Article ID: 132679
Article Last Modified on 11/1/2006
APPLIES TO
- Microsoft Windows NT Advanced Server 3.1
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Workstation 3.1
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows NT Advanced Server 3.1
This article was previously published under Q132679
SUMMARY
This article discusses the Local System account and its security
implications, as well as a useful way to run applications in Local System
security context.
MORE INFORMATION
Background
The shell application, which is typically Progman.exe, runs under the Domain\User
security context. Most processes that start from the shell process inherit the same security context.
When you set up Windows NT services, you choose a security context
for the service to be started under (because these services are typically
not started by a user). To check the security being used by a service:
- Click Start, click Run, type control panel, and then double click Services.
- Select a service, and then click Startup.
The security context of the service is set in the Log On As window pane.
Services Using The System Account
Services that use the system account start in the system context (without
credentials). In Windows NT 3.5 and later, Windows NT services with no
credentials (no domain name, user name, or password) that attempt to
connect to network resources are denied access because they have no
credentials and they are using a null session.
For additional information, click the article number below
to view the article in the Microsoft Knowledge Base:
122702 Using the System Account as a Service in Windows NT 3.5
: System Account and This Account: Local System use the same account.
A null session is only established when there are no credentials for a
process to start under (no user name or password). Typically, only the
operating system itself runs as system.
On the local computer, the operating system is known as:
Default Owner: Administrators local group
User: System pseudo group - local group scope
Groups: Administrators local group
Everyone pseudo group - local group scope
When this context is used to access the network, a null session is used.
This produces the following context on remote computers:
Default Owner: Everyone
User: Everyone
Groups: AnonymousLogon pseudo group - local group scope
Network pseudo group - local group scope
Only three identifiers can provide the null session access (Everyone,
AnonymousLogon, and Network). The local system context and null session
context have only the identifier Everyone in common. To configure Windows
NT so that a service can access objects on its own computer directly, as
well as over the network, use the Everyone identifier.
The default owners of these two contexts (as well as their default DACLs)
are different. Any files you created in these contexts will be owned by
Administrators. Any files you create through a null session will be owned
by Everyone.
Additional query words: prodnt localsystem username
Keywords: kbusage KB132679