2025-02-05 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/02 Report
I. Tricks in the Command Prompt
Creating a hidden account on a production system is not an advanced technique; the "Command Prompt" we use every day is enough to make a simple one.
Click "Start" → "Run", type "CMD" to open the "Command Prompt", enter "net user piao$ 123456 /add" and press Enter; on success, "The command completed successfully" is displayed. Then type "net localgroup administrators piao$ /add" and press Enter. We have now used the "Command Prompt" to create a simple "hidden account" with user name "piao$" and password "123456", and promoted it to administrator privileges.
Figure 1. Setting up a simple hidden account
Let's check whether the hidden account was created successfully. In the Command Prompt, enter "net user" to list the system accounts and press Enter; the accounts that exist on the current system are displayed. From the returned results we can see that the "piao$" account we just created does not appear. Now go to "Administrative Tools" in the Control Panel, open "Computer Management" and look at "Local Users and Groups". Under "Users", the hidden account "piao$" we created is exposed.
It follows that this method only hides the account from the "Command Prompt"; it does nothing against "Computer Management". This way of hiding an account is therefore not very practical and only works against careless administrators. It is an entry-level account hiding technique.
II. Hiding an account through the registry
As shown above, hiding an account with the Command Prompt has an obvious shortcoming and is easily exposed. Is there a technique that hides the account from both the Command Prompt and Computer Management? The answer is yes, and it only takes a small change in the registry to make the system account vanish from both.
1. Granting the administrator permission to operate on the registry
To manipulate the registry keys of a system account you need to edit "HKEY_LOCAL_MACHINE\SAM\SAM", but once there you will find that the key cannot be expanded. This is because the system by default grants the administrator only the "Write DAC" and "Read Control" permissions on it, with no permission to modify, so we cannot view or change the keys under "SAM". However, we can use the system's other "Registry Editor" to grant the administrator permission to modify them.
Click "Start" → "Run", enter "regedt32.exe" and press Enter; another "Registry Editor" opens. It differs from the "Registry Editor" we normally use in that it can change the permissions of system accounts while operating on the registry (for ease of understanding it is referred to as regedt32.exe below). In regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM", click the "Security" menu → "Permissions", select the "Administrators" account in the "SAM permissions" window that pops up, check "Full Control" in the permission settings below and click "OK". Switching back to the Registry Editor, we find that the keys under "HKEY_LOCAL_MACHINE\SAM\SAM" can now be expanded.
Figure 2. Granting the administrator permission to operate on the registry
Tip: the method above applies only to Windows NT/2000. On Windows XP the permissions can be changed directly in the Registry Editor: select the key whose permissions you want to set, right-click it and choose "Permissions".
2. Replacing the hidden account's data with the administrator's
Once we have obtained permission to operate on the registry, we can formally begin building the hidden account. In the Registry Editor go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names"; all accounts existing on the current system are listed here, including, of course, our hidden account. Click our hidden account "piao$": the "Type" of the value shown on the right is 0x3e9. Go up to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\" and you will find the key "000003E9". The two correspond to each other, and all the information of the hidden account "piao$" is in the "000003E9" key. In the same way we find that the key for the "Administrator" account is "000001F4".
Export the "piao$" key to piao$.reg, and export the F values of the "000003E9" and "000001F4" keys to user.reg and admin.reg respectively. Open admin.reg in Notepad, copy the content following the "F" value, replace the "F" value in user.reg with it, and save. Next, go to the Command Prompt and type "net user piao$ /del" to delete the hidden account we created. Finally, import piao$.reg and user.reg back into the registry, and the hidden account is finished.
Figure 3. Copy F value content
3. Burning the bridge: cutting off the way to delete the hidden account
Although our hidden account is now hidden from both the Command Prompt and Computer Management, an experienced system administrator may still delete it through the Registry Editor. So how do we make the hidden account rock solid?
Open "regedt32.exe", go to "HKEY_LOCAL_MACHINE\SAM\SAM", set the permissions of "SAM" and remove all permissions held by "Administrators". Now an error occurs whenever the real administrator tries to operate on the keys under "HKEY_LOCAL_MACHINE\SAM\SAM", and the permissions cannot be granted again through "regedt32.exe". An inexperienced administrator is helpless even after finding the hidden account on the system.
III. A special tool that hides the account in one step
Although the method above hides the account well, the operation is troublesome, unsuitable for beginners, and editing the registry is dangerous: it can easily crash the system. We can therefore use a dedicated account hiding tool, so that hiding an account is no longer difficult and takes only one command.
The tool we use is called HideAdmin; download it and unzip it to drive C. Then open the Command Prompt and enter "HideAdmin piao$ 123456". If "Create a hiden Administrator piao$ Successed!" is displayed, we have successfully created a hidden account named piao$ with the password 123456. The hiding effect produced by this tool is the same as that of the registry modification described above.
IV. Removing hidden accounts from the system
The harm done by hidden accounts is enormous. Having understood the hiding techniques, we must therefore also understand the corresponding countermeasures, so that hidden accounts can be driven out of the system completely.
1. Hidden accounts created by adding a "$" suffix
Detecting this kind of hidden account is relatively simple. In general, an account hidden this way is then promoted to administrator privileges, so typing "net localgroup administrators" in the "Command Prompt" is enough to make all such hidden accounts appear. If that seems troublesome, open "Computer Management" directly: an account with a "$" suffix cannot hide there.
2. Hidden accounts created by modifying the registry
Because an account hidden this way is not shown in the Command Prompt or Computer Management, it has to be deleted in the registry. Go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names" and compare the accounts listed there with those in "Computer Management"; the extra ones are the hidden accounts. Deleting one is also easy: simply delete the key named after the hidden account.
3. Hidden accounts whose name cannot even be seen
If, after creating a registry-modified hidden account, * also removes the administrator's permission to operate on the registry, the administrator can neither delete the hidden account through the registry nor even learn the name of the account * created. Nothing is absolute, however: with the help of Group Policy we can make sure that logins through hidden accounts do not go unnoticed. Click "Start" → "Run", enter "gpedit.msc" to open "Group Policy", expand "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "Audit Policy", double-click "Audit policy change" on the right, check "Success" in the settings window that pops up and click "OK". Apply the same setting to "Audit logon events" and "Audit process tracking".
Figure 4. Enabling logon event auditing
Once logon auditing is on, the login of every account, including the hidden one, is recorded, so through the "Event Viewer" in "Computer Management" we can learn the exact name of the hidden account, and even the time of the login. Even if all the logon records are deleted, the system records which account cleared the log, and so the hidden account of * * is exposed.
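The following PowerShell script is an added example, not part of the original article and not the HideAdmin tool; it performs the three checks of this section on a modern Windows host (PowerShell 5.1 with the LocalAccounts module). Assumptions: the function names are mine, and reading HKLM\SAM\SAM requires a SYSTEM context (for example a scheduled task running as SYSTEM or PsExec -s), since ordinary administrators lack read permission there by default.

```powershell
# Added detection helper; run in a SYSTEM context (assumption, see lead-in).

function Get-SamRegistryAccountNames {
    # Account names as stored directly in the SAM hive (section IV, item 2).
    $path = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
    if (-not (Test-Path $path)) {
        throw "Cannot read $path - run this as SYSTEM (e.g. PsExec -s)."
    }
    (Get-ChildItem -Path $path).PSChildName
}

function Find-HiddenLocalAccounts {
    # Names present in the hive but missing from the SAM API ("net user",
    # Get-LocalUser) are the "extra accounts" the article tells us to look for.
    $hive = Get-SamRegistryAccountNames
    $api  = @((Get-LocalUser).Name)
    $hidden = $hive | Where-Object { $api -notcontains $_ }
    # A "$" suffix only hides from "net user" (item 1); still flag it.
    $dollar = $api | Where-Object { $_.EndsWith('$') }
    [pscustomobject]@{
        HiddenFromApi     = @($hidden)
        DollarSuffixed    = @($dollar)
        AdminGroupMembers = @((Get-LocalGroupMember -Group 'Administrators').Name)
    }
}

function Enable-AccountAudit {
    # Same effect as the Group Policy settings in item 3, via auditpol.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"User Account Management" /success:enable | Out-Null
    auditpol /set /subcategory:"Audit Policy Change" /success:enable | Out-Null
}

function Get-AccountAuditEvents {
    param([int]$Hours = 24)
    # 4624 = successful logon, 4720 = account created, 1102 = audit log cleared.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4720, 1102
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = {
        # The user-name field sits at a different index for each event ID.
        switch ($_.Id) {
            4624 { $_.Properties[5].Value }   # TargetUserName
            4720 { $_.Properties[0].Value }   # TargetUserName (new account)
            1102 { $_.Properties[1].Value }   # SubjectUserName (who cleared the log)
        } } }
}

Find-HiddenLocalAccounts | Format-List
Get-AccountAuditEvents -Hours 24 | Format-Table -AutoSize
```

Compare the HiddenFromApi list with the Names key by hand before deleting anything, since a hidden account created by the cloning method shares the administrator's account data.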