Incomplete parsing of WINDOWS User Accounts

Source: Internet
Author: User

Note: editing user entries in the registry can corrupt system permissions and create all sorts of security risks, so we strongly recommend testing on a virtual machine. Experts, please skip everything above.
 
First, you need to know that user account information is stored in the registry under HKLM\SECURITY\SAM. HKLM\SAM is a mirror of HKLM\SECURITY\SAM, permissions included, and editing either one has the same effect. The corresponding file on disk is the SAM file under %systemroot%\system32\config\. You can dump that file from a local session with a tool such as IceSword, or copy it out from a DOS or PE environment.
 
By default no user other than SYSTEM has any permission on these keys. So before doing anything, right-click any of the keys above, choose Permissions > Add, add your own username, click OK, tick Full Control, click OK, press F5 to refresh, and you now have full control and can continue with the next step.
 
Two keys matter: HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\Names and HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users. Anyone with basic security knowledge knows that each subkey name under Names corresponds to an account on the system, and that the type of the default value under each subkey (shown by regedit as a hex number) is the account's unique identifier; with that identifier you find the subkey under Users whose name is that number in hex. That subkey holds two values, F and V, which together record everything about the account.
 
F value: records permissions, group membership and similar content. It is what you need for cloning an account's permissions and for creating hidden accounts.
V value: the more important of the two. It records the account name and full name, and above all the encrypted password value.
There is also a curious value, UserTile, which I only recently noticed: the first part is the hex of a BMP image and the rest is the path of that image in Unicode (why the designers store the path when the image bytes are already saved, I really don't know...). In short, it is basically useless.
 
Having read this far, anyone with a keen nose will have guessed what the two values are good for. Yes: the F value is used to escalate privileges and the V value to crack passwords. The method boils down to one word: overwrite.

Take the classic way of creating a hidden account as an example. Run net user hacker$ 123456 /add, open the registry and find the account's identifier, say 0xef9. Export the hacker$ subkey under Names as hack.reg, export the subkey 00000ef9 under Users as hack2.reg, and export any enabled administrator account (if the built-in Administrator is not disabled, export subkey 000001f4; use "net user username" to check an account's details) as admin.reg. Open hack2.reg and admin.reg in Notepad, copy everything from "F"= up to (but not including) "V"= in admin.reg, and paste it over the same part of hack2.reg. Run net user hacker$ /del, then double-click hack.reg and double-click hack2.reg. The hacker$ account is now hidden: net user, Computer Management > Local Users and Groups, and User Accounts no longer show it.
 
(The main side effect of overwriting the F value is that %userprofile% data such as the desktop is shared with the account whose F value you imported, because no profile of its own is created under Documents and Settings (XP, 2003) or Users (Vista, Win7, 2008). This is undoubtedly useful.)
 
If you forget your logon password (or have a "special" need), boot from a PE disk, open the registry editor and load the SAM hive (see the path above, under the %systemroot% of the installed system), overwrite the V value of the user who forgot the password with the V value of 000001f4 from the PE disk's own SAM, and reboot: the password is now the PE disk's administrator password (usually empty). If you have special requirements, back up the V value first.
A changed password does not take effect until the user logs off. That is, as long as you are logged on, the new password only applies after you log off, whether it was changed by overwriting the V value or with net user. This makes PE disks convenient for obtaining system access illegitimately: get in with the method above, copy the important files (especially EFS-encrypted ones), overwrite the V value, shut down and leave, and nobody is any the wiser.
 
The account's full name: this is an interesting thing. When you add an account with net user and then rename it through User Accounts, the new name becomes the user's full name. You can log on with the full name (you get the same desktop and settings as with the account's original name), and you can also still log on with the old name, but net user cannot find an account by its full name, and you cannot use the full name in permission settings; you have to use the original account name. Apart from giving your account an extra alias, the full name is of no use.
 
An alternative way of adding a "full name" is to export a subkey under Names, for example
[HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\Names\zcgonvl]
@=hex(3f9):
Change zcgonvl to the account name you want, for example hacker$ (preferably ending in $, which hides it from net user)
Change hex(3f9) to the unique identifier of the account that should receive the extra name, for example 1f4
Save the file, double-click it to import, log off and log on as hacker$. Check the result!

(An account cloned this way is fully visible in Management > Local Users and Groups, but it cannot be deleted if it was copied from one of the special accounts such as 1f4 and 1f5.)
Because this account depends entirely on the account it was given as a "full name", the clone changes whenever that account's permissions, logon method or password change, so its practical value is very low.
 
Remember two important unique user identifiers: 0x1f4 and 0x1f5. The former is the Administrator and the latter the Guest account; copying the F value of 0x1f4 over 0x1f5 is a common backdoor (though a rather crude one...).
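Both tricks described above leave traces a defender can look for offline: an F value copied from another account still carries that account's identifier, an extra Names entry points at an identifier that already has a name, and a full name equal to another account's logon name makes logon ambiguous (the zzz/zxc experiment below). The following audit is an added example, not code from the original article. It assumes the publicly documented layout of the SAM hive, not stated on this page: the V value starts with a 0xCC-byte table of 12-byte (offset, length, flags) entries whose offsets are relative to the end of that table, entry 1 being the logon name and entry 2 the full name in UTF-16LE, and the F value stores the account's RID as a little-endian DWORD at offset 0x30. All sample F and V bytes are constructed in the block itself.

```python
"""
Offline audit of SAM user entries for cloned F values, duplicate Names
entries and full names that shadow another account's logon name.
"""
import struct

# Layout assumptions (public SAM hive documentation, not from the article).
V_HEADER_LEN = 0xCC        # 17 entries x 12 bytes; string offsets are relative to this
V_USERNAME_ENTRY = 1       # entry holding the logon name
V_FULLNAME_ENTRY = 2       # entry holding the full name
F_RID_OFFSET = 0x30        # little-endian DWORD RID inside the F value


def parse_v(v: bytes) -> dict:
    """Extract logon name and full name from a V value."""
    def field(index: int) -> str:
        off, length = struct.unpack_from("<II", v, index * 12)
        start = V_HEADER_LEN + off
        return v[start:start + length].decode("utf-16-le")
    return {"username": field(V_USERNAME_ENTRY), "fullname": field(V_FULLNAME_ENTRY)}


def parse_f(f: bytes) -> int:
    """Return the RID embedded in an F value."""
    return struct.unpack_from("<I", f, F_RID_OFFSET)[0]


def audit_users(users: dict) -> list:
    """users maps a Users subkey name such as '000001F4' to {'F': bytes, 'V': bytes}.
    Returns findings as dicts with key, user, issue and detail."""
    findings, parsed = [], {}
    for key, values in users.items():
        key_rid = int(key, 16)
        f_rid = parse_f(values["F"])
        names = parse_v(values["V"])
        parsed[key] = names
        # A copied F value still carries the RID of the account it came from.
        if f_rid != key_rid:
            findings.append({"key": key, "user": names["username"], "issue": "RID_MISMATCH",
                             "detail": f"F value carries RID 0x{f_rid:x}, key is 0x{key_rid:x}"})
    by_logon = {n["username"].lower(): k for k, n in parsed.items()}
    for key, names in parsed.items():
        full = names["fullname"].lower()
        # A full name equal to another account's logon name makes logon ambiguous.
        if full and full in by_logon and by_logon[full] != key:
            findings.append({"key": key, "user": names["username"], "issue": "FULLNAME_COLLISION",
                             "detail": f"full name {names['fullname']!r} matches logon name of {by_logon[full]}"})
    return findings


def audit_names(names: dict) -> list:
    """names maps each Names subkey to the RID stored as the type of its default value.
    Returns (rid, [names]) for every RID claimed by more than one name."""
    by_rid = {}
    for name, rid in names.items():
        by_rid.setdefault(rid, []).append(name)
    return [(rid, sorted(ns)) for rid, ns in sorted(by_rid.items()) if len(ns) > 1]


# --- constructed sample data (not real hive contents) -----------------------
def build_v(username: str, fullname: str) -> bytes:
    """Build a minimal V value with only the two name entries populated."""
    header, data = bytearray(V_HEADER_LEN), bytearray()
    for index, text in ((V_USERNAME_ENTRY, username), (V_FULLNAME_ENTRY, fullname)):
        encoded = text.encode("utf-16-le")
        struct.pack_into("<III", header, index * 12, len(data), len(encoded), 0)
        data += encoded
    return bytes(header + data)


def build_f(rid: int) -> bytes:
    """Build a minimal F value carrying the given RID."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, F_RID_OFFSET, rid)
    return bytes(f)


SAMPLE_USERS = {
    "000001F4": {"F": build_f(0x1F4), "V": build_v("Administrator", "")},
    "000001F5": {"F": build_f(0x1F4), "V": build_v("Guest", "")},       # F copied from 1f4
    "00000EF9": {"F": build_f(0x1F4), "V": build_v("hacker$", "")},     # hidden-account clone
    "000003E9": {"F": build_f(0x3E9), "V": build_v("zzz", "zxc")},      # full name shadows zxc
    "000003EA": {"F": build_f(0x3EA), "V": build_v("zxc", "")},
}
SAMPLE_NAMES = {"Administrator": 0x1F4, "Guest": 0x1F5, "hacker$": 0xEF9,
                "zzz": 0x3E9, "zxc": 0x3EA, "zcgonvl": 0x1F4}            # extra Names entry for 1f4

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print(f"{finding['key']} {finding['user']:<14} {finding['issue']}: {finding['detail']}")
    for rid, names in audit_names(SAMPLE_NAMES):
        print(f"RID 0x{rid:x} claimed by {', '.join(names)}")
```

On a real system the F and V bytes and the Names entries would be read from an offline copy of the SAM hive with a hive parser; the checks themselves are unchanged. The RID comparison is the cheapest of the three, because a cloned F value cannot hide which account it came from without also being edited.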
 
Another interesting thing about full names: create an account zzz with net user, rename zzz to zxc in User Accounts, then create a new account named zxc with the password zxc and log off. The results left me speechless:
1. Username zzz, password zzz: logs on successfully. Created a zzz text file on the desktop as a marker.
2. Username zxc, password zxc: logs on successfully. Created a zxc text file on the desktop as a marker.
3. Username zxc, password zzz: logs on successfully, the zzz file is on the desktop, and whoami reports zzz.
 
In conclusion, the system resolves an account in the following order:
1. Compare the logon name with all the user names under Names and with the full name in every V value. If nothing matches, an error is returned.
2. A name found under Names gets its permissions from the user's unique identifier; a name found as a full name in a V value directly uses the permissions of the corresponding F value.
3. If a user name conflicts with a full name, the password decides which account is logged on.
 
 
Next, user groups. There is little information online about how groups are stored in the registry, so what follows is entirely my own research and errors are inevitable; if you find one, please correct me.
 
All group information lives under HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Builtin\Aliases\ (so a group is an "alias" inside the domain? Odd naming...). Groups you create yourself go under HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Aliases (if VMware is installed you will see a __vmware__ group there).
The layout is similar to that of accounts: the subkey names under Names are the group names, the type of the default value under each subkey is the group's unique identifier, and the subkey named after that identifier is found under the parent key. The C value under it records the group's various permissions. Because group permissions are too opaque, I did not research them further. The only finding is that the overwrite method still works: overwrite the C value of Guests with the C value of Administrators and every user in Guests gets the permissions of Administrators. Changing the type of the Guests key to 0x220 has the same effect as overwriting the C value.

Key group unique identifiers: 0x222, 0x..., 0x..., corresponding to administrators, users and guests respectively.
 
Another interesting thing: even after removing the SYSTEM permissions on HKEY_LOCAL_MACHINE\SECURITY and HKLM\SAM, accounts can still be added and registry values still get written. The permission handling is confusing.
 
 
Two additional points:

1. On password replacement: it is preliminarily confirmed that the Windows password encryption takes a form like hash(sid, pwd), where sid is the user's unique identifier and pwd the password; the account name plays no part.

So when replacing a password, make sure the sid is the same; otherwise you cannot log on even after replacing the V value.
2. The sid is allocated by the system, but you can do the following yourself (tested on WinXP SP3; since the SAM layout in the registry is the same from Windows 2000 on, it almost certainly works elsewhere too).


Method: create an account with an empty password and export its V value. Export the F value of Administrator (make sure the account is enabled and has no logon restrictions and so on, to avoid trouble; if unsure, create an account and add it to the Administrators group, though that is still not ideal because it does not share Administrator's desktop).
Create a new registry file with the following content:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\Names\zcgonvl]
@=hex(FFF):
[HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\00000FFF]
"F"=hex:
"V"=hex:

Replace zcgonvl with the username you want, FFF with the desired sid, V with the V value of the empty-password account and F with the F value of the Administrator account. Then double-click the file to import it.
Finally, open cmd and run net user zcgonvl 123456 to "activate" the account. (This is a strange thing: if you skip this step the account cannot be found, yet the step only changes the V value and nothing else. Also, do not add /add.) Reboot and check whether you can log on. If you can, you can export that V value to overwrite other accounts.
 
The sid allocated by the system is indeed unique, but it can also be set by hand, including for groups.
System allocation appears to simply add 1 each time (for example, if the highest sid is 3FF, then even after deleting every account down to 1f4 and 1f5, the next account you create still gets sid 400). There should be a key value (or a file?) holding that counter, but I have not found it. If it is found, there may be a way in from the system side (or from EFS: the EFS encryption parameters must include the sid, though apparently not the password; to be verified).
 
