What is NT AUTHORITY\SYSTEM
by tomron - 5/16/06 6:50 PM
It is listed in system properties>under user profiles.
For some reason,why i don't know it appeared there.
OS 2K pro
Attention forum users: We want you to try out the new CNET forums platform! Click here to read the details. Thanks!
by: tomron May 16, 2006 6:50 PM PDT
0 people like this thread
Total posts: 22 (Showing page 1 of 1)
This is typically a security access settings for shared folders on a network. Usually set up using the Everyone account, if I stated this all correctly. There are many issues though with this so if you are experiencing any strange behavior (with your PC, not you) let me know.
with FF timeing out more then before.
I don't have any shared folders on a network.
It's The 'Local System' Account...
It runs as an administrator type account with high-level rights. Not really designed as a typical "user" account as many of the underlying services such as .NET Framework run in this account..
It's best left alone.
Hope this helps.
The reasons I stated about unusual behavior is this, Nt Authority has many exploit problems and many people end up with viruses or whatever. How did you notice this folder? Actually let me ask you a simple question, do you have anti-virus? All your updates? Firewall? """I am not saying it's infected,""" but browser time-outs, windows shut downs among other problems can be signs of this being a virus. Not to worry , just making sure and as stated by Grif, simply leave it alone. It won't bother you otherwise.
I have many programs (check my profile) and everything is updated.
I noticed it when i right clicked on my computer>properties>user profile tab.
What i don't understand is it was never there before,why is it there all of o sudden?
I can't be absolutely sure why it suddenly appeared there, there could have been a thousand things you may have done or not. I would really like to know if you have anti-virus installed or firewall. If you do, just do a virus scan first. The reason I say this is because this folder has many security issues, fixes, patches , what have you. If it is being attacked, it may have caused the folder to appear there, or not. I would simply like to make sure.
I have AV and firewall installed,thats why i said check my profile.The profile tells all the applicable info.
I have no viruses,spyware,and so on
It's best left alone..
The NT Authority/System profile is visible on many Windows 2000 machines. It's not a problem and can normally be ignored. It may have been there and you didn't notice it or it may have appeared after you updated your computer with a .NET Framework program or a service that uses that particular profile.
Hope this helps.
Thanx Grif and Paul
I know,I was just responding to paul,mainly regarding his questions about my antivirus programs an such.
I just wanted to explain that I wasn't stepping on your toes here, and completely agree with your info. I did state that I agree with you and it should be left alone.
I simply wanted him to do a virus check because this folder is a prime target many times. With his browser acting up with time outs(which time outs can be caused by a virus) a folder appearing, etc...although if they had the NT Authority shut down constantly, I would have definately suspected the msblast.exe. I just thought a check may be in order for the sake of safety. If no virus found, then no harm done, no folder touched.
Take care, Paul
I have been working with this for 25 days now. This seems to me to be very serious. Not quiet sure exactly how you get this. But from the files i have decrypted so far. Looks like it came from a quiz on face book "IQTest" it installs the Trojan arcbomb.ZIQ on your computer. It also is being spread by way of an email you receive from a friend telling you about a new dangerous virus.
any way i have the whole UN-encrypted script of the virus. it is set to disable your alerter service first. then it creates a new user. then petitions for user priveleges to be granted these authenticated user,.Power user..back-up operator and restricted user. then it creates new work groups then 7 new users like this S-1-5-34-"random big number" it then sets u up as a limited user with read only rights. disables the av engine, disables windows updates and it takes you to a new page stored in the systewm32 files that it created for you that it does updates for itself installed from a nt\authority remote desktop user. it enables the remote registry. and from there it has complete control. Now where the crazy part comes in. It installs a wrapper program that allows it to run multiple OS. I think this is done at 3am by remote desktop. it also installs acronis disk editor hidden and partitions your HD it creates an extended virtual part and installs Windows nt 5.1 server and Linux solaris. it also creates a 7.8 MB partition on your hd B: drive RAM-DISK and stores an encrypted hidden compressed file that has a clone and backup files to fix any problem you may cause. If you use the D.O.D 36 pass wipe it still there. You can watch the logs when you install new OS it puts files in where it needs them. when you start your new install up it will have full control again within 15 minutes. I have found different ways it stores this hidden file 1. it uses Bitlocker 2. it uses the EISA partition. This remote desktop i have traced to Madrid & Bombay and Germany. I can email a copy of the exe. notepad that has the exact setup of this what starts as a virus situation. It erases all tracks of the virus and all the installs so you wont know its there. Look at the Monkey virus & the Terror virus i think this is the same guy. you can scan ans scan but you wont find a virus it has them in encrypted zips. one is called Mirror. it releases it if you find start looking to hard for what is going on. you can use a Linux boot cd and run klamAv it will remove about 90-150 encrypted zips and the arcbomb.zIq...worm.Kido-182...adware.comet...exploit.js-7...Trojan.spy and so on it has all sorts that you download during your so called visit to m updates. the file it has for that is call microsoft updates\Hell in the windows system system32 folder. you can tell if you have it if you explore the c drive and find these new folders called "recycler" system volume that is access denied and look in you user files you have several hidden folder with all sorts of new users. If anybody know how to get ride of this hidden partition please let me know. I have 26 computer waiting to be repaired. each one of the computer owners say they have all sorts of fraud activity on there credit cards for world of war craft and small stuff like that online purchases. email me at email@example.com for more info
You've Responded To A 4 Year Old Post
The person you've responded to hasn't visited here in quite a long time and I doubt they will respond.... Besides, the issue discussed in this thread was NOT about virus or malware.. It's a common user profile listed on Windows 2000 machines when certain programs are installed. (On the other hand, if there is an error message about "NT AUTHORITY\SYSTEM" popping up frequently, then malware is certainly a good possibility.)
Just a note: It's not wise to place your email address on a public forum as this.. You're just asking for SPAM.
Hope this helps.
Hi. I've been dealing with this for years, off and on. Nothing I've done has worked. I'm self taught as far as using a computer. Unfortunately, I'm not a very good teacher. The message from the guy before me cracks me up. Maybe he doesn't see the irony of his post.
NT manges to evade or actually control certain aspects of every anti-virus or malmare program I throw at it. I use Revo as an uninstaller. It's good. Programs that i tought were gone will sometimes show up in Ccleaners uninstall list or Spybots'. IObit 360s' (which first alerted me to the fact that Gateway was preloading trojan downloaders as junkware , tapping my computer through Word) Passive security is constantly being manipulated, dropping certain blocks or whole catagories. Now it's set up to appear that its doing the job it used to do. Spybots installs get quirky, like they're being blocked. Once you get them installed, their block lists are almost reversed, inviting those sites in. Aviras' safeguard against USB auto downloads gets turned off. The same is true as far as Aviras' warning about going on line as an administrater. Windows updates for XP3 are unnecessary for security according to Secunias CSI scan (I think Microsofts' been leaving their back doors open and switching when they see the wrong traffic coming through). Funny that you can download Microsofts' Security program online for free, yet it doesn't come prepacked in the initial system. The list goes on and on with endless permutations depending on what combination of software is involved. Mwanwhile, there's always some kind hearted guru telling the sheep the old "move along, move along. There's nothing to see..." routine.
Anyway, i alraedy had problems with my Chinese frieinds. Were you able to resolve your issues?
i remember that test. Mbe thats' how they target, like the germanz tilting picture frames.
Iv' been through this same, nightmarish ordeal and am self taught at computer troubleshooting. I think being a natural troubleshooter helped me recognize all the red flags instead of writing off things that looked legit but clearly were not as they seemed. One thing you did not mention, as everything else was right on point, is removing the mb battery as I beleived the kb was compromised and this kept this disease storedhidden in bios. Removing battery and booting into linix or virtual xp off a boot cd and reformatting all drives with secure wipes before ever booting back into windows seemed to do the trick. Key was definately removin battery
I don't know how, maybe malwere bytes, but this got installed. Now, it takes 5 hours to start up my other computer, and if I start it up regularly, It will take me 5 hours, then say NT AUTHORITY\SYSTEM has initiated a shutdown. Then a 1 minute timer starts. Please help me!
I can't do everything I need in Safe Mode With Networking!
I've seen this old worm come back to folk that reinstall the OS.
Since there are many SOLVED discussions at http://duckduckgo.com/?q=NT+AUTHORITY\SYSTEM+has+initiated+a+shutdown
My question is why didn't you use those or start a new and complete new post with all the details?
Also, I can understand if you never encountered this old worm before but it's still out there.
it's the computer itself
NT AUTHORITY\SYSTEM is the computer itself, and it has 100% access to the computer, even more than an administrator does, and also, i know a hack to become SYSTEM:
1. Start command line
2. Enter: AT (TIME) /INTERACTIVE cmd.exe
Note: Replace (TIME) with the current time plus one minute in format HH:MM
3. Wait one minute
4. If done correctly, a second command line should appear
5. On the second command line, enter:
6. TASKKILL /F /IM Explorer.exe
7. START Explorer.exe
You are now SYSTEM! for proof, click start and look at your user name.
To return to your user, repeat steps 6-7 on the first command line.
If you closed the first command line, you can also switch back by logging off, (not switching user, actually logging off)
then log back into your account.
Oh, and in case you are wondering, i am in the SYSTEM user right now!
Total posts: 22 (Showing page 1 of 1)