When deleting a user, the system reports that this operation cannot be performed on a built-in account
After breaking into a server, hackers generally add new users or install backdoor programs.
If, while administering the server, you find that an account cannot be deleted in the normal way and the system reports that this operation cannot be performed on a built-in account,
treat it as a sign that your server may have been intruded.
Hackers generally call accounts added in this way "zombie accounts" (also "undead accounts").
First, let's look at how an undead account is created.
1. The hacker puts the guest user in the Administrators group. When the administrator logs on and tries to remove the guest account from the Administrators group, saving the change fails with the prompt "the user cannot run this operation on the built-in account".
(Accounts that come with the system cannot be deleted; they can only be disabled. The trick relies on the fact that guest cannot be deleted.)
Solution: remove the account's membership of the Administrators group and disable the account.
2. On another server that also runs the 2003 system, find HKEY_LOCAL_MACHINE\SAM in the registry, right-click it and select Permissions in the pop-up menu (on Windows 2000, run regedt32, find HKEY_LOCAL_MACHINE\SAM and select Security > Permissions).
Then add the user you are logged on as and select Full Control. Refresh to view the keys under SAM. Go to the 000001F5 key, which corresponds to the guest account, right-click it, export it and save the file under any name.
Copy the saved file to the hacked machine and double-click it to import it into the registry.
(You can copy and save the following values)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,7f,00,00,00,00,00,00,00,00,\
  f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,b1,d4,61,f5
"V"=hex:00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,0a,00,00,00,00,00,00,\
  00,bc,00,00,00,00,00,00,00,00,00,00,00,bc,00,00,00,22,00,00,00,00,00,00,00,\
  e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,\
  00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,\
  00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,\
  00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,\
  08,00,00,00,01,00,00,00,e8,00,00,00,04,00,00,00,00,00,00,00,ec,00,00,00,04,\
  00,00,00,00,00,00,00,f0,00,00,00,04,00,00,00,00,00,00,00,f4,00,00,00,04,00,\
  00,00,00,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,\
  00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\
  00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\
  00,4c,00,03,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
  00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\
  01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,\
  00,00,00,20,02,00,00,47,00,75,00,65,00,73,00,74,00,00,00,9b,4f,65,67,be,5b,\
  bf,8b,ee,95,a1,8b,97,7b,3a,67,16,62,bf,8b,ee,95,df,57,84,76,85,51,6e,7f,10,\
  5e,37,62,97,7b,01,02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,01,00,01,00,\
  01,00,01,00
Now you can open account management and remove the guest account from the Administrators group.
The above solution is feasible. With the first method, a disabled guest account may be re-enabled by hackers, and a guest account in the Administrators group is too conspicuous.
Another method is to delete the guest account from the registry. However, the guest account is useful in special cases, so we do not recommend deleting it. If you delete it directly from the registry, a security-related error will pop up each time you reopen account management in Computer Management.
Therefore, you must back up the corresponding keys before making changes to the registry, so that the registry can be restored if necessary.
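As an added example (not part of the original article), this Python check inspects an exported Users key before it is imported into SAM: it confirms that the RID stored in the F value matches the key name and that the account is flagged as disabled. The offsets 0x30 (RID) and 0x38 (account control flags) follow the commonly documented but unofficial layout of the F value and are an assumption, as is the function name check_sam_export; the input is the .reg text already decoded to a string.

```python
import re
import struct

# F value of the 000001F5 (guest) key, copied from the export shown in this article.
PAGE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,7f,00,00,00,00,00,00,00,00,\
  f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,b1,d4,61,f5
'''

RID_OFFSET = 0x30      # assumed offset of the account RID inside F
ACB_OFFSET = 0x38      # assumed offset of the account control flags inside F
ACB_DISABLED = 0x0001  # "account disabled" bit


def check_sam_export(reg_text):
    """Compare the RID in the key name with the RID in F and read the disabled bit."""
    text = reg_text.replace("\r\n", "\n").replace("\\\n", "")  # join continuation lines
    key = re.search(r"\\Users\\([0-9A-Fa-f]{8})\]", text)
    fval = re.search(r'^"F"=hex:([0-9A-Fa-f, ]+)$', text, re.M)
    if not key or not fval:
        raise ValueError("not a SAM Users key export with an F value")
    data = bytes(int(b, 16) for b in fval.group(1).replace(" ", "").split(",") if b)
    if len(data) < ACB_OFFSET + 2:
        raise ValueError("F value is too short")
    (f_rid,) = struct.unpack_from("<I", data, RID_OFFSET)
    (acb,) = struct.unpack_from("<H", data, ACB_OFFSET)
    key_rid = int(key.group(1), 16)
    return {
        "key_rid": key_rid,
        "f_rid": f_rid,
        "rid_matches": key_rid == f_rid,  # False: file describes another account
        "disabled": bool(acb & ACB_DISABLED),
    }


if __name__ == "__main__":
    print(check_sam_export(PAGE_EXPORT))
```

Import the file only if rid_matches and disabled are both true; anything else means the export is not the clean, disabled guest entry the procedure expects.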
Security measures:
1. Disable the guest account.
2. Rename the guest account and administrator account to a custom name.
3. Reset a complex password for the administrator account.
4. Check for system vulnerabilities and install patches.