
The most important to me -- will it be possible to kill a process that is owned by the system user

Open tlsalex opened this issue 6 years ago • 6 comments

As we know, the system account in Windows is like the root account in Linux -- the most powerful user.

There are many processes or services that run as the system user, including Windows' own services and 3rd-party software like antivirus software - in more detail, let's say it's Symantec Endpoint Protection.

Sometimes antivirus software just does some shitty things, and I just want to kill it to continue my job.

Let's say we have the scenario below: ntop is running under my account, xxx.xx, and my account is in the local Administrators group. Will it be possible for ntop itself to elevate the current account to the system account, in order to kill a process that runs as the system account?

tlsalex avatar Jul 22 '19 14:07 tlsalex

You can run NTop "as Administrator" and it should work. Do you mean that NTop should call the UAC prompt to gain admin rights?

gsass1 avatar Jul 22 '19 14:07 gsass1

Sorry, maybe it's a little complicated thing about this system account. To my knowledge, the system account can refer to "NT Authority\System" or "LocalSystem".

It's the most powerful user, and the administrator is the second one.

In short: NT Authority\System = Local System = SYSTEM = S-1-5-18

Some examples: some

tlsalex avatar Jul 22 '19 15:07 tlsalex

also

whoami

tlsalex avatar Jul 22 '19 15:07 tlsalex

At least on my machine it's possible to end SYSTEM processes when running as administrator with the exception of some service processes which apparently just can't be shut down.

gsass1 avatar Jul 22 '19 15:07 gsass1

```
2536 SYSTEM 8 00.0% 39.1 MB 120 0.0 MB/s 11:19:03:38 | - ccSvcHst.exe
11280 xxxx.xx 8 00.0% 6.6 MB 21 0.0 MB/s 08:01:46:02 | | - ccSvcHst.exe
```

Above are the Symantec Endpoint Protection processes running on my laptop. I tried to kill them, but there seems to be no way to do that, as my account is not a system account. I think if ntop runs under the system account, then ntop can kill it without a problem. So I hope ntop will have the ability to elevate the current account to the system account (or we can say, switch to the most powerful user account).

tlsalex avatar Jul 23 '19 04:07 tlsalex

Did you try running psexec with the -u switch? Or do you have an example program that provides this functionality?

The "Run As..." dialog exists for about the same reason that "sudo" or "doas" exist -- running a process as another user is the OS's job, not the program itself. I don't recall functions permitting that, because once you're in the CLI, you're already within the program, unless a new process is spawned to spawn another instance of ntop.

dd86k avatar Jan 29 '20 16:01 dd86k