In today's Internet age, network security is an important issue: attackers are growing more capable, and our private information is ever easier to crack and leak. Understanding how a simple hidden account is created gives us more insight into keeping that information secure, so let's look together at how hidden accounts are made.
1. Create a simple hidden account
When you create a user account, appending the $ symbol to the user name creates a simple hidden account, for example "test$".
Such an account is not shown by the net user command at the command line, but it is still visible under Local Users and Groups in the graphical interface.
When attackers break into a host they generally look for a way to leave themselves a back door, and adding an account to the Administrators group is a common technique. Because an account whose name ends in "$" is easy to spot, some instead work on the account's display name, choosing one that looks like a system account to confuse administrators, such as admin, sysadmin, gates or root. Another approach is to elevate an account from an ordinary user group into the Administrators group, for example adding the Guest account to Administrators. So if we find an extra account in the Administrators group, an ordinary-group account that has been elevated, or an account whose name ends in $, we should suspect that the computer may have been compromised.
2. Security Identifier SID
In Windows, the system creates a unique security identifier (SID) for each user account. At its core, Windows uses the SID rather than the account name to represent and identify each user.
A SID is generated from the account's creation time and user name, so it is unique and is never reused. Even if you delete a user account and then add a new account with the same name, the SID will differ, and the new account will not have the permissions of the original one.
For example, suppose a new user named Bob with password 123 logs on, creates a text file Test.txt and encrypts it with EFS. Switch to the administrator, delete the Bob user, and create a new Bob user, again with password 123. When you log on as the new Bob, you cannot open the encrypted file Test.txt, because the user's SID has changed.
You can view the SID of the current user by running the command whoami /all:
A complete SID is made up of several parts; the last part is called the relative identifier (RID). The SID with RID 500 is the built-in Administrator account: even if the account is renamed, its RID stays 500, and many attackers locate the real built-in Administrator account through this RID. The SID with RID 501 is the Guest account. Newly created user accounts start at RID 1000, so the SID with RID 1015 belongs to the 15th user account the system created.
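As an added defender-side check that is not part of the original article, the following PowerShell (assumed to run in an elevated session on Windows 10 / Server 2016 or later, where the LocalAccounts cmdlets exist) lists every local account with its RID and flags the cases sections 1 and 2 describe: a renamed RID-500 Administrator, an enabled or elevated Guest, a $-suffixed name, and a created account placed in the Administrators group.

```powershell
# Added example, not from the original article: audit local accounts by RID, not by display name.
# Assumes an elevated PowerShell 5.1+ session with the LocalAccounts module available.

# SIDs of user accounts that are direct members of the local Administrators group
$adminSids = @(Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $_.ObjectClass -eq 'User' } |
               ForEach-Object { $_.SID.Value })

$report = foreach ($u in Get-LocalUser) {
    # The RID is the last sub-authority of the SID string, e.g. S-1-5-21-...-500 -> 500
    $rid     = [uint32]($u.SID.Value.Split('-')[-1])
    $inAdmin = $adminSids -contains $u.SID.Value
    $notes   = @()

    # RID 500 is always the built-in Administrator, whatever it has been renamed to
    if ($rid -eq 500 -and $u.Name -ne 'Administrator') { $notes += 'built-in Administrator under another name' }
    # RID 501 is Guest; it should normally be disabled and never sit in Administrators
    if ($rid -eq 501 -and ($u.Enabled -or $inAdmin))    { $notes += 'Guest enabled or elevated' }
    # A trailing $ hides the account from "net user" but not from the SAM
    if ($u.Name.EndsWith('$'))                          { $notes += 'name ends in $ (hidden from net user)' }
    # RIDs from 1000 upward are created accounts; one of these in Administrators deserves a look
    if ($rid -ge 1000 -and $inAdmin)                    { $notes += 'created account in Administrators' }

    [PSCustomObject]@{
        Name             = $u.Name
        RID              = $rid
        Enabled          = $u.Enabled
        InAdministrators = $inAdmin
        Notes            = ($notes -join '; ')
    }
}

$report | Sort-Object RID | Format-Table -AutoSize
```

Rows with an empty Notes column are the expected built-in and ordinary accounts; every other row is worth comparing against your change records.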
3. Create a fully hidden account
Below we create a completely hidden user account by forging the user's SID, which is done by modifying the registry.
Start by creating a simple hidden account "super$", then expand the registry key [HKEY_LOCAL_MACHINE\SAM\SAM]. By default it appears empty, because the user has no permissions on it. From the right-click menu of this key, grant the administrator user Full Control.
Then press F5 to refresh; two more subkeys now appear inside.
The [SAM\Domains\Account\Users\Names] key lists every account currently in the system. Select super$: on the right is a value named "(Default)" whose Type shows "0x3eb". This "3eb" is the last part of the super$ user's SID, the RID, written in hexadecimal (3eb converts to 1003 in decimal).
Under [SAM\Domains\Account\Users] there is a subkey whose name ends in "3EB"; it holds the information about the user super$.
Right-click each of these two keys and choose Export to save each of them to a registry file with the .reg extension.
Then delete the super$ user and refresh the registry again; the two keys are now gone.
Now import the two registry files you just exported. The super$ account information is back in the registry, but the account is completely hidden: it is not visible on the command line or in the graphical interface.
This hidden account can be used to log on to the system, but the drawback is that a user profile is still generated for it, so the account is processed further to make it completely hidden.
Expand the registry key above again, locate the Administrator user's RID value "1f4", expand the corresponding "000001F4" subkey, and on the right find the value named F, which holds the user's SID. Copy all the data of this value and paste it into the F value of the "000003EB" subkey. This copies the administrator's SID to super$, so that within the operating system super$ is actually treated as the administrator: super$ becomes the administrator's shadow account, no longer uses a separate user profile, and is thus completely hidden.
Creating hidden accounts is a favourite way for attackers to leave a back door, and it is very covert: a hidden account like the one above can only be found through the registry.
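Since a shadow account of this kind only shows up in the registry, here is an added SAM audit script that is not part of the original article; it assumes it runs as SYSTEM (HKLM\SAM\SAM is unreadable even by administrators unless its permissions were changed as in the walkthrough), for example from a SYSTEM scheduled task, and relies on the SAM layout used by common hive parsers: the RID is a little-endian DWORD at offset 0x30 of the F value, and the account name's offset (relative to 0xCC) and length sit at offsets 0x0C and 0x10 of the V value.

```powershell
# Added example, not from the original article: audit the SAM hive for cloned ("shadow") accounts.
# Run as SYSTEM. Offsets follow the SAM layout used by common hive parsers:
#   F[0x30..0x33] = RID the OS uses for this account
#   V[0x0C] = username offset (add 0xCC), V[0x10] = username length in bytes (UTF-16LE)
$usersPath = 'HKLM:\SAM\SAM\Domains\Account\Users'
$listed    = @(Get-LocalUser | ForEach-Object { $_.Name })   # what normal tooling enumerates

$findings = foreach ($key in Get-ChildItem $usersPath | Where-Object { $_.PSChildName -ne 'Names' }) {
    $f = $key.GetValue('F'); $v = $key.GetValue('V')
    if (-not $f -or -not $v -or $f.Length -lt 0x34 -or $v.Length -lt 0xCC) { continue }

    $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)   # subkey name, e.g. 000003EB -> 1003
    $fRid   = [BitConverter]::ToUInt32($f, 0x30)           # RID embedded in the F value

    $nameOff = [BitConverter]::ToUInt32($v, 0x0C) + 0xCC
    $nameLen = [BitConverter]::ToUInt32($v, 0x10)
    $name = if ($nameOff + $nameLen -le $v.Length) {
        [Text.Encoding]::Unicode.GetString($v, $nameOff, $nameLen)
    } else { '<unparsed>' }

    [PSCustomObject]@{
        Name        = $name
        KeyRid      = $keyRid
        EmbeddedRid = $fRid
        Cloned      = ($keyRid -ne $fRid)           # F copied from another account (shadow account)
        DollarName  = $name.EndsWith('$')           # simple hidden account
        Unlisted    = ($listed -notcontains $name)  # in the hive but not returned by Get-LocalUser
    }
}

$findings | Where-Object { $_.Cloned -or $_.DollarName -or $_.Unlisted } | Format-Table -AutoSize
```

A row with Cloned = True and EmbeddedRid = 500 is exactly the super$ case from the walkthrough: a subkey whose own RID differs from the RID it carries in F.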