ALL,
After carefully studying 洛洛's post "About the tool for resetting a forgotten domain controller (DC) administrator password", I found that its working principle is as follows:
a> Log in to Restore mode, because it can access system resources on the DC such as editing the registry and installing a start-up service
b> Install a start-up service to "recover" the domain admin pwd via an install-service script "setup.exe/bat", which does the following:
1>copy all needed files to c:\
2>cmd "instsrv.exe" to install service
3>cmd "reg add" to add the Parameters entry and an Application value pointing to passrecovery.exe / cmd "reg import"
4>cmd "reg add" to add a backout script to run at startup after pwd recovery, at HKLM\SW\WINDOWS\CurrentVersion\Run
5>cmd "shutdown -r -f"
d> PassRecovery.exe/bat does the following things:
1>"net user /add mcse P@ssw0rd" --- add a new domain user
2>"net localgroup administrators /add mcse" --- join this user to the local admin group (the previous machine-local group "administrators" becomes the built-in Domain Local group "administrators" after the server becomes a DC)
3>create a backout script named temp.bat in c:\ corresponding to the Run entry in the registry
e> Reboot the DC and modify the forgotten domain admin account.
f> The backout script "temp.bat" does the following things:
net stop PassRecovery
sc delete PassRecovery
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PassRecovery /f
:deldir
rd /s /q c:\mcse_temp
if exist c:\mcse_temp\. goto deldir
if not exist c:\mcse_temp\. del %0
Conclusion:
a>In Restore mode, we can access system resources on the DC such as editing the registry and installing a start-up service.
b>By default, services run under the "system" credential, which has admin privilege.
c>The previous machine-local group becomes a built-in Domain Local group after the server becomes a DC.
Also, although 洛洛 has packaged the two key programs setup.exe and passrecovery.exe as binary .exe files, based on my research they are basically implemented with the following two batch files.
setup.bat:
================================
instsrv PassRecovery C:\DomainPwdRecovery\srvany.exe
reg add HKLM\SYSTEM\CurrentControlSet\Services\PassRecovery\Parameters
reg add HKLM\SYSTEM\CurrentControlSet\Services\PassRecovery\Parameters /v Application /t REG_SZ /d "C:\DomainPwdRecovery\PassRecovery.bat"
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PassRecovery /t REG_SZ /d "c:\temp.bat"
shutdown -r -f
======================================
PassRecovery.bat:
net user /add mcse P@ssw0rd
rem net localgroup administrators /add mcse
net group "Domain Admins" /add mcse
echo net stop PassRecovery >>c:\temp.bat
echo sc delete PassRecovery >>c:\temp.bat
echo reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v PassRecovery /f >>c:\temp.bat
=======================================================================================================
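From the defender's side, the mechanism above leaves several artifacts that are easy to audit: an srvany.exe wrapper service with a Parameters\Application value, a Run-key entry that launches a batch file, a Service Control Manager event 7045 (service installed), and Security events 4720 (user created) and 4728 (member added to a security-enabled global group such as Domain Admins). The following PowerShell audit script is an added example and is not part of the original post or of 洛洛's tool; it assumes it is run elevated on the DC, and the service and value names it looks for (PassRecovery, srvany.exe, .bat in the Run key) are taken from the batch files quoted above.

```powershell
# Added example, not code from the original post: audit a DC for the
# persistence pattern described above. Assumed to run elevated on the DC.
$findings = @()
$since = (Get-Date).AddDays(-7)   # look-back window, an assumption

# 1. Services whose binary is srvany.exe (the wrapper used by setup.bat);
#    report the Parameters\Application value that srvany actually launches.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path "Registry::$($_.Name)" -ErrorAction SilentlyContinue
    if ($svc.ImagePath -match 'srvany\.exe') {
        $params = Get-ItemProperty -Path "Registry::$($_.Name)\Parameters" -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Type   = 'srvany wrapper service'
            Name   = $_.PSChildName
            Detail = "ImagePath=$($svc.ImagePath); Application=$($params.Application)"
        }
    }
}

# 2. Run-key values that launch a batch file (the post's c:\temp.bat backout script).
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '\.(bat|cmd)(\s|"|$)' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Run key -> batch file'; Name = $_.Name; Detail = $_.Value }
    }

# 3. Recent service installations: System log, Service Control Manager, event 7045.
#    Properties[0] is the service name, Properties[1] the image path.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = 'Service installed (7045)'
            Name   = $_.Properties[0].Value
            Detail = "$($_.TimeCreated) $($_.Properties[1].Value)"
        }
    }

# 4. Security log: 4720 = user account created, 4728 = member added to a
#    security-enabled global group. This is what "net user /add" and
#    "net group "Domain Admins" /add" in PassRecovery.bat produce.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = "Security event $($_.Id)"
            Name   = $_.TimeCreated
            Detail = ($_.Message -split "`n")[0]
        }
    }

$findings | Format-Table -AutoSize -Wrap
```

The script only reports; it does not remove anything, so an administrator can compare each hit against the change records for the DC before acting. Note that steps 1 and 2 detect only the persistence left behind, while steps 3 and 4 rely on event logs that an attacker with DSRM access could clear, so forwarding Security and System logs off the DC is what makes this audit reliable. Physical or DSRM access to a DC is equivalent to full control of the domain, which is why this pattern is a reason to protect DSRM passwords and console access rather than something that can be fixed on the DC itself.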