Runas

Windows Credential Manager

Windows Credential Manager is a Windows built-in password manager that holds all the stored credentials. It can be access by visiting "Control Panel -> User Accounts -> Credential Manager". In command line, it can be accessed by the cmdkey command:

cmdkey /list

If Administrator's stored credential is found, we can call runas.exe to get a SYSTEM shell.

Runas

Call runas.exe to get a SYSTEM shell if Administrator's stored credential is found in Windows Credential Manager:

C:\Windows\System32\runas.exe /savecred  /user:<username> /profile "C:\Windows\System32\cmd.exe"