Title: Security Accounts Manager | Author: | Last updated: 3rd April 2005

This article is based primarily on a local default setup of NT5.0 Professional or 2K (Windows 2000); however, there may be additional verified references to XP Professional and the Server editions. Much will apply across the NT range, but not all of it has been verified. Note that this is a partial update of the original version; there will be more additions, I just thought it was time to consolidate some material. This article has been written concisely and progressively, so it is advisable not to skim read. Some of it is advanced; use a test machine where possible.

Special thanks to (alphabetically ordered):

  esrever_otua: For pointing out something which I had missed about group memberships.
  fishy5: For coding XORCheck.exe, which calculates the registry hive checksum.
  mirrorshades: For inspiring a hash database space optimization technique.
  rattle: For coding ntdate.exe, which calculates the NT time format and the LastPolicyTime; a couple of programs for the #DAD8636F687BF15B section; and for working on the LM Hash Decoder V1/V2 projects.
  Serg Wasilenkow: For working on the LM Hash Decoder V1/V2 projects.
  Vladimir Katalov: For the PWSEx product key and working on the LM Hash Decoder V1/V2 projects.
  xavic: For inspiring a hash database space optimization technique.

Due to its length, and my decision not to divide this article into separate pages, I have split the article into 4 main chapters:

  01. Users and Groups
  02. (some) Security Settings
  03. Registry Structure
  04. Passwords

Within these chapters are sections divided by a dotted horizontal line.
To the left of each such line is a small image: these are anchors. Right-click on one to copy the shortcut/link address, or left-click (IE only) to add it directly to your bookmarks. These bookmarks may change, so I have used random hex as the link; make sure you name the link appropriately.

USERS AND GROUPS

Users can be added via an MMC with the Local Users and Groups snap-in present (Windows includes two such MMCs: compmgmt.msc and lusrmgr.msc) or via the Add... button in Users and Passwords, found in Control Panel. (Active Directory is configured via the Active Directory Users and Computers snap-in, dsa.msc.) Also via CMD:

  C:\>net user %username% /add

Another way that is usually forgotten is the Network Identification Wizard that shows up once when installing the 2K operating system. On running, it checks the current users (normally just Guest and Administrator) and it also checks the RegisteredOwner value, located here:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

which was entered earlier in setup. If an account has not been created for the user listed, an administrative-level one can be created here. Note you cannot overwrite passwords of existing accounts. To re-trigger this dialog, boot from Petter Nordahl-Hagen's boot disk:

  Load the SOFTWARE hive
  Cd to Microsoft\Windows NT\CurrentVersion
  Ed the RegisteredOwner value, if an account has already been created by that name or if a different one is required
  Cd to Winlogon
  Nv 4 RunNetAccessWizard
  Ed RunNetAccessWizard = 0x1

On reboot keep the selection on "Windows always assumes the following user has logged onto this computer"; the user name from the dropdown list should be the RegisteredOwner. Enter a password, Next, Finish. The user will be automatically logged on. Remember to uncheck "Users must enter a user name and password to use this computer" in Users and Passwords in Control Panel.
Also remember that, since this method uses the secure autologon feature, any existing autologon credentials will be overwritten; this will probably not be a problem, however.

This method also works in XP, but the process is a little more complex. If three or more Administrator/(Power) Users accounts are collectively present, users cannot be added via the re-triggered dialog. This is likely to be the case, hence you have to make it believe otherwise. If there are two or fewer, skip the SAM editing steps. Boot from Petter Nordahl-Hagen's boot disk:

  Load the SAM and SYSTEM hives
  Cd to SYSTEM\Setup
  Ed SetupType = 0x2
  Ed CmdLine = c:\windows\system32\oobe\msoobe.exe /f /retail   (FYI: just /f = full setup; license, key, activation & users)
  Nv 4 OobeInProgress
  Ed OobeInProgress = 0x1
  Switch to the SAM hive.
  Cd to SAM\SAM\Domains\Builtin\Aliases\00000220 (Administrators), value C
  Cd to SAM\SAM\Domains\Builtin\Aliases\00000221 (Users), value C
  Cd to SAM\SAM\Domains\Builtin\Aliases\00000223 (Power Users), value C
  Make a note of the 4 bytes at offsets 2C and 30; check that the first user number in 00000220, after the description, is F4,01,00,00 (most likely).
  Edit the C values at both offsets for 00000220 and 00000221 with 00,00,00,00; for 00000223: ":2c 18 00 00 00" and ":30 02 00 00 00".
  Save and reboot.

Add a user (up to five can be added here, all at administrative level) and log on with that user name using a blank password. Run regedit.exe and write back the 00000221 and 00000223 C values. Amend the 00000220 C key: make a note of the new user number that has overwritten the original (F4,01,00,00) one, restore the original, and add a similar 28 byte entry at the end, in the nulls provided, with the current user number after the machine SID. Reboot to complete.

Another unorthodox method is to run the net command as a service. Boot from Petter Nordahl-Hagen's boot disk and load the SYSTEM hive. Cd to ControlSet001\Services and create two keys, one for each of the two commands.
The editor seems to have a slight bug in that keys cannot be created that are prefixed with an existing service name, e.g. an error on creating a key named foobar if a key named foo exists. Remember that the services will be processed in alphabetical order.

  Cd into the first (alphabetically) newly created key.
  Nv 4 ErrorControl
  Ed ErrorControl = 0x1
  Nv 2 ImagePath
  Ed ImagePath = %systemroot%\system32\net.exe user foo /add
  Nv 1 ObjectName
  Ed ObjectName = LocalSystem
  Nv 4 Start
  Ed Start = 0x2
  Nv 4 Type
  Ed Type = 0x20
  Cd into the second (alphabetically) newly created key.
  Repeat the steps above, but with:
  Ed ImagePath = %systemroot%\system32\net.exe localgroup administrators foo /add

Reboot and log in, then remove the keys. 2K creates a couple of system error event log entries, so these may need removing.

One method that is often mentioned, but does not seem to work (anymore?), is changing the default screensaver to a program that allows user management, like cmd.exe or mmc.exe. The settings are located here:

  regedit.exe  - HKEY_USERS\.DEFAULT\Control Panel\Desktop
  explorer.exe - %windir%\system32\config\DEFAULT

  SCRNSAVE.EXE=logon.scr   - This is the screensaver that will be used if nobody logs on locally for a while.
  ScreenSaveActive=1       - Active=1, Inactive=0
  ScreenSaveTimeOut=600    - Number of idle seconds before screensaver activation (5 mins)
  ScreenSaverIsSecure=0    - This is the "On resume, password protect" option. A curious option: some kind of memory limit applies if set to 0, which is important to note if more memory is used.

However, even if you update logon.scr, the SYSTEM user, which is who you will be while the Winlogon generic control dialog lurks in the background, does not have permission to add or modify any users: "System error 5 has occurred. Access is denied." If a user logs on, SYSTEM does have access, so some kind of security is assumed before logon. It may be possible using a custom program; certainly, with access to regedit.exe, a user could be added manually.

The SID number is used in file, registry, service and user permissions.
The machine SID is determined in hexadecimal form from here:

  regedit.exe  - HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
  explorer.exe - %windir%\system32\config\SAM

If the SAM file is missing at startup, a backup is retrieved in hexadecimal form from here:

  regedit.exe  - HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS (last 12 bytes)
  explorer.exe - %windir%\system32\config\SECURITY

Sometimes the SID number is referenced in decimal form. Example:

  2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B

  1) Divide the bytes into 3 sections:
     2E,43,AC,40 , C0,85,38,5D , 07,E5,3B,2B
  2) Reverse the bytes of each section:
     40,AC,43,2E , 5D,38,85,C0 , 2B,3B,E5,07
  3) Convert each section into decimal:
     1085031214 , 1563985344 , 725345543
  4) Add the machine SID prefix:
     S-1-5-21-1085031214-1563985344-725345543

S-1-5-21-1085031214-1563985344-725345543 is the machine SID number in decimal format.

NT stored time format is referenced in user keys, registry hives etc. It is a count of 100-nanosecond intervals from 1 January 1601, so the precision is a very small fraction of a second:

  10,000          = one millisecond
  10,000,000      = one second
  600,000,000     = one minute
  36,000,000,000  = one hour
  864,000,000,000 = one day

  date/time              debug view                reversed view             decimal
  01/01/1601 12:00 AM    00,00,00,00,00,00,00,00   00,00,00,00,00,00,00,00   0
  01/01/2000 12:00 AM    00,40,6D,25,EB,53,BF,01   01,BF,53,EB,25,6D,40,00   125,911,584,000,000,000
  01/01/2001 12:00 AM    00,C0,9D,C8,85,73,C0,01   01,C0,73,85,C8,9D,C0,00   126,227,808,000,000,000
  01/01/2002 12:00 AM    00,80,64,41,57,92,C1,01   01,C1,92,57,41,64,80,00   126,543,168,000,000,000
  01/01/2003 12:00 AM    00,40,2B,BA,28,B1,C2,01   01,C2,B1,28,BA,2B,40,00   126,858,528,000,000,000
  01/01/2004 12:00 AM    00,00,F2,32,FA,CF,C3,01   01,C3,CF,FA,32,F2,00,00   127,173,888,000,000,000
  03/21/2004 12:00 AM    00,00,FE,73,D7,0E,C4,01   01,C4,0E,D7,73,FE,00,00   127,243,008,000,000,000

To save time in calculating this value use ntdate.exe.

  Operating System Name               NT    Code
  2000 Professional                   5.0   2p
  2000 Server                         5.0   2s
  2000 Server with Active Directory   5.0   2a
  XP Home                                   xh
  XP Professional                           xp
  2003 Server                         5.2   3s
  2003 Server with Active Directory   5.2   3a

The codes in the table above are used in the OS column of the SID table below. Treat the OS column as an approximate guide, as it depends on the configuration of the OS. The 2 character code, e.g. WD, is used in the policy infs or security templates. Where - is used there is no 2 character code and the SID is used instead. User RIDs can start from 1000 or 1100 depending on which OS is installed/upgraded. The hexadecimal code is used in the registry, NTFS and service permissions, plus user groups.

  Name                                 Code  SID                         Hexadecimal
  Everyone                             WD    S-1-1-0                     01,01,000000000001,00000000
  CREATOR OWNER                        CO    S-1-3-0                     01,01,000000000003,00000000
  CREATOR GROUP                        CG    S-1-3-1                     01,01,000000000003,01000000
  DIALUP                               -     S-1-5-1                     01,01,000000000005,01000000
  NETWORK                              NU    S-1-5-2                     01,01,000000000005,02000000
  BATCH                                -     S-1-5-3                     01,01,000000000005,03000000
  INTERACTIVE                          IU    S-1-5-4                     01,01,000000000005,04000000
  SERVICE                              SU    S-1-5-6                     01,01,000000000005,06000000
  ANONYMOUS LOGON                      -     S-1-5-7                     01,01,000000000005,07000000
  PROXY                                -     S-1-5-8                     01,01,000000000005,08000000
  ENTERPRISE DOMAIN CONTROLLERS        ED    S-1-5-9                     01,01,000000000005,09000000
  SELF                                 PS    S-1-5-10                    01,01,000000000005,0A000000
  Authenticated Users                  AU    S-1-5-11                    01,01,000000000005,0B000000
  RESTRICTED                           RC    S-1-5-12                    01,01,000000000005,0C000000
  TERMINAL SERVER USER                 -     S-1-5-13                    01,01,000000000005,0D000000
  REMOTE INTERACTIVE LOGON             -     S-1-5-14                    01,01,000000000005,0E000000
  This Organization                    -     S-1-5-15                    01,01,000000000005,0F000000
  SYSTEM                               SY    S-1-5-18                    01,01,000000000005,12000000
  LOCAL SERVICE                        LS    S-1-5-19                    01,01,000000000005,13000000
  NETWORK SERVICE                      NS    S-1-5-20                    01,01,000000000005,14000000
  Administrator (builtin)              LA    S-1-5-21-%SID%-500          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,F4010000
  Guest (builtin)                      LG    S-1-5-21-%SID%-501          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,F5010000
  krbtgt                               -     S-1-5-21-%SID%-502          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,F6010000
  Domain Admins                        DA    S-1-5-21-%SID%-512          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,00020000
  Domain Users                         DU    S-1-5-21-%SID%-513          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,01020000
  Domain Guests                        DG    S-1-5-21-%SID%-514          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,02020000
  Domain Computers                     DC    S-1-5-21-%SID%-515          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,03020000
  Domain Controllers                   DD    S-1-5-21-%SID%-516          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,04020000
  Schema Admins                        SA    S-1-5-21-%SID%-518          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,06020000
  Cert Publishers                      CA    S-1-5-21-%SID%-517          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,05020000
  Enterprise Admins                    EA    S-1-5-21-%SID%-519          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,07020000
  Group Policy Creator Owners          PA    S-1-5-21-%SID%-520          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,08020000
  RAS and IAS Servers                  RS    S-1-5-21-%SID%-553          01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,29020000
  DHCP Administrators                  -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  DHCP Users                           -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  DnsAdmins                            -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  DnsUpdateProxy                       -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  HelpAssistant                        -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  HelpServicesGroup                    -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  SUPPORT_xxxxxxxx                     -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  ASPNET                               -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  ILS_ANONYMOUS_USER                   -     S-1-5-21-%SID%-%RID%        01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
  IUSR_%machinename%                   -     S-1-5-21-%SID%-%RID%
  IWAM_%machinename%                   -     S-1-5-21-%SID%-%RID%
  IIS_WPG                              -     S-1-5-21-%SID%-%RID%
  NetShow Administrators               -     S-1-5-21-%SID%-%RID%
  NetShowServices                      -     S-1-5-21-%SID%-%RID%
  TelnetClients                        -     S-1-5-21-%SID%-%RID%
  Terminal Server Computers            -     S-1-5-21-%SID%-%RID%
  TsInternetUser                       -     S-1-5-21-%SID%-%RID%
  WINS Users                           -     S-1-5-21-%SID%-%RID%
  WMUS_%machinename%                   -     S-1-5-21-%SID%-%RID%
  %Specific User%                      -     S-1-5-21-%SID%-%RID%
  %Custom Group%                       -     S-1-5-21-%SID%-%RID%
  Administrators                       BA    S-1-5-32-544
  Users                                BU    S-1-5-32-545
  Guests                               BG    S-1-5-32-546
  Power Users                          PU    S-1-5-32-547
  Account Operators                    AO    S-1-5-32-548
  Server Operators                     SO    S-1-5-32-549
  Print Operators                      PO    S-1-5-32-550
  Backup Operators                     BO    S-1-5-32-551
  Replicator                           RE    S-1-5-32-552
  Pre-Windows 2000 Compatible Access   RU    S-1-5-32-554
  Remote Desktop Users                 RD    S-1-5-32-555
  Network Configuration Operators      NO    S-1-5-32-556
  Incoming Forest Trust Builders       -     S-1-5-32-557
  Performance Monitor Users            -     S-1-5-32-558
  Performance Log Users                -     S-1-5-32-559
  Windows Authorization Access Group   -     S-1-5-32-560
  Terminal Server License Servers      -     S-1-5-32-561
  NTLM Authentication                  -     S-1-5-64-10
  SChannel Authentication              -     S-1-5-64-14
  Digest Authentication                -     S-1-5-64-21
  Other Organization                   -     S-1-5-1000
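The SID and NT-time conversions described above, and the hexadecimal column of the SID table, as an added Python example (this is not code from the original article, nor from ntdate.exe or any other tool it mentions; the function names are mine). It takes the comma-separated byte dumps in the form the article prints them and assumes only the layouts the article gives: three little-endian DWORDs at the end of the Account\V value, the revision/count/authority/sub-authority layout of a binary SID, and a little-endian 64-bit count of 100 ns intervals since 1601.

```python
# Added example: decoding the registry byte dumps shown in the article.
import struct
from datetime import datetime, timedelta

def parse_hex_dump(text):
    """Turn a dump such as '2E,43,AC,40' or '01,05,000000000005' into bytes.
    Commas are separators only; runs of hex digits are read pairwise."""
    return bytes.fromhex(text.replace(",", "").replace(" ", ""))

def machine_sid(tail12):
    """Last 12 bytes of SAM\\SAM\\Domains\\Account\\V -> 'S-1-5-21-a-b-c'.
    Each 4-byte section is stored little-endian, hence the byte reversal
    in the article's step 2 is just a '<I' unpack here."""
    if len(tail12) != 12:
        raise ValueError("expected the last 12 bytes of the V value")
    a, b, c = struct.unpack("<III", tail12)
    return f"S-1-5-21-{a}-{b}-{c}"

def binary_sid_to_string(raw):
    """General binary SID as in the table's hex column: revision byte,
    sub-authority count byte, 6-byte BIG-endian identifier authority,
    then count x little-endian DWORD sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<" + "I" * count, raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

NT_EPOCH = datetime(1601, 1, 1)

def filetime_to_datetime(raw8):
    """8 bytes in 'debug view' (registry, little-endian) order -> datetime.
    The unit is 100 ns, so 10 ticks make one microsecond."""
    ticks = struct.unpack("<Q", raw8)[0]
    return NT_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse: the decimal column of the article's time table."""
    return (dt - NT_EPOCH) // timedelta(microseconds=1) * 10

if __name__ == "__main__":
    # Sample bytes taken from the article's own worked example.
    v_tail = parse_hex_dump("2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B")
    print(machine_sid(v_tail))
    admin = parse_hex_dump("01,05,000000000005,15000000") + v_tail + parse_hex_dump("F4010000")
    print(binary_sid_to_string(admin))            # builtin Administrator, RID 500
    print(filetime_to_datetime(parse_hex_dump("00,40,6D,25,EB,53,BF,01")))
```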