On 09.05.2019 17:44, Bill Stewart wrote:
> On Thu, May 9, 2019 at 6:20 AM Andrey Repin wrote:
> 
>> Again, there's simply no equivalent of "god user" from *NIX in Windows
>> permissions system.
> 
> That's not really correct. An account that is a member of the
> Administrators local group (localized name can be different, SID is
> S-1-5-32-544) is a root/superuser equivalent.
> 
> It is true that some objects have permissions that prevent Administrators
> from accessing them, but any member of Administrators can take
> ownership/change permissions/run as SYSTEM and access those objects.

IIRC, even Administrators can't run as SYSTEM. To run as SYSTEM, you need to
somehow coerce a process that runs as SYSTEM to do something for you. Usually
achieved by running a [temporary] service and having it do what you want to be
done.

Notably, SYSTEM (but not Administrator) can impersonate any other user without
needing a password (other users can only impersonate with a password - i.e.
they need to authenticate themselves). In that sense SYSTEM is the true root
(though there are other high-privilege accounts, such as Trusted Installer and
Local Service that might be able to do the same things).