tied to the active terminal session and, if selected, visible on the current desktop.\n\nThis can be particularly useful in scenarios where an interactive SYSTEM process is needed. For instance, when using [Arcane Server](https://github.com/PhrozenIO/ArcaneServer), running it as an interactive SYSTEM process allows you to capture both the desktop and LogonUI/UAC prompts.\n\n![Interactive System Process](images/InteractiveSystem.png)\n\n#### ⚙️ Available Arguments\n\n| Parameter               | Type             | Default                                        | Description                                                                                    |\n|-------------------------|------------------|------------------------------------------------|------------------------------------------------------------------------------------------------|\n| CommandLine             | String           | powershell.exe                                 | The complete command line to execute.                                                          |\n| Hide                    | Switch           | None                                           | If present, the process is not visible.                                                      
  |\n| RedirectKind            | Choice           | None                                           | If the process input/output needs to be redirected to an external source (as discussed below)… |\n| Address                 | String           | None                                           | Used if the **RedirectKind** is set (as described below).                                      |\n| Port                    | Int (R: 0-65535) | None                                           | Used if the **RedirectKind** is set (as described below).                                      |\n\n#### Advanced Usage: RedirectKind Flag\n\n##### `None` (Default)\n\nNo specific redirection is used; the process is spawned normally. To interact with the process, you must do so through the desktop.\n\nIf a RedirectKind value other than `None` is specified, the `stdout`, `stderr`, and `stdin` of the process are redirected to a network socket. This setup enables interaction with the spawned process without requiring access to the desktop, which is particularly useful when the process is initiated from an SSH or WinRM session.\n\n##### `Bind`\n\nSpawn your interactive SYSTEM process:\n\n```powershell\nInvoke-InteractiveSystemProcess -RedirectKind \"Bind\" -Address \"0.0.0.0\" -Port 4444\n```\n\nIn the context of a bind shell, the address specifies the network interface to bind to. Using `0.0.0.0` means the shell will listen on all available network interfaces, while `127.0.0.1` restricts it to the loopback interface, making it accessible only from the local machine.\n\nThen, with Netcat, connect to the listener:\n\n```bash\nnc 127.0.0.1 4444\n```\n\nIn the context of a bind shell, it is important to note that the temporary SYSTEM process acting as the **launcher** will remain in a hanging state until a client connects to the listener. Only one client can connect to the listener, and only once. Once connected, an interactive SYSTEM process will be established. 
When the session/process ends, both the client and the listener are released, marking the termination of the **launcher**.\n\n##### `Reverse`\n\nCreate a new Netcat listener (adapt the command according to your operating system and version of Netcat):\n\n```bash\nnc -l 4444\n```\n\nThen, spawn your interactive SYSTEM process:\n\n```powershell\nInvoke-InteractiveSystemProcess -RedirectKind \"Reverse\" -Address \"127.0.0.1\" -Port 4444\n```\n\nIn the context of a reverse shell, it is important to note that the listener must be started before executing the reverse shell command. If the listener is not active, the attempt to spawn an interactive SYSTEM process will fail.\n\nEnjoy your SYSTEM shell 🐚\n\n![Reverse Interactive SYSTEM Shell](images/ReverseInteractive.png)\n\n### `Invoke-ImpersonateSystem`\n\nImpersonate the SYSTEM user within the current terminal session.\n\n![ImpersonateSystem](images/ImpersonateSystem.png)\n\n### `Invoke-RevertToSelf`\n\nStop user impersonation.\n\n![RevertToSelf](images/RevertToSelf.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphrozenio%2Fpowerrunassystem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphrozenio%2Fpowerrunassystem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphrozenio%2Fpowerrunassystem/lists"}