    Function Run_Sys_Cmds(arrayCmds As Variant, visibility, wait_on_execute)
        ' Write a VBScript launcher and the batch file it runs into %TEMP%
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set systemCmd = fso.CreateTextFile(Environ("TEMP") & "\systemCmd.vbs")
        Set batchRun = fso.CreateTextFile(Environ("TEMP") & "\systemBatch.bat")
        systemCmd.WriteLine ("CreateObject(""Wscript.Shell"").Run """ & Environ("TEMP") & "\systemBatch.bat" & """, " & visibility & ", " & wait_on_execute)
        For Each cmd In arrayCmds
            batchRun.WriteLine cmd
        Next
        systemCmd.Close
        batchRun.Close
        ' Create, start and delete a temporary service that runs the launcher.
        ' Run_Cmd and the INVISIBLE/WAIT constants are defined elsewhere (not shown here).
        Run_Cmd "sc create systemCmd binpath= ""%COMSPEC% /c wscript %TEMP%\systemCmd.vbs "" type= own type= interact", INVISIBLE, WAIT
        Run_Cmd "sc start systemCmd", INVISIBLE, WAIT
        Run_Cmd "sc delete systemCmd", INVISIBLE, WAIT
        ' Remove the temporary files
        Kill Environ("TEMP") & "\systemCmd.vbs"
        Kill Environ("TEMP") & "\systemBatch.bat"
    End Function
This version only accepts an array of commands to be processed. I found that it was way too slow to process a large number of commands unless you did it this way. It would be simple to modify to accept a regular String instead, if you wish to change it to use it for one-off commands.
You'd call this with something like:
    Dim syscmd(1) As String
    syscmd(0) = "set && pause"
    syscmd(1) = "ping 127.0.0.1"
    Run_Sys_Cmds syscmd, VISIBLE, WAIT
It executes commands at the SYSTEM level by creating a service that will run your command for you. Unless you specify otherwise, services always run as the SYSTEM account. Creating services is only possible if you have Administrator-level privileges on the system, so I really only find this useful to get around locked files or antivirus.
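Because the service is deleted right after it runs, the durable trace is the install record (System log event 7045), not the service list. The following is an added example, not part of the original post: a Python check over constructed 7045-style records that flags SYSTEM services whose binary is a command interpreter or script host. The function name, regexes and sample records are assumptions made for illustration.

```python
import re

# Heuristics for a service ImagePath like the one built by the macro above,
# matching both expanded paths and unexpanded %COMSPEC% / %TEMP% forms.
INTERPRETER = re.compile(
    r'%comspec%|(?:^|[\\\s"])(?:cmd|wscript|cscript|powershell)(?:\.exe)?(?=[\s"]|$)',
    re.I)
TEMP_DIR = re.compile(r'%te?mp%|\\te?mp\\', re.I)
SCRIPT_FILE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1)(?=[\s"]|$)', re.I)

def suspicious_service_installs(events):
    """Return (service name, reasons) for SYSTEM installs that launch an interpreter."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:          # only "service was installed" records
            continue
        if ev.get("AccountName", "").lower() != "localsystem":
            continue
        path = ev.get("ImagePath", "")
        if not INTERPRETER.search(path):
            continue
        reasons = ["interpreter or script host as service binary"]
        if TEMP_DIR.search(path):
            reasons.append("path under a temp directory")
        if SCRIPT_FILE.search(path):
            reasons.append("launches a script file")
        findings.append((ev["ServiceName"], reasons))
    return findings

# Constructed sample records (field names follow event 7045; no real host data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "systemCmd", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\system32\cmd.exe /c wscript C:\Users\alice\AppData\Local\Temp\systemCmd.vbs "},
    {"EventID": 7045, "ServiceName": "systemCmd", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /c wscript %TEMP%\systemCmd.vbs "},
    {"EventID": 7045, "ServiceName": "ExampleUpdater", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Example\updater.exe" --service'},
    {"EventID": 7045, "ServiceName": "ExampleAgent", "AccountName": r"NT AUTHORITY\LocalService",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    {"EventID": 7036, "ServiceName": "systemCmd"},  # state change, ignored
]

if __name__ == "__main__":
    for name, reasons in suspicious_service_installs(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```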
It's on my TO DO list to play with the token-kidnapping exploit for Windows Server 2003/2008 (and supposedly XP2?) that allows any authenticated user to gain SYSTEM privileges. Unfortunately, I haven't had time to play with it yet.