No, it is not a requirement that it be a SYSTEM account but, that is the ideal type of service to exploit because once you exploit the app your code will run under the same security context as the application you are exploiting. So, having SYSTEM access is as good/better than an Admin, where as if the app was running as a user you would be limted to operations that user has permissions for, which is not as cool as SYSTEM but can probably be leveraged for greater access later. I would suggest using srvany.exe to register your dummy program as a service. Once you register it as a service you can either run it as SYSTEM or any account you specify and play with it from there. Have fun.


-Maestr0