Where can I find data stored by a Windows Service running as "Local System Account"?

Solution 1:

The data you are looking for should not, by default, be located in "C:\Documents and Settings\Default User". That is the location of the default user profile, which is the template for new user profiles. Its only function is to be copied to a new folder for use as a user profile when a user logs onto the computer for the first time.

If the service is following Microsoft's guidelines, it will be storing data in the application data folder (%APPDATA%) or the local application data folder (%LOCALAPPDATA% on Windows Vista and later). It should not use the My Documents or Documents folders, but you might want to check there as well.

On a typical installation of Windows XP or Windows Server 2003, check the following locations for application data for programs running as Local System (NT AUTHORITY\SYSTEM):

  • C:\Windows\system32\config\systemprofile\Application Data\Vendor\Program
  • C:\Windows\system32\config\systemprofile\Local Settings\Application Data\Vendor\Program
  • C:\Windows\system32\config\systemprofile\My Documents

On a typical installation of Windows Vista and later versions, check the following locations for application data for programs running as Local System (NT AUTHORITY\SYSTEM):

  • C:\Windows\system32\config\systemprofile\AppData\Roaming\Vendor\Program
  • C:\Windows\system32\config\systemprofile\AppData\Local\Vendor\Program
  • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Vendor\Program
  • C:\Windows\system32\config\systemprofile\Documents

Of course, substitute the appropriate vendor name and program name for Vendor and Program.

[Edit - for bricelam] For 32-bit processes running on 64-bit Windows, it would be in SysWOW64.

  • C:\Windows\SysWOW64\config\systemprofile\AppData

Solution 2:

The destination changes over time. On Windows 10:

  • %systemroot%\ServiceProfiles

E.g.:

  • %systemroot%\ServiceProfiles\LocalService
  • %systemroot%\ServiceProfiles\NetworkService

Solution 3:

Go to Sysinternals and download procmon. You will need to know the name of the exe that the service runs as. Then you can use the filter in procmon to only list those activities generated by that application.

You should now be able to run through the list and determine which file this application is using. (NOTE: After several minutes of logging, you can use the file menu to stop monitoring.)

The entire Sysinternals suite can be downloaded as a single zip file and you may find other utils in the kit that can be helpful.


Solution 4:

From a real process running as SYSTEM (S-1-5-18).

  • GetUserName: SYSTEM
  • User Sid: S-1-5-18
  • GetUserNameEx(NameFullyQualifiedDN): CN=HYDROGEN,CN=Computers,DC=stackoverflow,DC=com
  • GetUserNameEx(NameSamCompatible): STACKOVERFLOW\HYDROGEN$
  • GetUserNameEx(NameDisplay): HYDROGEN$
  • GetUserNameEx(NameUniqueId): {b413b030-8e9a-49d2-9157-20afd58792dd}
  • GetUserNameEx(NameCanonical): stackoverflow.com/Computers/HYDROGEN
  • GetUserNameEx(NameUserPrincipal): [email protected]
  • GetUserNameEx(NameCanonicalEx): stackoverflow.com/ComputersHYDROGEN
  • GetUserNameEx(NameServicePrincipal): n/a
  • GetTempPath: C:\WINDOWS\TEMP\
  • CSIDL_APPDATA: C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
  • CSIDL_LOCAL_APPDATA: C:\WINDOWS\system32\config\systemprofile\AppData\Local
  • CSIDL_COMMON_APPDATA: C:\ProgramData
  • CSIDL_PROFILE: C:\WINDOWS\system32\config\systemprofile
  • CSIDL_PERSONAL: n/a

Local Service

  • GetUserName: LOCAL SERVICE
  • User Sid: S-1-5-1
  • GetUserNameEx(NameFullyQualifiedDN): n/a
  • GetUserNameEx(NameSamCompatible): NT AUTHORITY\LOCAL SERVICE
  • GetUserNameEx(NameDisplay): n/a
  • GetUserNameEx(NameUniqueId): n/a
  • GetUserNameEx(NameCanonical): n/a
  • GetUserNameEx(NameUserPrincipal): n/a
  • GetUserNameEx(NameCanonicalEx): n/a
  • GetUserNameEx(NameServicePrincipal): n/a
  • GetTempPath: C:\WINDOWS\SERVIC~3\LOCALS~1\AppData\Local\Temp\
  • CSIDL_APPDATA: C:\WINDOWS\ServiceProfiles\LocalService\AppData\Roaming
  • CSIDL_LOCAL_APPDATA: C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local
  • CSIDL_COMMON_APPDATA: C:\ProgramData
  • CSIDL_PROFILE: C:\WINDOWS\ServiceProfiles\LocalService
  • CSIDL_PERSONAL: C:\WINDOWS\ServiceProfiles\LocalService\Documents

Network Service

  • GetUserName: HYDROGEN$
  • User Sid: S-1-5-2
  • GetUserNameEx(NameFullyQualifiedDN): CN=HYDROGEN,CN=Computers,DC=avatopia,DC=com
  • GetUserNameEx(NameSamCompatible): AVATOPIA\HYDROGEN$
  • GetUserNameEx(NameDisplay): HYDROGEN$
  • GetUserNameEx(NameUniqueId): {b413b030-8e9a-49d2-9157-20afd58792dd}
  • GetUserNameEx(NameCanonical): stackoverflow.com/Computers/HYDROGEN
  • GetUserNameEx(NameUserPrincipal): [email protected]
  • GetUserNameEx(NameCanonicalEx): stackoverflow.com/ComputersHYDROGEN
  • GetUserNameEx(NameServicePrincipal): n/a
  • GetTempPath: C:\WINDOWS\SERVIC~3\NETWOR~1\AppData\Local\Temp\
  • CSIDL_APPDATA: C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Roaming
  • CSIDL_LOCAL_APPDATA: C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local
  • CSIDL_COMMON_APPDATA: C:\ProgramData
  • CSIDL_PROFILE: C:\WINDOWS\ServiceProfiles\NetworkService
  • CSIDL_PERSONAL: C:\WINDOWS\ServiceProfiles\NetworkService\Documents
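
The following is an added example, not part of any of the answers above: a PowerShell sketch that resolves a service's logon account to its SID, reads that account's profile directory from the ProfileList registry key, and lists the per-vendor folders under its AppData directories, including the SysWOW64 copy of the Local System profile mentioned in Solution 1. The default service name is a placeholder; run it elevated from a 64-bit PowerShell session so that system32 is not redirected.

```powershell
# Added example: locate the profile and AppData folders used by a service account.
param([string]$ServiceName = 'Spooler')   # placeholder default; pass your own service name

$svc = Get-CimInstance -ClassName Win32_Service | Where-Object Name -eq $ServiceName
if (-not $svc) { throw "Service '$ServiceName' not found." }

# Win32_Service reports Local System as 'LocalSystem'; map it to a name that resolves to a SID.
$account = $svc.StartName
if ([string]::IsNullOrEmpty($account) -or $account -eq 'LocalSystem') {
    $account = 'NT AUTHORITY\SYSTEM'
}
# Local accounts are reported as '.\name'; replace the dot with the computer name.
$account = $account -replace '^\.\\', "${env:COMPUTERNAME}\"

$sid = ([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Each account that has a profile has a subkey named after its SID under ProfileList.
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
if (-not (Test-Path -LiteralPath $key)) {
    throw "No profile registered for $account ($sid)."
}
$profilePath = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -LiteralPath $key).ProfileImagePath)

# 32-bit services running as Local System on 64-bit Windows use the SysWOW64 copy.
$roots = @($profilePath)
if ($sid -eq 'S-1-5-18' -and [Environment]::Is64BitOperatingSystem) {
    $roots += Join-Path $env:SystemRoot 'SysWOW64\config\systemprofile'
}

# List the vendor folders under each AppData location (-Force includes hidden items).
foreach ($root in $roots) {
    foreach ($sub in 'AppData\Roaming', 'AppData\Local', 'AppData\LocalLow') {
        $dir = Join-Path $root $sub
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Directory -Force |
                Select-Object @{ n = 'Account'; e = { $account } }, FullName, LastWriteTime
        }
    }
}
```

Sorting the output by LastWriteTime is a quick way to spot which folder a running service is actually writing to before confirming with procmon.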

Solution 5:

I have used a service running as the 'Local System' account and user data is stored in:

c:\Documents and Settings\LocalService

This is a hidden folder and took me a while to find it. Hope this helps.