[新手上路]批处理新手入门导读[视频教程]批处理基础视频教程[视频教程]VBS基础视频教程[批处理精品]批处理版照片整理器
[批处理精品]纯批处理备份&还原驱动[批处理精品]CMD命令50条不能说的秘密[在线下载]第三方命令行工具[在线帮助]VBScript / JScript 在线参考
返回列表 发帖
NETSECURE

Rank: 2

帖子
积分
111 
技术
0  
捐助
0  
注册时间
2009-3-13 
1 跳转到 » 倒序看帖
打印
tT
发表于 2009-3-13 20:31 | 只看该作者

[系统相关] 【已解决】求助批处理隐藏克隆guest帐户问题与检测

大家好!发问一些问题..希望高手们多指导一下

相似帖详见:http://bbs.bathome.net/thread-3642-1-1.html 并求相关的检测代码

给定两SAM注册表文件

000001F4.REG
  1.  

  2. Windows Registry Editor Version 5.00

  3. 

  4. [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4]

  5. "F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\

  6.   00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\

  7.   f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\

  8.   00,00,00,00,00,00,00

  9. "V"=hex:00,00,00,00,bc,00,00,00,02,00,01,00,bc,00,00,00,1a,00,00,00,00,00,00,\

  10.   00,d8,00,00,00,00,00,00,00,00,00,00,00,d8,00,00,00,1a,00,00,00,00,00,00,00,\

  11.   f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,\

  12.   00,00,00,00,00,00,00,00,00,00,00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,\

  13.   00,00,00,00,00,00,00,00,00,00,f4,00,00,00,00,00,00,00,00,00,00,00,f4,00,00,\

  14.   00,00,00,00,00,00,00,00,00,f4,00,00,00,15,00,00,00,a8,00,00,00,0c,01,00,00,\

  15.   08,00,00,00,01,00,00,00,14,01,00,00,04,00,00,00,00,00,00,00,18,01,00,00,14,\

  16.   00,00,00,00,00,00,00,2c,01,00,00,04,00,00,00,00,00,00,00,30,01,00,00,04,00,\

  17.   00,00,00,00,00,00,01,00,14,80,9c,00,00,00,ac,00,00,00,14,00,00,00,44,00,00,\

  18.   00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\

  19.   00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\

  20.   00,58,00,03,00,00,00,00,00,14,00,5b,03,02,00,01,01,00,00,00,00,00,01,00,00,\

  21.   00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\

  22.   00,00,00,24,00,44,00,02,00,01,05,00,00,00,00,00,05,15,00,00,00,a1,f4,04,62,\

  23.   b4,7b,73,34,75,b9,75,54,f4,01,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\

  24.   02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,41,00,64,00,6d,00,\

  25.   69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,00,00,a1,7b,06,\

  26.   74,a1,8b,97,7b,3a,67,28,00,df,57,29,00,84,76,85,51,6e,7f,10,5e,37,62,00,00,\

  27.   ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ee,e3,41,01,\

  28.   02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,37,b1,53,a9,4e,aa,94,4b,b9,2b,\

  29.   ff,46,22,e8,47,73,01,00,01,00,01,00,01,00
复制代码
000001F5.REG
  1.  

  2. Windows Registry Editor Version 5.00

  3. 

  4. [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]

  5. "F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

  6.   00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,7f,00,00,00,00,00,00,00,00,\

  7.   f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

  8.   00,00,00,00,00,00,00

  9. "V"=hex:00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,0a,00,00,00,00,00,00,\

  10.   00,bc,00,00,00,00,00,00,00,00,00,00,00,bc,00,00,00,22,00,00,00,00,00,00,00,\

  11.   e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,\

  12.   00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,\

  13.   00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,\

  14.   00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,\

  15.   08,00,00,00,01,00,00,00,e8,00,00,00,04,00,00,00,00,00,00,00,ec,00,00,00,04,\

  16.   00,00,00,00,00,00,00,f0,00,00,00,04,00,00,00,00,00,00,00,f4,00,00,00,04,00,\

  17.   00,00,00,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,\

  18.   00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\

  19.   00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\

  20.   00,4c,00,03,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\

  21.   00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\

  22.   00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\

  23.   01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,\

  24.   00,00,00,20,02,00,00,47,00,75,00,65,00,73,00,74,00,00,00,9b,4f,65,67,be,5b,\

  25.   bf,8b,ee,95,a1,8b,97,7b,3a,67,16,62,bf,8b,ee,95,df,57,84,76,85,51,6e,7f,10,\

  26.   5e,37,62,00,00,01,02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,01,00,01,00,\

  27.   01,00,01,00
复制代码
克隆方法:拷贝000001F4.REG的f键值区块

即为:
"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
  00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\
  f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\
  00,00,00,00,00,00,00

取代000001F5.REG的F键值区块

即把:

"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,7f,00,00,00,00,00,00,00,00,\
  f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00

替换为:

"F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
  00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\
  f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\
  00,00,00,00,00,00,00

而000001F5.REG的V值保持不变

最後处理完的000001F5.REG的信息如下:
  1. Windows Registry Editor Version 5.00

  2. [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]

  3. "F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\

  4. 00,7e,33,3e,dd,c6,4b,c9,01,00,00,00,00,00,00,00,00,f0,cf,00,df,c6,4b,c9,01,\

  5. f4,01,00,00,01,02,00,00,11,02,00,00,00,00,00,00,01,00,21,00,01,00,00,00,00,\

  6. 00,00,00,00,00,00,00

  7. "V"=hex:00,00,00,00,b0,00,00,00,02,00,01,00,b0,00,00,00,0a,00,00,00,00,00,00,\

  8. 00,bc,00,00,00,00,00,00,00,00,00,00,00,bc,00,00,00,22,00,00,00,00,00,00,00,\

  9. e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,\

  10. 00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,\

  11. 00,00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,\

  12. 00,00,00,00,00,00,00,00,00,e0,00,00,00,00,00,00,00,00,00,00,00,e0,00,00,00,\

  13. 08,00,00,00,01,00,00,00,e8,00,00,00,04,00,00,00,00,00,00,00,ec,00,00,00,04,\

  14. 00,00,00,00,00,00,00,f0,00,00,00,04,00,00,00,00,00,00,00,f4,00,00,00,04,00,\

  15. 00,00,00,00,00,00,01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,44,00,00,\

  16. 00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\

  17. 00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\

  18. 00,4c,00,03,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\

  19. 00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\

  20. 00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\

  21. 01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,\

  22. 00,00,00,20,02,00,00,47,00,75,00,65,00,73,00,74,00,00,00,9b,4f,65,67,be,5b,\

  23. bf,8b,ee,95,a1,8b,97,7b,3a,67,16,62,bf,8b,ee,95,df,57,84,76,85,51,6e,7f,10,\

  24. 5e,37,62,00,00,01,02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,01,00,01,00,\

  25. 01,00,01,00
复制代码

[ 本帖最后由 NETSECURE 于 2009-3-13 22:55 编辑 ]
1

评分人数

    • Batcher: 感谢主动给标题标注[已解决]字样PB + 2
收藏 分享

Batcher

Rank: 12Rank: 12Rank: 12

帖子
14936 
积分
46143 
技术
857  
捐助
745  
注册时间
2008-6-9 
2
发表于 2009-3-13 20:37 | 只看该作者
http://bbs.bathome.net/thread-3642-1-1.html这个帖子里给的方法不行么?哪里不行?
我帮忙写的代码不需要付钱。如果一定要给,请在微信群或QQ群发给大家吧。
【微信公众号、微信群、QQ群】http://bbs.bathome.net/thread-3473-1-1.html
【支持批处理之家,加入VIP会员!】http://bbs.bathome.net/thread-67716-1-1.html

TOP

NETSECURE

Rank: 2

帖子
积分
111 
技术
0  
捐助
0  
注册时间
2009-3-13 
3
发表于 2009-3-13 20:54 | 只看该作者

回复 2楼 的帖子

无法输出000001F5.reg的F与V的键值..



  1. (echo Windows Registry Editor Version 5.00&echo.

  2. for /f "skip=2" %%a in (000001F5.REG) do (

  3. echo %%a

  4. for /f "skip=3 delims=" %%a in (000001F4.REG) do (

  5. if /i "%%a" lss ""V"" (echo %%a) else more +7 000001F5.REG & goto next

  6. )

  7. ))>000001F5_New.REG

  8. :next

  9. move 000001F5_New.REG 000001F5.REG
复制代码

[ 本帖最后由 NETSECURE 于 2009-3-13 21:10 编辑 ]

TOP

Batcher

Rank: 12Rank: 12Rank: 12

帖子
14936 
积分
46143 
技术
857  
捐助
745  
注册时间
2008-6-9 
4
发表于 2009-3-13 21:18 | 只看该作者

回复 3楼 的帖子

  1. @echo off

  2. (echo Windows Registry Editor Version 5.00

  3. echo.

  4. for /f "skip=2" %%a in ('type 000001F5.REG') do (

  5.   echo.%%a

  6.   for /f "skip=3 delims=" %%a in ('type 000001F4.REG') do (

  7.     if /i "%%a" lss ""V"" (

  8.       echo.%%a

  9.     ) else (

  10.       more +7 000001F5.REG

  11.     )

  12.     goto :next

  13.   )

  14. ))>000001F5_New.REG

  15. :next

  16. move 000001F5_New.REG 000001F5.REG
复制代码
1

评分人数

我帮忙写的代码不需要付钱。如果一定要给,请在微信群或QQ群发给大家吧。
【微信公众号、微信群、QQ群】http://bbs.bathome.net/thread-3473-1-1.html
【支持批处理之家,加入VIP会员!】http://bbs.bathome.net/thread-67716-1-1.html

TOP

NETSECURE

Rank: 2

帖子
积分
111 
技术
0  
捐助
0  
注册时间
2009-3-13 
5
发表于 2009-3-13 21:36 | 只看该作者

回复 4楼 的帖子

代码有点小缺陷..键值不全

  1. Windows Registry Editor Version 5.00

  2. 

  3. [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]

  4. "F"=hex:02,00,01,00,00,00,00,00,40,03,fc,ce,c6,4b,c9,01,00,00,00,00,00,00,00,\
复制代码

TOP

Batcher

Rank: 12Rank: 12Rank: 12

帖子
14936 
积分
46143 
技术
857  
捐助
745  
注册时间
2008-6-9 
6
发表于 2009-3-13 22:23 | 只看该作者

回复 5楼 的帖子

  1. @echo off

  2. (echo Windows Registry Editor Version 5.00

  3. echo.

  4. for /f "skip=2" %%a in ('type 000001F5.REG') do (

  5.   echo.%%a

  6.   for /f "skip=3 delims=" %%a in ('type 000001F4.REG') do (

  7.     if /i "%%a" lss ""V"" (

  8.       echo.%%a

  9.     ) else (

  10.       more +7 000001F5.REG

  11.       goto :next

  12.     )

  13.   )

  14. ))>000001F5_New.REG

  15. :next

  16. move 000001F5_New.REG 000001F5.REG
复制代码
我帮忙写的代码不需要付钱。如果一定要给,请在微信群或QQ群发给大家吧。
【微信公众号、微信群、QQ群】http://bbs.bathome.net/thread-3473-1-1.html
【支持批处理之家,加入VIP会员!】http://bbs.bathome.net/thread-67716-1-1.html

TOP

返回列表