The final part of the clone account

Preface: I believe everyone has used clone accounts. Whether using tools or manually, cloning an account is undoubtedly the best option to hide an account. However, reading articles on the internet is especially troublesome. In this way. Actually, it is very easy to clone an account. Is to copy the administrator's registry key. This article is intended for users who have already used a clone account. I will only describe the cloning principles and methods. I hope to inspire you.
Principle: our accounts have their corresponding key values in the registry, for details, see "[HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers". The administrator entry is "000001F4". There are two binary values: "F" and "V ". Generally, I cloned all the Guest users, so I will use this clone user as an example. The methods for cloning other users are the same. The Guest item is "000001F4 ". The items corresponding to other users can be viewed under "[HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames. All we need to do is copy the "F" and "V" values under "1F4" to the corresponding values under "1F5. This is what we call the clone account.
1 simple clone:
A. Principle: only copy the "F" value. In this way, the cloned account is less concealed than the fully cloned account (which will be mentioned later), but it is more convenient for you. If the zombie administrator is not too powerful, we recommend that you use this method. In this way, if the cloned user logs on to the system, all the desktops used are administrator files. That is to say, the files "C: Documents and SettingsAdministrator" in the system are the same as those in admin. Instead of the previous "C: Documents and SettingsGuest ". However, in the "query user" and "Terminal Service Manager", the user you log on to is still "Guest", and the command "net localgroup administrators" still shows that Guest is the administrator, this is what I call concealment lower than full cloning. However, in net and user management, there is no problem with Guest users.
B. Specific Method: No matter what method you use, depending on your personal habits, use the "system" permission to open the "Registry ", I like to use the psu Command Format psu-p regedit-PID. here we will explain that the PID is the value of winlogon IN THE SYSTEM process. then open [HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers00001F4] to open his "F" value and copy it to the "F" value of "1F5. Then, change the password (net user Guest password) to guest under CMD. END
2. Full clone
A. Principle: Copy "F" and "V" values. In this way, the cloned two accounts are actually one account in the system, which is the most concealed. Unless viewed with professional tools, they are in the net and user management, "net localgroup administrators" does not show any problems. The most important thing is that after you log on to the console, "administrator" is displayed on the "query user" and "Terminal Service Manager", which is not fun. :) So that we can achieve the goal of super concealment. Here, I want to explain that if you use this clone method to log on to the account, you actually log on to the administrator interface. That is to say, if the administrator is using 3389 to log on, and you are also using the clone account to log on, you will log on to a session !! In theory, you can also see what you do, because the two of you are in the same session! (The operator can see this. In theory, I am not sure because I have no conditional experiment. I hope that qualified friends can experiment and tell me the result, thank you ). What I mean is inconvenient. You want to log on to 3389, and the Administrator is logging on to 3389. Then you will see each other. However, if 3389 is enabled by you, and the Administrator does not remotely log on to the server, it will be nice. Your session is not one. In addition, if you use the clone method to log on to the cloned account, you can log on to two different accounts instead of a session.
B. Specific Method: The method is the same as that of simple clone. The difference is to copy all "F" and "V" values. You can also export the items of [HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers00001F4] directly. Edit the exported registry file, change "000001F4" to "000001F5", and import it to him. Then, in CMD, it is easy to change the password for Guest (net user guest password!
3. I want to help you. Speaking of this, I would like to say a few more words. I often see users who create an Administrator group after they intrude into a server. It seems that when the Administrator does not exist, alternatively, you can get an account that spoofs your Admin $ account. What I want to say is that the Administrator is not a fool. Although the account with "$" cannot be seen in "net user", it can be clearly put in the user management in Computer Management. If you want your zombie to stay for a long time, you will be smart. I also want to say a few words to the administrators. Now everyone's security awareness has been improved. They all know what to patch in time and what special changes to password settings. However, you have neglected the security of third-party software. For example, the SQL IIS Server-u is very harmful. I think that computer security can be divided into three aspects. The first is system security, which can be solved through a few patches. The second is security settings. You have a solid system, but you have got an empty password and won't laugh at the hackers. In this regard, you just need to change the abnormal password, but I want to remind you that you can set the abnormal password, but do not write a text to prevent you from remembering it, put all the passwords in it. I learned that a machine was built through a third-party software vulnerability. After entering the machine, I looked at the east and west of another disk and looked at a pass.txt file. I naturally opened it and saw the master server and route password of their entire network !! I am also dizzy with abnormal passwords. Later, I learned which machine is a network management machine. In fact, his protection is still very strict, and there are no system vulnerabilities. Later I learned that all his passwords are extremely abnormal, it seems impossible for me to destroy the Earth. :) If there is no third-party software vulnerability, I cannot get in. So I want to talk about the security of third-party software. In fact, I think security settings can be integrated with third-party software. Many third-party software vulnerabilities are discovered through insecure settings. For example, if the SQL SA has a blank password and the SA has a high permission, the SYSTEM permission is directly used for connection. In addition, it is best to use the latest version of the software. For example, server-u. This is also my habit. Everything is the latest version.
4. It may be annoying to everyone. Someone should have throttled the eggs at Roman. Come to me if you have any questions.