Rights escalation via services or scheduled tasks in Windows

Scheduled tasks and services are often run as accounts with excessive privileges (HP Insight, backups, etc.) instead of limited service accounts. By browsing the tasks under c:\windows\tasks or the services in Computer Management, you can quickly see possible options to escalate your rights. By replacing the actual exe that the service or task runs with an exe of your own, you can spawn a netcat shell. I use a batch file to exe converter and use the batch file to call nc.exe with the correct parameters. *You cannot alter the service or task itself in any way, or you lose the stored credentials. Attached are some screenshots that should illustrate this.
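The misconfiguration described above is easy to audit from the other side: a privileged account (LocalSystem, a domain admin, a backup account) running a binary that low-privilege users can overwrite, or that lives in a directory they can write to. The following PowerShell script is an added example written for this page, not code from the original post. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (for Get-ScheduledTask), is run from an elevated prompt so every service and task is visible, and treats the four listed identities as the "low-privilege" principals that should never hold write access to such a binary; adjust that list to your environment.

```powershell
# Added example (not from the original post): find services and scheduled
# tasks whose executable, or the directory holding it, is writable by
# low-privilege principals. Those are the cases the post describes.
# Assumes PowerShell 5.1+, Windows 8 / Server 2012+, run elevated.

# Identities that should never be able to write a privileged binary.
# Assumption: these four cover "ordinary users" on a default install.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace the file contents.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl')

function Get-ExecutableFromCommandLine {
    # Extract the program path from a service PathName or task action.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        # Quoted path: everything up to the closing quote.
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted path, possibly with spaces and arguments: take the shortest
    # space-delimited prefix that exists as a file on disk.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Test-LowPrivWritable {
    # True if any low-privilege principal holds an Allow ACE with write rights.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic/unnamed right values are handled too.
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Test-ReplaceableBinary {
    # A writable parent directory is as bad as a writable file: the file can
    # be renamed or deleted and a new one dropped in its place.
    param([string]$Exe)
    if (-not $Exe) { return $false }
    $dir = Split-Path -Parent $Exe
    return ((Test-LowPrivWritable $Exe) -or (Test-LowPrivWritable $dir))
}

$findings = @()

# Services: StartName is the account, PathName the full command line.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ExecutableFromCommandLine $svc.PathName
    if (Test-ReplaceableBinary $exe) {
        $findings += [pscustomobject]@{
            Type = 'Service'; Name = $svc.Name; RunsAs = $svc.StartName; Binary = $exe
        }
    }
}

# Scheduled tasks: Principal.UserId is the account, each action has Execute.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = Get-ExecutableFromCommandLine $action.Execute
        if (Test-ReplaceableBinary $exe) {
            $findings += [pscustomobject]@{
                Type = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"
                RunsAs = $task.Principal.UserId; Binary = $exe
            }
        }
    }
}

$findings | Sort-Object Type, Name | Format-Table -AutoSize
```

Every line of the report is a binary that runs as the listed account yet can be swapped out by ordinary users; the fix is to tighten the file and directory ACLs so only administrators and the service account can write there, and to move the service or task to a dedicated low-privilege account (a virtual service account or group managed service account on newer Windows) so that the binary is no longer worth replacing. Tasks whose action is a bare program name such as cmd.exe resolved through the search path are skipped by the existence check and should be reviewed by hand.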

One small issue is the Windows Protection Service, which will not allow you to replace Windows files. See the link below on bypassing this feature. The article mentions that Microsoft claims it's not a security feature but a stability feature, so it can be bypassed without too much drama. (Still need to test this on Windows 2003 SP2, but they tested it on XP SP2.)

http://seclists.org/fulldisclosure/2004/Nov/0290.html

[
mh: screenshots redacted + comment:

We recently bumped into this opportunity on another of Craig's assessments, and instead toyed with a 3rd alternative, i.e. simply injecting the code you need into the scheduled task's memory space, effectively getting your code to run with the scheduled task's privs – Check out the video in the video section
]