Run a PowerShell command as NT AUTHORITY\SYSTEM

Is there a way to run a PowerShell command as NT AUTHORITY\SYSTEM from a script?
I know I can use psexec and get a PowerShell prompt running as NT AUTHORITY\SYSTEM, but I was wondering if there's a way to do it from a "normal" script.

Solution 1:

You can use Invoke-TokenManipulation.ps1 script:

This script requires Administrator privileges. It can enumerate the Logon Tokens available and use them to create new processes. This allows you to use anothers users credentials over the network by creating a process with their logon token. This will work even with Windows 8.1 LSASS protections.

Copy-paste it or save alongside with your script as Invoke-TokenManipulation.ps1 and use dot-sourcing to load:

$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
. (Join-Path -Path $ScriptDir -ChildPath 'Invoke-TokenManipulation.ps1')

And then you can use Invoke-TokenManipulation function.

Example:

# This command fails on my machine, even with admin rights
Get-ChildItem C:\Windows\CSC

# Makes the current PowerShell thread impersonate SYSTEM.
Invoke-TokenManipulation -ImpersonateUser -Username "nt authority\system"

# Now we can get contents of this folder
Get-ChildItem C:\Windows\CSC

# Stop impersonating an alternate users Token
Invoke-TokenManipulation -RevToSelf

# Check again
Get-ChildItem C:\Windows\CSC

Solution 2:

https://github.com/mkellerman/Invoke-CommandAs

Made a function to Invoke-Command as SYSTEM, or provided credential, against local/remote computer. Returns PSObjects, handles network interruptions and resolves any Double-Hop issues.

Try it out let me know if this resolves your issues.