Local System Account and Null Sessions in Windows NT

 Last reviewed: March 9, 1998
Article ID: Q132679

The information in this article applies to:
  • Microsoft Windows NT operating system version 3.1
  • Microsoft Windows NT Advanced Server version 3.1
  • Microsoft Windows NT Workstation versions 3.5 and 3.51
  • Microsoft Windows NT Server versions 3.5 and 3.51
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0

SUMMARY

This article discusses the Local System account and its security implications, as well as a useful way to run applications in Local System security context.

MORE INFORMATION

Background

The shell application (typically PROGMAN.EXE) runs under the DOMAIN\USER security context. Most processes started from the shell process inherit the same security context.

When setting up Windows NT services, you choose a security context for the service to be started under (because these services are typically not started by a user). To check the security being used by a service:

  1. Run Control Panel and choose Services.

  2. Select a service and choose Startup.

The security context of the service is set in the Log On As window pane.

Services Using The System Account

Services using the system account start in the system context (without credentials). In Windows NT 3.5 and later, Windows NT services with no credentials (no domain name, user name, or password) that attempt to connect to network resources are denied access (because they have no credentials and are using a null session). For additional information, please see the following article in the Microsoft Knowledge Base: 

   ARTICLE-ID: Q122702
   TITLE     : Using the System Account as a Service in Windows NT 3.5
NOTE: System Account and This Account: Local System use the same account.

A null session is only established when there are no credentials for a process to start under (no user name or password). Typically, the only operating system itself runs as system.

On the local machine, the operating system is known as: 

   Default Owner:   Administrators    local group
   User:            System            pseudo group - local group scope
   Groups:          Administrators    local group
                    Everyone          pseudo group - local group scope
When this context is used to access the network, a null session is used. This produces the following context on remote machines: 

   Default Owner:   Everyone
   User:            Everyone
   Groups:          AnonymousLogon    pseudo group - local group scope
                    Network           pseudo group - local group scope
Only three identifiers can provide the null session access (Everyone, AnonymousLogon, and Network). The local system context and null session context have only the identifier Everyone in common. To configure Windows NT so that a service can access objects on its own machine directly, as well as over the network, use the Everyone identifier.

The default owners of these two contexts (as well as their default DACLs) are different. Any files you created in these contexts will be owned by Administrators. Any files you create through a null session will be owned by Everyone.

Additional query words: prodnt localsystem username
Keywords : nthowto ntnetserv ntregistry ntsecurity NTSrvWkst ntutil kbusage
Version : 3.1 3.5 3.51 4.0
Platform : winnt

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: March 9, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.