Questions about the Windows System shadow account

Before this, you need to know a few questions, one is SID, one is the F value of the account.

SID for Windows account

In a Windows system, a unique security identifier is established for each user account, and in the internal core of the Windows system, the IDENTIFIER,SID is used to represent or identify each user using the SID rather than the user's account name. SID Integrated user account creation time and user name and other information created, and thus is unique, and will not be reused, the common saying that Windows account SID equivalent to the identity card number, can uniquely identify a system user identity.

The F value of the user account in the registry is the SID number of the user above.

A "shadow account" is literally a user who is attached to a particular built-in user and cannot be viewed through User Manager and net user commands, an easy way to create an account created with net user Zhangsan $ so that the account created cannot use the net user command to view, but you can see the end-of-account in User Manager.

The other is a full shadow account that cannot be viewed either from Windows User Manager or by using net user, as follows:

1, use the Net user command to create a hidden account, here Zhangsan for example.

2. The F value of the Administrator account is overwritten with the F value of zhangsan$

3. Export zhangsan$ account information and SID information.

4. Delete the created account zhangsan$

5. Import the account information of the exported zhangsan$ to the registration form.

6, restart the computer, using zhangsan$ login system, view the current login account

7, shadow account scanning, as follows:

Questions about the Windows System shadow account