The principle is very simple Ah sam FV key value. focus on how to avoid detection Generally the detection of clone accounts is the detection of the sam inside there not the same FV. use this feature to bypass the detection. huh
1.net user allyesno freexploit /add&net localgroup administrators allyesno /add 2. clone allyesno->guest 3. delete allyesno sam FV （Oh, so you completed.）
So since conventional testing tools cannot detect the pull quack. in.
In addition kaka mentioned once login it will generate a file problem this can be in the inside the registry modify the user to generate the file path and added other tools to assist hide
The test environment was for xp sp2&2 0 0 3 sp1 know Microsoft now whether Supplement don't know Vista can use
Can add my QQ discuss 1 3 8 8 8 8 3 1 8 verification: very good, very harmonious
thx:at the time in 0x577 irc help test some of the people such as kaka luoluo, etc. for too long the other person can't remember.） ps:sigh, have been marginalized......
Delete the registry of the relevant information and use the net user xxx /delete such that Delete is different
I established a user allyesno then the guest cloned into allyesno allyesno and guest through the registry to point to the sam file inside the user information windows System to authenticate the user start-up mode is the first in the registry relevant to the query name of the user sam inside and then in the sam file which reads the corresponding information to start
If you use the net user allyesno /delete this command then the sam registry and sam files of the user information will be deleted And guest point to the sam file inside the allyesno user information is deleted guest naturally does not successfully log in.
On the contrary only the registry inside allyesno the user information delete all but the sam file inside still retains allyesno information so the guest can successfully logon