How to manually clone Windows operating system hidden account

Adding Accounts in Command Line Mode

Click “Start”→“Run”, enter “cmd"Run“Command Prompt”, enter The following command: net user test$ /add and enter, so that you can create an account named test$ in the system. Continue typing: net localgroup administrators test$ /add and press Enter, which will raise the test$ account to administrator privileges.

●Add a hidden account

Step 01 Click “Start”→“Run”, enter “regedt32.exe”, press Enter, pop-up; Registry Edit & rdquo;. In regedt32.exe, go to “HKEY_LOCAL_MACHINESAMSAM”, click “Edit"Menu →“Permissions", in the pop-up "SAM Permissions" edit window, select "administrators" account, below Go to the full control of the permission settings, and click “OK<;

●Set Registry Operation Permissions

Step 02 Enter “regedit.exe"Run“Registry Editor" in the "Run", navigate to "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames” At the point where you click on the hidden account “test$”, the "type" in the key value displayed on the right is displayed as 0x404, go up to “HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers”, you can find “00000404” The two correspond to each other, and all information about the hidden account “test$” is in the item "00000404". Similarly, we can find the item corresponding to the “administrator” account as “000001F4”.

Step 03 exports the key value of “test$” to test$.reg, and exports the F key values ​​of the “00000404” and “000001F4” items to user.reg, admin. Reg. Open the admin.reg with “Notepad>, copy the content after the value of "F”", replace the "F” value content in user.reg, save it after completion

Clone account is The most hidden back door

In Windows, each account has a corresponding key value in the registry, this key value affects the permissions of the account. When the hacker copies the key value in the registry, he can clone the account with one user right into an account with administrator rights and hide the account. Hidden accounts are invisible both in “user management" or "command prompt". Therefore, general computer administrators rarely find hidden accounts, and the harm is enormous.

●Find the hidden key value of the hidden account

Step 04 Enter the "net user test$ /del” command in the "command prompt>; delete the hidden account we created. Don't worry, this step just deletes the hidden account's "empty shell", just like the cleanup trace after the invasion, the hidden account is not changed. Finally, we double-click the two registry files test$.reg and user.reg and import them into the registry and you're done.

After hacking a target, a hacker usually leaves a back door on the target computer to control the computer for a long time. However, the back door is finally a hacking tool, which is one of the targets of anti-virus software. After the anti-virus software is upgraded, the back door is deleted. But there is a backdoor that will never be killed by anti-virus software, is a hidden system clone account.