1、按 Shift+F10 打开 cmd,执行下面这 2 句命令启用 Administrator
rem Enable the built-in Administrator account (it is disabled on a fresh install)
rem and set its password to empty. With account-management auditing enabled these
rem two commands show up in the Security log as 4722 (account enabled) and
rem 4738 (account changed) - the same events a defender would use to spot this
rem change on a production machine.
net user Administrator /active:yes
net user Administrator ""
2、Win+R 运行 taskmgr.exe 打开任务管理器,结束进程 msoobe
3、重启机器
大致原理类似这篇文档https://blog.csdn.net/qq_41086359/article/details/122516325
1、从系统进入区域设置起,就可以按下 Ctrl+Shift+F3 进入审计模式。进入系统之后会弹出一个“系统准备工具 3.14”弹窗,不要点击确定,直接点 × 关掉。
2、打开 cmd执行这2句命令启用Administrator
rem Turn the built-in Administrator account on and clear its password so the
rem audit-mode session can log on without a prompt. Note the blank password is
rem machine-wide state, not a per-session setting; it stays until changed.
net user Administrator /active:yes
net user Administrator ""
3、参考这篇文档,利用advancedrun提权,在提权后的cmd下执行下面命令
利用 advancedrun 提权,我写了一段 PowerShell 代码(安装 advancedrun,并提权到 PowerShell):
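# Fetches NirSoft AdvancedRun (and 7-Zip, when it is not already installed) and
# unpacks AdvancedRun.exe into C:\Windows so it is on PATH for the next step.
# Both archives are fetched over HTTPS instead of plain HTTP; fill in the two
# $expected*Sha256 values with the publisher's hashes to make the script refuse a
# file that does not match. The Downloads path is hard-coded to the Administrator
# profile, so run this from that account.
Set-executionpolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force;

# Leave empty to skip the check; set to pin the download.
$expectedAdvancedRunSha256 = ''   # e.g. '<SHA256 of advancedrun-x64.zip as published by nirsoft.net>'
$expected7zSha256          = ''   # e.g. '<SHA256 of 7z2301-x64.msi as published by 7-zip.org>'

function Test-ExpectedHash {
    # Returns $true when $Expected is empty (check disabled) or equals the file's SHA-256.
    param([string]$Path, [string]$Expected)
    if (-not $Expected) { return $true }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($actual -ieq $Expected)
}

$downloadDir = 'c:\Users\Administrator\Downloads'
$advancedRunZip = Join-Path $downloadDir 'advancedrun-x64.zip'
# -UseBasicParsing keeps Windows PowerShell 5 from depending on the Internet Explorer engine.
Invoke-WebRequest -Uri 'https://www.nirsoft.net/utils/advancedrun-x64.zip' -OutFile $advancedRunZip -UseBasicParsing
if (-not (Test-ExpectedHash -Path $advancedRunZip -Expected $expectedAdvancedRunSha256)) {
    throw "advancedrun-x64.zip does not match the expected SHA-256"
}

$7zPath = "$env:ProgramFiles\7-Zip\7z.exe"
if (-not (Test-Path -Path $7zPath)) {
    $msiPath = 'c:\7z2301-x64.msi'
    # Alternative mirror the author used (plain http, not verified):
    #   http://windows-1251783334.cos.ap-shanghai.myqcloud.com/7z2301-x64.msi
    Invoke-WebRequest -Uri 'https://www.7-zip.org/a/7z2301-x64.msi' -OutFile $msiPath -UseBasicParsing
    if (-not (Test-ExpectedHash -Path $msiPath -Expected $expected7zSha256)) {
        throw "7z2301-x64.msi does not match the expected SHA-256"
    }
    # Wait for the installer to finish rather than sleeping a fixed 30 s; the
    # fixed sleep could reach the extraction step before 7z.exe existed.
    Start-Process -FilePath msiexec.exe -ArgumentList '/i', $msiPath, '/qn' -Wait
    Remove-Item -Path $msiPath -ErrorAction SilentlyContinue
}
# Use the same path that was tested above; -aoa overwrites without prompting.
& $7zPath x -aoa $advancedRunZip -o"c:\Windows" "AdvancedRun.exe"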
在提权后的窗口里执行下面命令
cmd
rem Everything below is typed into the cmd just opened inside the elevated AdvancedRun window.
rem Keyboard layout preload order - 00000409 is en-US, 00000804 is zh-CN - written for the
rem current user, the system hive and the .DEFAULT profile (logon screen); output and errors
rem are discarded.
reg add "HKCU\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>nul 1>nul
reg add "HKCU\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>nul 1>nul
reg add "HKLM\SYSTEM\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>nul 1>nul
reg add "HKLM\SYSTEM\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>nul 1>nul
reg add "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>nul 1>nul
reg add "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>nul 1>nul
rem Keep the local layout order in RDP sessions; both spellings of the key are written
rem (presumably because different builds read different ones - unverified).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>nul 1>nul
rem Show seconds in the taskbar clock (.DEFAULT profile, current user, machine).
reg add "HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>nul 1>nul
rem SaveZoneInformation=1 stops Attachment Manager from recording the download zone
rem (Mark-of-the-Web) on saved files, so they are no longer blocked as downloads;
rem SmartScreen and Office Protected View lose that signal as a side effect.
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>nul 1>nul
rem Above: make the English keyboard the default so pasting code is easier, then show
rem seconds in the clock and stop downloads from being locked.
rem Move the OOBE audit launcher out of the way and copy svchost.exe in under its name.
rem xcopy flags: /X keeps ownership and audit ACEs, /f prints full paths, /i assumes a
rem missing target is a directory when several files are copied, /y answers overwrite
rem prompts automatically. With a single file and no existing target xcopy may still ask
rem whether the target is a file or a directory - verify on the build you use.
ren %windir%\system32\oobe\audit.exe audit.exe.bak
xcopy %windir%\system32\svchost.exe %windir%\system32\oobe\audit.exe /X /f /i /y
rem Same copy without /y, answering the prompt with "A"; only one of the two xcopy lines is needed.
echo A | xcopy %windir%\system32\svchost.exe %windir%\system32\oobe\audit.exe /X /f /i
rem Reboot immediately.
shutdown -r -t 0
或者输入以下文本,另存为 enableAdministrator.bat,双击执行也能达到上述提权替换的目的:
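rem enableAdministrator.bat - save as ANSI and run it from the OOBE / audit-mode cmd.
rem Order of work: keyboard layout and clock tweaks, attachment zone handling,
rem PowerShell policy, Telnet client, firewall, power plan, lock screen, SMB and NFS
rem client settings, activation, account lockout; then swap oobe\audit.exe for
rem svchost.exe, enable the built-in Administrator with an empty password and reboot.
rem Several steps trade security for convenience (firewall off, SMB signing off,
rem guest auth on, no lockout, no zone info on downloads); they suit a throwaway
rem lab or VM image.
rem Keyboard layout preload order - 00000409 is en-US, 00000804 is zh-CN - for the
rem current user, the system hive and the .DEFAULT profile; output and errors discarded.
reg add "HKCU\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>nul 1>nul
reg add "HKCU\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>nul 1>nul
reg add "HKLM\SYSTEM\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>nul 1>nul
reg add "HKLM\SYSTEM\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>nul 1>nul
reg add "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>nul 1>nul
reg add "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>nul 1>nul
rem Keep the local layout order in RDP sessions (both spellings of the key are written).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>nul 1>nul
rem Show seconds in the taskbar clock.
reg add "HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>nul 1>nul
rem SaveZoneInformation=1: do not record the download zone (Mark-of-the-Web) on saved
rem files, so they are not blocked as downloads; SmartScreen and Office Protected View
rem lose that signal as a side effect.
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>nul 1>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>nul 1>nul
rem Above: make the English keyboard the default so pasting code is easier, then show
rem seconds in the clock and stop downloads from being locked.
rem Allow unsigned scripts for every user (machine-wide policy).
powershell -command "Set-ExecutionPolicy Unrestricted -force"
rem Install the Telnet client. pkgmgr is deprecated; the supported equivalent is
rem dism /online /enable-feature /featurename:TelnetClient
cmd.exe /c "start /w pkgmgr /iu:TelnetClient"
rem Turn Windows Firewall off for every profile.
netsh advfirewall set allprofiles state off
rem Select the built-in High performance plan and never turn the display off on battery or AC.
powercfg -s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
powercfg -x -monitor-timeout-dc 0
powercfg -x -monitor-timeout-ac 0
rem Disable the lock screen and workstation locking. The scheduled task re-applies
rem AllowLockScreen=0 at every boot, presumably because Windows rewrites that SessionData value.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreen" /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DisableLockWorkstation" /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Authentication\LogonUI\SessionData" /v "AllowLockScreen" /d 0 /t REG_DWORD /f
rem Quotes inside /tr are escaped as \" - single quotes are not argument delimiters for
rem reg.exe, so the key path containing "Windows NT" was being split into two arguments.
schtasks.exe /create /tn "Microsoft\Windows\nolockscreen" /ru SYSTEM /rl highest /sc ONSTART /tr "reg add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Authentication\LogonUI\SessionData\" /v AllowLockScreen /d 0 /t REG_DWORD /f" /f
rem SMB client: allow unauthenticated guest access to shares and drop the signing
rem requirement (both remove the client's protection against a spoofed file server),
rem then disable client-side metadata caching so remote changes are seen immediately.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "AllowInsecureGuestAuth" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanworkstation\Parameters" /v "FileInfoCacheLifetime" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanworkstation\Parameters" /v "FileNotFoundCacheLifetime" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanworkstation\Parameters" /v "DirectoryCacheLifetime" /d 0 /t REG_DWORD /f
rem NFS client: disable attribute and write caching for the default user.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Client for NFS\CurrentVersion\Users\Default\Cache" /v "AttributeTimeDelta" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Client for NFS\CurrentVersion\Users\Default\Cache" /v "FileAttributeCache" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Client for NFS\CurrentVersion\Users\Default\Cache" /v "RemoteWriteCache" /d 0 /t REG_DWORD /f
rem Point activation at a third-party KMS host (kms.03k.org) that the image owner does
rem not control, then activate. cscript accepts the forward slashes in the script path.
cmd.exe /c "cscript /nologo %windir%/system32/slmgr.vbs -skms kms.03k.org:1688"
cmd.exe /c "cscript /nologo %windir%/system32/slmgr.vbs -ato"
rem No account lockout after failed logons.
net accounts /lockoutthreshold:0
rem Above: PowerShell policy, Telnet client, firewall off, display always on, SMB and NFS
rem client settings, activation, lockout disabled.
rem Replace the OOBE audit launcher with svchost.exe. Abort if the directory is missing
rem so takeown, del and copy never run in whatever the current directory happens to be.
CD /D %windir%\System32\oobe || exit /b 1
rem Save the current ACL, take ownership, grant Administrators full control.
icacls audit.exe /save auditAcl
TAKEOWN /F audit.exe
icacls audit.exe /grant Administrators:F
ren %windir%\system32\oobe\audit.exe audit.exe.bak
rem If the rename did not happen (for example the file was in use) delete the original instead.
DEL audit.exe
COPY ..\svchost.exe audit.exe
rem Put the saved ACL back on the new audit.exe and remove the ACL dump.
icacls .\ /restore auditAcl
DEL auditAcl
rem Enable the built-in Administrator with an empty password, re-enable WinRE for
rem audit mode and reboot.
NET USER Administrator /active:yes
net user Administrator ""
REAGENTC.EXE /enable /auditmode
shutdown -r -t 0
rem After the reboot, restore the original audit.exe (optional): xcopy %windir%\system32\oobe\audit.exe.bak %windir%\system32\oobe\audit.exe /X /f /i /y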
另存为 .bat 时,注意选 ANSI 编码。enableAdministrator.bat 我已经包装成 .iso 文件了;如果你用 iso 在 VMware 里安装并需要用到这个 .bat,直接挂载 enableAdministrator.iso 即可:
http://windows-1251783334.cos.ap-shanghai.myqcloud.com/enableAdministrator.iso
4、重启之后恢复 audit.exe 文件(可选)
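rem Restore the original OOBE audit launcher from the backup made earlier (optional).
rem /X keeps ownership and audit ACEs, /f prints full paths, /i assumes a missing target
rem is a directory when several files are copied, /y overwrites without asking.
xcopy %windir%\system32\oobe\audit.exe.bak %windir%\system32\oobe\audit.exe /X /f /i /y
rem Alternative without /y: run the same xcopy with "A" piped into it from echo to answer
rem the overwrite prompt. The original listing marked this line with '#', which is not a
rem comment in cmd and would have been run as a command.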