Title: Security Accounts Manager | Author: clark@hushmail.com | Last updated: 3rd April 2005
This article is based primarily on a local default setup of NT5.0 Professional or 2K (Windows 2000), however there maybe additional verified references to XP Professional and Server Editions. Much will apply across the NT range, but not all has been verified. Note that this is a partial update from the orginal version, there will be more additions, I just thought it was time to consolidate some stuff. This article has been written concisely and progressively, it is advisable not to skim read. Some stuff is advanced, use a test machine where possible.
Special thanks to: (alphabetically ordered)
esrever_otua: For pointing out something which I had missed about group memberships.
fishy5: For coding XORCheck.exe which calculates the registry hive checksum.
mirrorshades: For inspiring a hash database space optimzation technique
rattle: For coding ntdate.exe which calculates the NT time format and the LastPolicyTime; a couple of programs for the #DAD8636F687BF15B
section and for working on the LM Hash Decoder V1/V2 projects.
Serg Wasilenkow: For working on the LM Hash Decoder V1/V2 projects.
Vladimir Katalov: For the PWSEx product key and working on the LM Hash Decoder V1/V2 projects.
xavic: For inspiring a hash database space optimzation technique
Due to length and my decision not to divide this article into separate pages I have split the article into 4 main chapters.
01. Users and Groups
02. (some) Security Settings
03. Registry Structure
04. Passwords
Within these chapters are sections divided by a dotted horizontal line. To the left of this line is an image like so:  These are anchors.
If you right-click on them you can copy the shortcut/link address or left-click (IE only) and add it directly to your bookmarks.
These bookmarks may change so I have used random hex as the link - make sure you name the link appropriatley.
Users can be added via a MMC with the "Local Users and Groups" Snap-in being present (Windows includes two such MMCs; compmgmt.msc and lusrmgr.msc) or via the [Add...] button in "Users and Passwords" - found in Control Panel. (Active Directory is configured via the Active Directory Users and Computers Snap-in or dsa.msc) Also via CMD: C:\>net user %username% /add
Another way that is usually forgotten is the Network Identification Wizard that shows up once when installing the 2K operating system. On running it checks the current users, normally just Guest and Administrator and it also checks the RegisteredOwner value located here: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ that was just entered earlier in the setup. If an account has not been created for the user listed, an administrative level one can be created here. Note you cannot overwrite passwords of existing accounts. To re-trigger this dialog, boot from Petter Nordahl-Hagen's boot disk:
Load the SOFTWARE hive
Cd to \Microsoft\Windows NT\CurrentVersion\
Ed RegisteredOwner value; if an account is already created by that name or if a different one is required.
Cd to \Winlogon\
Nv 4 RunNetAccessWizard
Ed RunNetAccessWizard = 0x1
On reboot keep the selection on Windows always assumes the following user has logged onto this computer: user name from dropdown list should be the RegisteredOwner, enter a password, next, finish. The user will be automatically logged on. Remember to uncheck: Users must enter a user name and password to use this computer. In the Users and Password in Control Panel. Also remember that since this method uses the secure autologon feature any existing autologon credentials will be overwritten, this will probably not be a problem however.
This method also works in XP, however the process is alittle more complex. If there are three or more Administrator/(power)users accounts collectivily present, users cannot be added via the re-triggered dialog, this is likely to be the case, hence you have to make it believe otherwise. If there are two or less, skip the SAM editing sections. Boot from Petter Nordahl-Hagen's boot disk:
Load the SAM and SYSTEM hives
Cd to \SYSTEM\Setup\
Ed SetupType = 0x2
Ed CmdLine = c:\windows\system32\oobe\msoobe.exe /f /retail (FYI: Just /f = full setup; license, key, activation & users)
Nv 4 OobeInProgress
Ed OobeInProgress = 0x1
Switch to the SAM hive.
Cd to \SAM\SAM\Domains\Builtin\Aliases\00000220\C (Administrators)
Cd to \SAM\SAM\Domains\Builtin\Aliases\00000221\C (Users)
Cd to \SAM\SAM\Domains\Builtin\Aliases\00000223\C (Power Users)
Make a note of the 4 bytes at offset 2C and 30, check the first user number in 00000220 after the description is F4,01,00,00 (most likely)
Edit the C values at both offsets for 00000220 & 00000221 with 00,00,00,00 - for 00000223: :2c 18 00 00 00 & :30 02 00 00 00
Save and reboot. Add a user (upto five can be added here, all at administratove level) and logon with that user name using a blank password. Run regedit.exe and write back the 00000221 and 00000223 C values. Amend the 00000220 C key, make a note of the new user number that has overwritten the orginal (F4,01,00,00) one, restore to orginal and add a similar 28 byte entry at the end in the nulls provided with the current user number after the machine SID. Reboot to complete.
Another unorthodox method is to run the net command as a service. Boot from Petter Nordahl-Hagen's boot disk and load the SYSTEM hive. cd to \CurrentControlSet001\Services\ create a two keys for the two commands. The editor seems to have a slight bug in that keys cannot be created that are prefixed with an existing service name, eg: error on creating a key named foobar if a key named foo exists. Remember that the services will be processed in alphabetical order.
Cd in the first alpha newly created key.
Nv 4 ErrorControl
Ed ErrorControl = 0x1
Nv 2 ImagePath
Ed ImagePath = %systemroot%\system32\net.exe user foo /add
Nv 1 ObjectName
Ed ObjectName = LocalSystem
Nv 4 Start
Ed Start = 0x2
Nv 4 Type
Ed Type = 0x20
Cd in the second alpha newly created key.
Repeat the steps above, but with:
Ed ImagePath = %systemroot%\system32\net.exe localgroup administrators foo /add
Reboot and login, remove the keys. 2K creates a couple of system error event log so this may need removing.
One method that is often mentioned, that does not seem to work (anymore(?)) is changing the default screensaver to a program that allows usermanagement like cmd.exe or mmc.exe The settings are located here:
regedit.exe -> \HKEY_USERS\.DEFAULT\Control Panel\Desktop\
explorer.exe -> \%windir%\system32\config\DEFAULT
SCRNSAVE.EXE=logon.scr - This is the screensave that will be used if nobody logs on locally for awhile.
ScreenSaveActive=1 - Active=1 Inactive=0
ScreenSaveTimeOut=600 - Number of idle seconds before screensaver activation (5mins)
ScreenSaverIsSecure=0 - This is the "On resume, password protect" option. Curious this option though, some kind of memory limit if set to 0. Important to note if more memory is used.
However even if you update logon.scr the SYSTEM user, which is who you will be while the "Winlogon generic control dialog" lurks in the background, does not have permission to add or modify any users - System error 5 has occured
Access is denied. If a user logs on, SYSTEM does have access, so some kind of security assumed before logon. It maybe possible using a custom program, certainly with access to regedit.exe a user could be added manually.
The SID number is used in file, registry, service and users permissions. The machine SID is determined in hexidecimal form from here:
regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
explorer.exe -> \%windir%\system32\config\SAM
If the SAM file is missing at startup, a backup is retrieved in hexidecimal form here:
regedit.exe -> \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
explorer.exe -> \%windir%\system32\config\SECURITY
Sometimes the SID number is referenced in decimal form:
|
|
| 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B | |
| 1) Divide the bytes into 3 sections: | |
| 2E,43,AC,40 , C0,85,38,5D , 07,E5,3B,2B | |
| 2) Reverse the bytes of each section: | |
| 40,AC,43,2E , 5D,38,85,C0 , 2B,3B,E5,07 | |
| 3) Convert each section into decimal: | |
| 1085031214 , 1563985344 , 725345543 | |
| 4) Add the machine SID prefix: | |
| S-1-5-21-1085031214-1563985344-725345543 | | S-1-5-21-1085031214-1563985344-725345543 - This is the machine SID number in decimal format.
NT stored time format is referenced in user keys, registry hives etc. The precision is to a very small fraction of a second from 1601.
100,000 = one millisecond
10,000,000 = one second
600,000,000 = one minute
36,000,000,000 = one hour
864,000,000,000 = one day
date time debug view reversed view decimal
01/01/1601 - 12:00 AM = 00,00,00,00,00,00,00,00 -> 00,00,00,00,00,00,00,00 -> 0
01/01/2000 - 12:00 AM = 00,40,6D,25,EB,53,BF,01 -> 01,BF,53,EB,25,6D,40,00 -> 125,911,584,000,000,000
01/01/2001 - 12:00 AM = 00,C0,9D,C8,85,73,C0,01 -> 01,C0,73,85,C8,9D,C0,00 -> 126,227,808,000,000,000
01/01/2002 - 12:00 AM = 00,80,64,41,57,92,C1,01 -> 01,C1,92,57,41,64,80,00 -> 126,543,168,000,000,000
01/01/2003 - 12:00 AM = 00,40,2B,BA,28,B1,C2,01 -> 01,C2,B1,28,BA,2B,40,00 -> 126,858,528,000,000,000
01/01/2004 - 12:00 AM = 00,00,F2,32,FA,CF,C3,01 -> 01,C3,CF,FA,32,F2,00,00 -> 127,173,888,000,000,000
03/21/2004 - 12:00 AM = 00,00,FE,73,D7,0E,C4,01 -> 01,C4,0E,D7,73,FE,00,00 -> 127,243,008,000,000,000
To save time in calculating this value use ntdate.exe
|
|
|
|
2000 Professional
2000 Server
2000 Server with Active Directory
XP Home
XP Professional
2003 Server
2003 Server with Active Directory | |
|
| |
|
The codes in the table to the left are used in the below table in the far right column.
Treat the OS column as an approximate guide as it depends on the configuration of the OS.
The 2 character code eg, WD is used in the policy infs or security templates.
Where -> is used, there is no 2 character code, the SID is used instead.
Users RID's can be from 1000 or 1100 depending which OS is installed/upgraded.
The hexidecimal code is used in the registry, NTFS and services permissions plus user groups. |
Everyone -------------------------
CREATOR OWNER --------------------
CREATOR GROUP --------------------
DIALUP ---------------------------
NETWORK --------------------------
BATCH ----------------------------
INTERACTIVE ----------------------
SERVICE --------------------------
ANONYMOUS LOGON ------------------
PROXY ----------------------------
ENTERPRISE DOMAIN CONTROLLERS ----
SELF -----------------------------
Authenticated Users --------------
RESTRICTED -----------------------
TERMINAL SERVER USER -------------
REMOTE INTERACTIVE LOGON ---------
This Organization ----------------
SYSTEM ---------------------------
LOCAL SERVICE --------------------
NETWORK SERVICE ------------------
Administrator (builtin) ----------
Guest (builtin) ------------------
krbtgt ---------------------------
Domain Admins --------------------
Domain Users ---------------------
Domain Guests --------------------
Domain Computers -----------------
Domain Controllers ---------------
Schema Admins --------------------
Cert Publishers ------------------
Enterprise Admins ----------------
Group Policy Creator Owners ------
RAS and IAS Servers --------------
DHCP Administrators --------------
DHCP Users -----------------------
DnsAdmins ------------------------
DnsUpdateProxy -------------------
HelpAssistant --------------------
HelpServicesGroup ----------------
SUPPORT_xxxxxxxx -----------------
ASPNET ---------------------------
ILS_ANONYMOUS_USER ---------------
IUSR_%machinename% ---------------
IWAM_%machinename% ---------------
IIS_WPG --------------------------
NetShow Administrators -----------
NetShowServices ------------------
TelnetClients --------------------
Terminal Server Computers --------
TsInternetUser -------------------
WINS Users -----------------------
WMUS_%machinename% ---------------
%Specific User% ------------------
%Custom Group% -------------------
Administrators -------------------
Users ----------------------------
Guests ---------------------------
Power Users ----------------------
Account Operators ----------------
Server Operators -----------------
Print Operators ------------------
Backup Operators -----------------
Replicator -----------------------
Pre-Windows 2000 Compatible Access
Remote Desktop Users -------------
Network Configuration Operators --
Incoming Forest Trust Builders ---
Performance Monitor Users --------
Performance Log Users ------------
Windows Authorization Access Group
Terminal Server License Servers --
NTLM Authentication --------------
SChannel Authentication ----------
Digest Authentication ------------
Other Organization --------------- | |
WD
CO
CG
->
NU
->
IU
SU
->
->
ED
PS
AU
RC
->
->
->
SY
LS
NS
LA
LG
->
DA
DU
DG
DC
DD
SA
CA
EA
PA
RS
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
BA
BU
BG
PU
AO
SO
PO
BO
RE
RU
RD
NO
->
->
->
->
->
->
->
->
-> | |
S-1-1-0 ------------
S-1-3-0 ------------
S-1-3-1 ------------
S-1-5-1 ------------
S-1-5-2 ------------
S-1-5-3 ------------
S-1-5-4 ------------
S-1-5-6 ------------
S-1-5-7 ------------
S-1-5-8 ------------
S-1-5-9 ------------
S-1-5-10 -----------
S-1-5-11 -----------
S-1-5-12 -----------
S-1-5-13 -----------
S-1-5-14 -----------
S-1-5-15 -----------
S-1-5-18 -----------
S-1-5-19 -----------
S-1-5-20 -----------
S-1-5-21-%SID%-500 -
S-1-5-21-%SID%-501 -
S-1-5-21-%SID%-502 -
S-1-5-21-%SID%-512 -
S-1-5-21-%SID%-513 -
S-1-5-21-%SID%-514 -
S-1-5-21-%SID%-515 -
S-1-5-21-%SID%-516 -
S-1-5-21-%SID%-518 -
S-1-5-21-%SID%-517 -
S-1-5-21-%SID%-519 -
S-1-5-21-%SID%-520 -
S-1-5-21-%SID%-553 -
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-&SID%-%RID%
S-1-5-21-&SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-21-%SID%-%RID%
S-1-5-32-544 -------
S-1-5-32-545 -------
S-1-5-32-546 -------
S-1-5-32-547 -------
S-1-5-32-548 -------
S-1-5-32-549 -------
S-1-5-32-550 -------
S-1-5-32-551 -------
S-1-5-32-552 -------
S-1-5-32-554 -------
S-1-5-32-555 -------
S-1-5-32-556 -------
S-1-5-32-557 -------
S-1-5-32-558 -------
S-1-5-32-559 -------
S-1-5-32-560 -------
S-1-5-32-561 -------
S-1-5-64-10 --------
S-1-5-64-14 --------
S-1-5-64-21 --------
S-1-5-1000 --------- | |
01,01,000000000001,00000000---------------------------------
01,01,000000000003,00000000---------------------------------
01,01,000000000003,01000000---------------------------------
01,01,000000000005,01000000---------------------------------
01,01,000000000005,02000000---------------------------------
01,01,000000000005,03000000---------------------------------
01,01,000000000005,04000000---------------------------------
01,01,000000000005,06000000---------------------------------
01,01,000000000005,07000000---------------------------------
01,01,000000000005,08000000---------------------------------
01,01,000000000005,09000000---------------------------------
01,01,000000000005,0A000000---------------------------------
01,01,000000000005,0B000000---------------------------------
01,01,000000000005,0C000000---------------------------------
01,01,000000000005,0D000000---------------------------------
01,01,000000000005,0E000000---------------------------------
01,01,000000000005,0F000000---------------------------------
01,01,000000000005,12000000---------------------------------
01,01,000000000005,13000000---------------------------------
01,01,000000000005,14000000---------------------------------
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,F4010000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,F5010000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,F6010000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,00020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,01020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,02020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,03020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,04020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,06020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,05020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,07020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,08020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,29020000
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,05,000000000005,15000000,xxxxxxxxxxxxxxxxxxxxxxxx,xxxxxxxx
01,02,000000000005,20000000,20020000------------------------
01,02,000000000005,20000000,21020000------------------------
01,02,000000000005,20000000,22020000------------------------
01,02,000000000005,20000000,23020000------------------------
01,02,000000000005,20000000,24020000------------------------
01,02,000000000005,20000000,25020000------------------------
01,02,000000000005,20000000,26020000------------------------
01,02,000000000005,20000000,27020000------------------------
01,02,000000000005,20000000,28020000------------------------
01,02,000000000005,20000000,2A020000------------------------
01,02,000000000005,20000000,2B020000------------------------
01,02,000000000005,20000000,2C020000------------------------
01,02,000000000005,20000000,2D020000------------------------
01,02,000000000005,20000000,2E020000------------------------
01,02,000000000005,20000000,2F020000------------------------
01,02,000000000005,20000000,30020000------------------------
01,02,000000000005,20000000,31020000------------------------
01,02,000000000005,40000000,0A000000------------------------
01,02,000000000005,40000000,0E000000------------------------
01,02,000000000005,40000000,15000000------------------------
01,01,000000000005,E8030000--------------------------------- | |
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
------2a----------3a
------2a----------3a
------2a----------3a
2p,2s,2a,xh,xp,3s,3a
------2a----------3a
2p,2s,2a,xh,xp,3s,3a
---------xh,xp,3s,3a
------------------3a
2p,2s,2a,xh,xp,3s,3a
---------xh,xp,3s,3a
---------xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
------2a----------3a
---------xh,xp------
---------xh,xp,3s,3a
---------xh,xp,3s,3a
2p,2s,2a,xh,xp------
------2a------------
---2s,2a----xp,3s,3a
---2s,2a----xp,3s,3a
---------------3s,3a
------2a------------
------2a------------
---------------3s,3a
------------------3a
---2s,2a------------
------2a------------
------------------3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a,xh,xp,3s,3a
2p,2s,2a----xp,3s,3a
------2a----------3a
------2a----------3a
------2a-------3s,3a
2p,2s,2a----xp,3s,3a
2p,2s,2a----xp,3s,3a
------2a----------3a
------------xp,3s,3a
------------xp,3s,3a
------------------3a
---------------3s,3a
---------------3s,3a
------------------3a
------------------3a
------------------3a
------------------3a
------------------3a
------------------3a | |
|
| When a user is added, the following keys are added: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%\@ This key determines the login name. File location: C:\WINNT\system32\config\SAM The @ value holds a number which matches up to a 8 digit number (nulls are prefixed if less than 8) located here: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%00000XXX%\ Within are two REG_BINARY values; F and V.
As mentioned before user numbers start from 1000. There are a couple of builtin accounts that start from 500. Since security permissions are determined by user number, no two users should ever have the same number. User number increment and are not reused when a user is deleted. A record of this is kept here: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F Offset:48 - length:4 - Stored in reverse hex. This is the next user number that will be used. When is value reaches FF,FF,FF,FF it will rollback and starting incrementing from 00,00,00,00. 4,294,967,296 maximum accounts. Note that if a large number of accounts are used, a rather high spec machine will be required to make it viable.
All user numbers are also listed here: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Groups\00000201\C
After: NoneOrdinary users - lists the user numbers at the end, like a group C value.
Offset: 3C - length: 4bytes = length of user list (reverse hex)
Offset: 40 - length: 4bytes = number of users (reverse hex)
The system allocates 100 byte blocks that hold 25 user accounts 4 byte usernumber, padded with nulls if not all used.
User 00,00,00,00 cannot logon: Logon Message
The system cannot log you on due to the following error:
The system cannot find the message text for message number 0x%1 in the message file for %2.
Please try again or consult your system administrator. Due to the way the registry is handled at hex level, user accounts 00,00,00,00 to 00,00,00,0B do not display their \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%\@ value type correctly:
00/00 - REG_NONE
01/01 - REG_SZ*
02/02 - REG_EXPAND_SZ
03/03 - REG_BINARY*
04/04 - REG_DWORD
05/05 - REG_DWORD_LITTLE_ENDIAN
06/06 - REG_LINK
07/07 - REG_MULTI_SZ
08/08 - REG_RESOURCE_LIST
09/09 - REG_FULL_RESOURCE_DESCRIPTOR
10/0A - REG_RESOURCE_REQUIREMENTS_LIST
11/0B - REG_QWORD
On attempting to delete accounts 0-999: Local Users and Groups
The following error occurred while attempting to delete the user %username:
Cannot perform this operation on builtin-in accounts.
If the user counter has the same number as an existing user (this should not *normally* happen) the following error message is shown: Local Users and Groups
The following error occured while attempting to create user %username% on computer %computername%
The user already belongs to this group. (More help is available by typing NET HELPMSG 2236)
User 00,00,01,F6 (502) cannot logon: Logon Message
Your account has been disabled. Please see your system administrator. This is because this usernumber is already used by the system, krbtgt = Key Distribution Center Service Account - though I thought this was only for server edition. The account is disabled/inactive and cannot be enabled.
|
| Windows XP by default uses a fluffy welcome screen to logon users. This can be bypassed to the normal one by holding down the Ctrl and Alt/Alt Gr keys and pressing the Del/Delete key twice. To switch off long term see Users Accounts in Control Panel: Change the way users log on or off. The list of users that is displayed in the Welcome screen is of note:
# Disabled/inactive accounts are not listed
# If there are no other administrators the built-in is listed, else it is not listed
# Administrators, Guests, Power Users & Users are listed
# Backup Operators, helpservicesgroup, Network Configuration Operators, Remote Desktop Users & Replicator are not listed
# User of no groups and users only member of custom groups are not listed
# In safe mode only <=2 administrators are listed, first two alphabetically from \SAM\SAM\Domains\Account\Users\Names\
\Security Settings\Local Policies\User Rights Assignment\Deny logon locally = user not listed
# Upto 100 users can be displayed, first alphabetically, as before, though things get alittle sluggish:
# \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType=X fluffy=1 classic=0
# Specific users or users preffixed with something can be set so not to be listed, the record is here:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\%username%:REG_DWORD
0x0 = exact match or 0x10000 = prefixed match
|
| If the username in \%RID%\V does not matchup with the key name in \Names\%username% the dialog "Users and Passwords" in Control Panel does not list the username. On attempting to get the users properties in lusrmgr.msc it will error with: Local Users and Groups
The following error occurred while attempting to read the properties for the user %username%:
The user name could not be found. If you rename the account back to the orginal one, a new key is created in \Names\ - as a result of having two name keys with the same user number, both can be used to logon with. lusrmgr.msc does not list any users at this point while CMD always lists the users.
2K has an interesting minor problem with the Users and Password dialog in Control Panel creating an account using the local machine name for a username. On clicking finish, it will error with: "The user %username% could not be (granted %username% access _or_ added to the %groupname% group) because %username% does not exist" However the user is created of no group. XP and 2K3 will not allow a machine name to be set to Administrator or Guest at install.
|
| It is possible to create a user that does not appear at all in the user management and yet still be able to logon. In this proof-of-concept I have used group policy user logon/off scripts and insecure registry permissions, ideally this would be deployed via a small program running at system level. Create a user and export and combine these two keys into a reg file and place in the logoff scripts folder:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%usernumber%
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%
Copy over the "Command-line registry manipulation utility" reg.exe to the system32 directory.
Create a logon script:
reg delete HKLM\SAM\SAM\Domains\Account\Users\Names\%username% /force
reg delete HKLM\SAM\SAM\Domains\Account\Users\%usernumber% /force
Create a logoff script: regedit /s user.reg
Add the scripts via gpedit.msc \Local Computer Policy\User Configuration\Windows Settings\Scripts(Logon/Logoff)
When a user logs on the user keys are removed, so the user is not seen. At logoff they are added back. Since the authentication process occurs before the keys are deleted and held in memory the user can authenticate correctly.
|
|
User names:
C:\>net user %username% /add (can be rename via GUI, not via CMD)
Have to be >=1 and <=20. Cannot be dublicated of any existing users or groups of any case, can contain letters, numbers, special, extended and control characters. If the username or password is incorrect at logon the following error message will be displayed: Logon Message
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords, must be typed using the correct case. Make sure that Caps Lock is not accidently on. |
Password:
C:\>net user %username% %password% - have to be >=0 and <= 256
C:\>net user %username% * (for private password entry, confirmation required to set - 3 fails: A valid password was not entered) |
Full names:
C:\>net user %username% /fullname:%fullname% - have to be >=0 and <=48CMD/256GUI |
Descriptions/Comment:
C:\>net user %username% /comment:%description% - have to be >=0 and <=48CMD/256GUI
User's comment:
C:\>net user %username% /usercomment:%usercomment% - have to be >=0 and <=48CMD/NOGUI |
Country code:
C:\>net user %username% /country:XXX
C:\>net user %username% /countrycode:XXX
Where XXX can be:
000 (System Default)
001 (United States)
002 (Canada (French))
003 (Latin America)
031 (Netherlands)
032 (Belgium)
033 (France)
034 (Spain)
039 (Italy)
041 (Switzerland)
044 (United Kingdom)
045 (Denmark)
046 (Sweden)
|
047 (Norway)
049 (Germany)
061 (Australia)
081 (Japan)
082 (Korea)
086 (China (PRC))
088 (Taiwan)
099 (Asia)
351 (Portugal)
358 (Finland)
785 (Arabic)
972 (Hebrew) |
Not sure what this affects, not displayed time or keyboard though |
Account active/Account is enabled or disabled:
C:\>net user %username% /active:yes/y/no/n
Logon Message
Your account has been disabled. Please see your system administrator. |
Account expires:
C:\>net user %username% /expires:never
C:\>net user %username% /expires:31/12/2004 (prefixed time of 12:00 AM)
Logon Message
Your account has expired. Please see your system administrator. |
Password last set:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EF\F:18-length:8bytes Stored NT time format |
Password expires:
Obtained from: \Security Settings\Account Policies\Password Policy\Maximum password age
Logon Message
Your password has expired and must be changed.
A dialog appears to change the password, once completed(if allowed) logon commences. Builtin Administrator and Guest accounts never expire. |
Password changeable:
Obtained from: \Security Settings\Account Policies\Password Policy\Minimum password age = X days (0 = immediate) |
Password required:
C:\>net user %username% /passwordreq:yes/y/no/n
Unsure what this option is for. (If set to no, then the password for the user must be blank or the user will not be able to logon - an error as if incorrect username or password was attempted.) |
User may change password:
C:\>net user %username% /passwordchg:yes/y/no/n
This can deny a logon if the password expires, error:
Change Password
You do not have permission to change your password. |
Workstations allowed:
C:\>net user foo /workstations:%computername%
C:\>net user foo /workstations:%computername1%;%computername2%,%computername3%
C:\>net user foo /workstations: (all)
Maximum of 8 workstations allowed of >=1 & <=15 character in length
Logon Message
Your account is configured to prevent you from using this computer. Please try another computer. |
Logon script:
have to be >=0 and <=259 C:\>net user %username% /scriptpath:%folder\script.bat/cmd%
Script paths are made relative to this folder: C:\WINNT\System32\repl\import\scripts\ |
User profile:
have to be >=0 and <=259CMD/260GUI C:\>net user %username% /profilepath:%C:\folder or \\machine\folder%
This option is for roaming profiles only! Does not check if the machine name length <=15
By default user profiles determined here: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
REG_SZ:AllUsersProfile = The name of the folder for profile shared stuff (All Users)
REG_SZ:DefaultUserProfile = The name of the "template" profile folder used for newly logged on users (Default User)
REG_EXPAND_SZ:ProfilesDirectory = Where the profiles and the above folders are stored (%SystemDrive%\Documents and Settings)
Each user that has a profile stored will have a subkey within this key in the form \%SID-RID%\
REG_EXPAND_SZ:ProfileImagePath = Location of the users profile. - This not set by the net command!
This can be edited to point to different profiles.
Profiles can either be Local or Roaming. Local are stored in a fixed location and are normally used by standalone machines with a couple of users. Roaming copies a profile from a different location to the local ProfilesDirectory. At logoff this is copied back. Roaming profiles are normally used on domains whereby a user may logon to different machines and keep the same profile.
User profiles are stored in a folder called X, where X follows this order if existing folders already exist:
%username%
%username%.%machinename%
%username%.%machinename%.XXX - where XXX is >=000 and <=999. The system scans up decimally for the first available number. If all these are taken this error shows at logon: User Environment
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off. Temporary folders follow this order, if existing folders already exist:
TEMP
TEMP.%machinename%
TEMP.%machinename%.XXX - where XXX is >=000 and <=999, the system scans up decimally for the first available number
If all these are take this error shows at logon: User Environment
Windows cannot create a temporary profile directory. Contact your network administrator.
DETAIL - The system cannot find the file specified. Next dialog is very similar: Windows cannot log you on because the profile cannot be loaded. Contact your network administrator. The user is returned to the logon screen. If an adminstrative level account, they are logged on under the default profile for the system. This situation is not likely to occur however. |
Home directory:
C:\>net user %username% /homedir:c:\foo2
Have to be >=0 and <=259CMD/247GUI
GUI can alternatively map a logical drive letter to a remote share >=0 and <=259 \\%machinename%\%sharename% |
Last logon:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%userno%\F:offset8/length8 stored NT time format. |
Logon hours allowed:
C:\>net user %username% /times:all
Sunday = su, sunday
Monday = m, monday
Tuesday = t, tuesday
Wednesday = w, wednesday
Thursday = th, thursday
Friday = f, friday
Saturday = s, sa, saturday
/times:%day%,%time%-%time%;%day%,%time%-%time% - eg: s,9am-5pm;su,9am-12pm or m-f,9am-1pm;m-f,2pm-5p
/times:%day%-%day%,%time%-%time% - eg: m-f,9am-5pm
If logon is attempted outside of allowed logon times: Logon Message
Your account has time restrictions that prevent you from logging on at this time. Please try again later.
3 bytes are assigned for each day of the week:
|01,02,03,04,05,06,07,08,09,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
|FF,FF,FF|FF,FF,FF|FF,FF,FF|FF,FF,FF|FF,FF,FF|FF,FF,FF|FF,FF,FF|00,01,00
| Sunday | Monday |Tuesday |Wednesda|Thursday| Friday |Saturday|Unknown
Add for combinations:
FF,FF,FF = All times
01,00,00 = 12am-01am (midnight)
02,00,00 = 01am-02am
04,00,00 = 02am-03am
08,00,00 = 03am-04am
10,00,00 = 04am-05am
20,00,00 = 05am-06am
40,00,00 = 06am-07am (morning)
80,00,00 = 07am-08am
00,01,00 = 08am-09am
00,02,00 = 09am-10am
00,04,00 = 10am-11am
00,08,00 = 11am-12pm (noon) |
00,10,00 = 12pm-01pm (noon)
00,20,00 = 01pm-02pm
00,40,00 = 02pm-03pm
00,80,00 = 03pm-04pm
00,00,01 = 04pm-05pm
00,00,02 = 05pm-06pm (evening)
00,00,04 = 06pm-07pm
00,00,08 = 07pm-08pm
00,00,10 = 08pm-09pm
00,00,20 = 09pm-10pm
00,00,40 = 10pm-11pm
00,00,80 = 11pm-12am (midnight)
00,00,00 = Not this day | |
|
| regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%RID%\F (fixed length, 80)
explorer.exe -> \%windir%\system32\config\SAM
 Password never expire - 0=secpoltime 2=never
For some unknown reason this value is set to 4 on a lockout and 0 on unlocking. If the password is set never to expire the option to force the user to change their password on next logon is greyed out.
2/3/6/7/A/B/E/F=Password never expires (2=GUI setting)
0/2/8/A=logonokay
1/3/5/7/9/B/D/F=Logon Message
The system can not log you on due to the following error:
The account used is a server trust account. Use your global user account or local user account to access this server.
Please try again or consult your system administrator.
4/6/C/E=logonokay - reset to X-4 though. |
 Last logon - stored NT time format, nulls if never logged on
 Password last set - stored NT time format, nulls if not changed
 Account expires - stored NT time format, nulls if set not to expire
 Last incorrect password - stored NT time format, nulls if not
 User Number - stored in reverse hex
 Unsure - 0/2/6/8/A/C/E=pwd/username invalid
1/3/4=logonokay
5/7/D/F=Logon Message
The system can not log you on due to the following error:
The account used is an interdomain trust account. Use your global user account or local user account to access this server.
Please try again or consult your system administrator.
9/B=Logon Message
The system can not log you on due to the following error:
The account used is a computer account. Use your global user account or local user account to access this server.
Please try again or consult your system administrator.
 Account active - 0=active 1=not active.
Password required - 0=yes 4=no
0/2/4/6/8/A/C/E=logonokay - 1/2/5/7/9/B/D/F=accountdisabled/inactive
 Country code - stored in reverse hex
 Invalid pwd count - stored in reverse hex, reset after a correct logon
 No. of logons - stored in reverse hex, gets stuck at FF,FF |
|
| regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%RID%\V (variable length, 424+)
explorer.exe -> \%windir%\system32\config\SAM
In this anontation the 1st and 3rd section are shown first because they relate to each other, refer to the hex offset on the left.
 |
The first 12 bytes of the value are unknown, probably section headers
The first 4 bytes of each entry refer to the location of the entry relative to offset:CC Stored in reverse hex
The second 4 bytes refer to the entry length. Space allocated is rounded up to nearest multiple of 4 bytes, ignore the surplus data. Stored in reverse hex
The third 4 bytes are unknown
Username
Fullname
Comment
User comment
 Unknown entry
Homedir
 Homedirconnect
Scriptpath |
Profilepath
Workstations
Hours allowed
Unknown entry
 LM password hash
NT password hash
 Unknown entry
 Unknown entry | | |
 |
 |
This is the middle section of the V value. The first 52 bytes are unknown
No. of permissions (example:4)
Permission: Everyone
Permission: Administrators
Permission: Account Operators
Permission: User in question
2x Administrators group SID (unknown reason)
The 14, 18, 24 (convert to decimal) in the first block of 4 bytes of the user/group permission are believed to state the entry length.
The second 4 byte block holds the user/group permissions. If these settings follow similar storage methods to security settings then each nibble holds 8 combinations, additions of 1, 2, 4 & 8. Not all these options are known.
5B,03,02 = Everyone
44,00,02 = User in question
FF,07,0F = Account Operators & Administrators = full control?
00,00,00 = No permissions
5B,01,00 = List user details
FF,01,00 = Change user settings
FF,01,01 = Delete user
CMD: System error 5 has occurred.
Access is denied.
MSC: Local Users and Groups
The following error occurred while attempting to read user/group properties: Access is denied.
The full user/group sid is stated in the last section |
|
| By default new users are added to the Users group. There are 6 built-in localgroups in 2K: Administrators, Backup Operators, Guests, Power Users, Replicator & Users. XP added Network Configuration Operators, Remote Desktop Users & HelpServicesGroup. They are listed here: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Names\%groupname% where a subkey's value points to: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000XXX\C which holds details about the group. Not all details are known at this point, however the group name, description/comment and groups members are stored here.
Alias name C:\>net localgroup %groupname% /add - can be >=1 and <=256CMD/254GUI only the first 25 characters are displayed at CMD. Some problems are encounter with longer groups names. Group names can be renamed to 255 characters via GUI, however it does error with: Local Users and Groups
The following error occurred while attempting to rename the group %groupname%:
One or more input parameters are invalid. However the group name will be renamed. On attempting to access the group similar errors occur and on attempting to delete the group, this explanation is given: An invalid Active Directory pathname was passed. Strange since AD is not installed. At CMD any groupname >25 cannot be deleted: The user or group account specified cannot be found.
More help is available by typing NET HELPMSG 3963. Adding users to a 254 length groups seems to trigger network activity, the user is added and can be removed via GUI though. CMD however can handle adding/deleting user to 255/256 length group names, if deletion is attempted in GUI the following error occurs: Local User and Groups
One or more errors occurred while recording group membership changes for user %username%.
Comment/Description C:\>net localgroup %groupname% /comment:"%comments%" >=0 and <=256GUI/2,133CMD which is basically limited by CMD's 2,170 buffer input handling. GUI can render such a comment and rename, but only to a shorter length.
There is also another record stored here: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\%dec_SID%\%hex_RID%\ In 2K the default value can be view correctly in regedt32 by Displaying Binary Data. This value simply lists the groups in hex that each respective user is a member of. Local Groups are for workstations, Global Groups are for servers. Custom groups are added here: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases\Names\%groupname%\ and follow a similar pattern.
|
| regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases\%RID%\C (variable length) (custom groups)
regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000220\C (variable length) (builtin groups)
explorer.exe -> \%windir%\system32\config\SAM
 |
Group key offsets are relative from 34
The group(user) number
Group name
Group description
Length of user entires (reverse hex)
Number of users (reverse hex)
Number of group permissions
Permission: Everyone
Permission: Administrators
Permission: Account Operators
2x Administrators group SID (unknown reason)
Group membership represented by their SID
Group permissions are similar to user permissions:
0C,00,02 = Everyone
1F,00,0F = Administrators
1F,00,0F = Account Operators
1F,00,0F = Power users
09,00,00 = List group (cmd will list the group on 00 permissions)
0D,00,00 = List group members
0F,00,00 = Add/remove group members (all newly created users are added to the users group)
1F,00,00 = Edit groupname/comment (msc only. 1f,00,01 = for cmd edit) |
The main security settings are configurated with secpol.msc or via "Security Configuration and Analysis" in a MMC. Here you can configure directly or import security templates. You can also use Group Policy or gpedit.msc -> \Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\ - this is the same thing and any settings are stored in the normal database and not the Registry.pol files in C:\WINNT\system32\GroupPolicy\(Machine/User)\ The security settings are stored in a separate database (*.sdb) and then written from there to various parts of the registry. The builtin one is located: C:\WINNT\security\Database\secedit.sdb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\
"LastPolicyTime"=dword:XXXXXXXX Where X = the number of minutes since 1st Jan 1980. (12797280 = 12:00AM - 1st May 2004) To save time in calculating this value use ntdate.exe This value is created on first altering security settings after install. It is then updated to the current time, when the security settings are refreshed/written. This will occur when closing a dialog on editing settings or at startup if the time stored is in the future or more than 16 hours behind the current time: Applying security policy... (just before logon) An event; SceCli is logged under the Application Log when this occurs at startup. You can also update via command line with C:\>secedit /refreshpolicy machine_policy /enforce
[System Access] (F0,3F,FE)
secpol.msc -> \Account Policy\Password Policy\ and \Account Policy\Account Lockout Policy\
regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F
explorer.exe -> \%windir%\system32\config\SAM
 |
Auto-increment
Maximum password age (>=0 & <=999)days
Reverse bytes, minus from qword:ff + 1 = seconds x 10 million
Minimum password age (>=0 & <=998)days
Reverse bytes, minus from qword:ff + 1 = seconds x 10 million
Account lockout duration (>=0 & <=99,999)minutes
Reverse bytes, minus from qword:ff + 1 = seconds x 10 million
Reset account lockout counter after (>=1 & <=99,999)minutes
Reverse bytes, minus from qword:ff + 1 = seconds x 10 million
Next created users RID (mentioned in the users and groups section)
Store password using reversible encryption for all user in the domain(enabled=1/disabled=0)
Password must meet complexity requirements (enabled=1/disabled=0)
Minimum password length (>=0 & <=14)characters (in hex)
Enforce password history (>=0 & <=24)passwords remembered (in hex)
Account lockout threshold (>=0 & <=999)attempts (revsere hex)
Part of syskey (mentioned in the passwords section) |
|
| [Event Audit] (26,40,FE)
secpol.msc -> \Local Policies\Audit Policy\@
regedit.exe -> \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv\@
explorer.exe -> \%windir%\system32\config\SECURITY
01 if any audits are enabled, if none: 00
Unsure: 2K=FF0600 XP=000700 - reset to nulls |
Audit system events
Audit logon events
Audit object access
Audit privilege use
Audit process tracking
Audit policy change
Audit account management
Audit directory service access
Audit account logon events
No. of policies: 9 - reset if removed
|
The type of policy applied is determined where X = setting, as defined below:
|
[Privilege Rights](00,40,FE)
secpol.msc -> \Local Policies\User Rights Assignment\
explorer.exe -> \%windir%\system32\config\SECURITY
This group of settings are stored in two locations/formats:
regedit.exe -> \HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\%SID%\ActSysAc\@
A simple fixed 4 byte hex value - add for combinations
regedit.exe -> \HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\%SID%\Privilgs\@
A variable length hex value, of the following layout:
 |
The first byte states the number of the privilges; followed by 7 nulls
Privilege: Shut down the system
Privilege: Bypass traverse checking
Privilege: Remove computer from docking station
Each privilege is stored in a 12 byte block. The first byte states the privilege followed by 11 nulls. The privileges do not appear to be stored in any order |
Access this computer from the network ------------------------
Act as part of the operating system --------------------------
Add workstations to domain -----------------------------------
Adjust memory quotas for a process ---------------------------
Allow logon through Terminal Services ------------------------
Back up file and directories ---------------------------------
Bypass traverse checking -------------------------------------
Change the system time ---------------------------------------
Create a pagefile --------------------------------------------
Create a token object ----------------------------------------
Create a global objects --------------------------------------
Create permanent shared objects ------------------------------
Debug programs -----------------------------------------------
Deny access to this computer from the network ----------------
Deny logon as a batch job ------------------------------------
Deny logon as a service --------------------------------------
Deny logon locally -------------------------------------------
Deny logon through Terminal Services -------------------------
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system --------------------------
Generate security audits -------------------------------------
Impersonate a client after authentication --------------------
Increase quotas ----------------------------------------------
Increase scheduling priority ---------------------------------
Load and unload device drivers -------------------------------
Lock pages in memory -----------------------------------------
Log on as a batch job ----------------------------------------
Log on as a service ------------------------------------------
Log on locally -----------------------------------------------
Manage auditing and security log -----------------------------
Modify firmware environment values ---------------------------
Perform volume maintenance tasks -----------------------------
Profile single process ---------------------------------------
Profile system performance -----------------------------------
Remove computer from docking station -------------------------
Replace a process level token --------------------------------
Restore files and directories --------------------------------
Shut down the system -----------------------------------------
Synchronize directory service data ---------------------------
Take ownership of file or other objects ---------------------- | |
senetworklogonright -------------
setcbprivilege ------------------
semachineaccountprivilege -------
seincreasequotaprivilege --------
seremoteinteractivelogonright ---
sebackupprivilege ---------------
sechangenotifyprivilege ---------
sesystemtimeprivilege -----------
secreatepagefileprivilege -------
secreatetokenprivilege ----------
secreateglobalprivilege ---------
secreatepermanentprivilege ------
sedebugprivilege ----------------
sedenynetworklogonright ---------
sedenybatchlogonright -----------
sedenyservicelogonright ---------
sedenyinteractivelogonright -----
sedenyremoteinteractivelogonright
seenabledelegationprivilege -----
seremoteshutdownprivilege -------
seauditprivilege ----------------
seimpersonateprivilege ----------
seincreasequotaprivilege --------
seincreasebasepriorityprivilege -
seloaddriverprivilege -----------
selockmemoryprivilege -----------
sebatchlogonright ---------------
seservicelogonright -------------
seinteractivelogonright ---------
sesecurityprivilege -------------
sesystemenvironmentprivilege ----
semanagevolumeprivilege ---------
seprofilesingleprocessprivilege -
sesystemprofileprivilege --------
seundockprivilege ---------------
seassignprimarytokenprivilege ---
serestoreprivilege --------------
seshutdownprivilege -------------
sesyncagentprivilege ------------
setakeownershipprivilege -------- | |
ActSysAc
Privilgs
Privilgs
Privilgs
ActSysAc
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Actsysac
Actsysac
Actsysac
Actsysac
ActSysAc
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
ActSysAc
ActSysAc
ActSysAc
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs
Privilgs | |
02,00,00,00
07
06
05
00,04,00,00
11
17
0C
0F
02
1E
10
14
80,00,00,00
00,01,00,00
00,02,00,00
40,00,00,00
00,08,00,00
1B
18
15
1D
05
0E
0A
04
04,00,00,00
10,00,00,00
01,00,00,00
08
16
1C
0D
0B
19
03
12
13
1A
09 | |
2p,xp
2p,xp
2p,xp
---xp
---xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
---xp
2p,xp
2p,xp
2p,xp
2p,xp
2p---
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
---xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp
2p,xp | |
|
| [Registry Values](2C,40,FE)
secpol.msc -> \Local Policies\Security Options\
regedit.exe -> Various locations
explorer.exe -> \%windir%\system32\config\SAM|SOFTWARE|SYSTEM
Additional restrictions for anonymous connections
None. Rely on default permissions = 0
Do not allow enumeration of SAM accounts and shares = 1
No access without explicit anonymous permissions = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"restrictanonymous"=dword:0000000X
Allow Server Operators to schedule tasks (Domain Controllers Only)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"submitcontrol"=dword:0000000X
Allow system to be shutdown without having to log on
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"ShutdownWithoutLogon"="X"
Allowed to eject removable NTFS media
Administrators = 0
Administrators and Power Users = 1
Administrators and Interactive Users = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"allocatedasd"="0"
Amount of idle time required before disconnecting session (>=0 & <=99999)minutes (0 = Do not disconnect clients)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"autodisconnect"=dword:000XXXXX
Audit the access of global system objects
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"auditbaseobjects"=dword:0000000X
Audit use of Backup and Restore privilege
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"fullprivilegeauditing"=hex:0X
Automatically log off user when logon time expires(local)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"enableforcedlogoff"=dword:0000000X
Clear virtual memory pagefile when system shuts down
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\"ClearPageFileAtShutdown"=dword:0000000X
Digitally sign client communication (always)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\"requiresecuritysignature"=dword:0000000X
Digitally sign client communication (when possible)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\"enablesecuritysignature"=dword:0000000X
Digitally sign server communication (always)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"requiresecuritysignature"=dword:0000000X
Digitally sign server communication (when possible)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"enablesecuritysignature"=dword:0000000X
Disable CTRL+ALT+DEL requirement for logon
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"disablecad"=dword:0000000X
Do not display last username in logon screen
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"dontdisplaylastusername"=dword:0000000X
LAN Manager Authentication Level
Send LM & NTLM responses = 0
Send LM & NTLM - user NTLMv2 session security if negotiated = 1
Send NTLM response only = 2
Send NTLMv2 response only = 3
Send NTLMv2 response only\refuse LM = 4
Send NTLMv2 response only\refuse LM & NTLM = 5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"lmcompatibilitylevel"=dword:0000000X
Message title for user attempting to log on
(>=1 & <=16,383)characters | - bug(?) dialog = 30,000, if over 16,383 characters removes all/most security values within the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"legalnoticetext"="X"
Message title for users attempting to log on
(>=1 & <=16,383)characters | - bug(?) dialog = 30,000, if over 16,383 characters removes all/most security values within the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"legalnoticecaption"="X"
Number of previous logons to cache (in case domain controller is not available)
(>=1 & <=50) logons (0 = Do not cache logons)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"cachedlogonscount"="X"
Prevent system maintenance of computer account password
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"DisablePasswordChange"=dword:0000000X
Prevent users from installing printer drivers
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\servers\"addprinterdrivers"=dword:0000000X
Prompt user to change password before expiration
(>=0 & <=999)days
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"passwordexpirywarning"=dword:00000XXX
Recovery Console: Allow automatic administrative logon
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"SecurityLevel"=dword:0000000X
Recovery Console: Allow floppy copy and access to all drives and all folders
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"SetCommand"=dword:0000000X
Rename administrator account
(>=1 & <=20)characters | - bug(?) dialog = 30,000 (cannot be any existing group/user names)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4\V ("towards the end")
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%
Rename guest account
(>=1 & <=20)characters | - bug(?) dialog = 30,000 (cannot be any existing group/user names)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5\V ("towards the end")
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%
Restrict CD-ROM access to locally logged-on user only
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"allocatecdroms"="X"
Restrict floppy access to locally logged-on user only
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"allocatefloppies"="X"
Secure channel: Digitally encrypt or sign secure channel data (always)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"requiresignorseal"=dword:0000000X
Secure channel: Digitally encrypt secure channel data (when possible)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"sealsecurechannel"=dword:0000000X
Secure channel: Digitally sign secure channel data (when possible)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"signsecurechannel"=dword:0000000X
Secure channel: Require strong (Windows 2000 or later) session key
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"requirestrongkey"=dword:0000000X
Send unencrypted password to connect to third-party SMB servers
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\"enableplaintextpassword"=dword:0000000X
Shutdown system immediately if unable to log security audits
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"crashonauditfail"=dword:0000000X
Smart card removal behaviour
No Action = 0
Lock Workstation = 1
Force Logoff = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"scremoveoption"="X"
Strengthen default permissions of global system objects (e.g. Symbolic Links)
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\"ProtectionMode"=dword:0000000X
Unsigned driver installation behaviour
Silently succeed = 0
Warn but allow installation = 1
Do not allow installation = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing\"Policy"=hex:0X
Unsigned non-driver installation behavior
Silently succeed = 0
Warn but allow installation = 1
Do not allow installation = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\"Policy"=hex:0X
|
| secpol.msc -> \Event Log\Settings for Event Logs\
regedit.exe -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application/Security/System)\
explorer.exe -> \%windir%\system32\config\SYSTEM
[Application Log](24,40,FE) | [Security Log](22,40,FE) | [System Log](20,40,FE)
Maximum log size for (Application/Security/System) Log (>=64 & <=4,194,240)KBytes | 64byte Increment
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\(Application/Security/System)\"MaxSize"=dword:XXXXXXXX
Restrict Guest access to (Application/Security/System) Log
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application/Security/System)\"RestrictGuestAccess"=dword:0000000X
Retain (Application/Security/System) Log
(>=1 & <= 365)days (stored in seconds, only visable if Retention method is by days)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application/Security/System)\"Retention"=dword:0XXXXXXX
Retention method for (Application/Security/System) Log
Overwrite events by days = As above (days * seconds)
Overwrite events as needed = 0
Do no overwrite events (clean log manually) = FFFFFFFF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application/Security/System)\"Retention"=dword:XXXXXXXX
[Event Audit](26,40,FE)
Shutdown system when security audit becomes full
Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtFL\@=hex(0):0X,00
|
| [Group Membership](08,40,FE)
secpol.msc -> \Restricted Groups\
regedit.exe -> Not defined here
explorer.exe -> \%windir%\security\Database\secedit.sdb
Listed are the groups: Administrators, Backup Operators, Guests, Power Users, Replicator & Users.
In the members tab users can be defined in the security database to belong to the respective group. When the security policy is applied the registry group membership is matched with the list in the database, hence if a new administrator is added to the machine, but not listed in the security policy, it will be removed on policy application. This setting is only defined in the security database.
In the Member of tab is the text: The groups to which this group belongs should not be modified. Unsure, this setting doesn't "seem" to work since local/custom groups cannot be added to local groups - DC only?
|
| [Service General Setting](2E,40,FE)
secpol.msc -> \System Services\
regedit.exe -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%Various%
explorer.exe -> \%windir%\system32\config\SYSTEM
Service startup mode (FYI: 0=boot, 1=system, 2=automatic 3=manual, 4=disabled, 5+=unknown)
2 = Automatic
3 = Manual
4 = Disabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service%\"Start"=dword:0000000X
Service Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service%\Security\"Security"=hex:01,00,14,80...
 |
Constant for all service security values
Length from start to the first SYSTEM SID at the end
Length from start to the second SYSTEM SID at the end
Header length
Length from beginning to start of permissions
The section(audit/permission) prefix, the second two bytes state the section length
The number of users/groups within the section
Audit: Everyone
Permission: SYSTEM
Permission: Administrators
Permission: Authenticated Users
Permission: Power Users
SYSTEM SID - unsure of purpose
The audit and permission entries hold several sections of data.
The third byte in the first dword holds the entry length.
The second dword holds the permission/audit setting: (add for combinations)
FF,01,0F,00 = Full Control
01,00,00,00 = Query template
02,00,00,00 = Change template
04,00,00,00 = Query status
08,00,00,00 = Enumerate dependents
10,00,00,00 = Start
20,00,00,00 = Stop
40,00,00,00 = Pause and continue
80,00,00,00 = Interrogate
00,01,00,00 = User-defined control
00,00,01,00 = Delete
00,00,02,00 = Read permissions
00,00,04,00 = Change permissions
00,00,08,00 = Take ownership
The section after the permissions is the respective user/group SID number.
After this is a dword - unsure of purpose. |
|
| [Registry Keys] 14,40,FE
secpol.msc -> \Registry\
regedit.exe -> Stored in SK values that are not actually viewable via regedit/regedt32 -> Security -> Permissions...
explorer.exe -> \%windir%\system32\config\(SAM/SECURITY/SOFTWARE/SYSTEM) and %USERPROFILE%\NTUSER.DAT
This part is explained in the registry structure section.
|
| [File Security] 18,40,FE
secpol.msc -> \File System\
regedit.exe -> Not stored here
explorer.exe -> Differs from NT4(NTFSv1.2) and 2k/XP(NTFSv3.0/3.1)
This is should possibly be expanded into a whole different article on NTFS, however here are afew brief details. In NT4 the privilege is stored within each respective $MFT entry. In 2K/XP each $MFT entry has a numbered permission assigned to it - all the permissions are stored in the $Secure file in numbered permission blocks. This allows multiple files to point to the same permission block, saving space. Storage format is very similar to other permissions with the first dword specifying the length, followed by the privilege and then the SID. If you are using XP home, use FaJo XP File Security Extension to view the settings in normal mode.
FF,01,1F,00 = Full Control
20,00,10,00 = Traverse Folder / Execute File
01,00,10,00 = List Folder / Read Data
80,00,10,00 = Read Attributes
08,00,10,00 = Read Extended Attributes
02,00,10,00 = Create Files / Write Data
04,00,10,00 = Create Folders / Append Data
00,01,10,00 = Write Attributes
10,00,10,00 = Write Extended Attributes
40,00,10,00 = Delete Subfolders and Files
00,00,11,00 = Delete
00,00,12,00 = Read Permissions
00,00,14,00 = Change Permissions
00,00,18,00 = Take Ownership
|
|
|
| Apart from the audit log(.Evt), EFS keys, file security, group policies(.pol), and security databases(.sdb), all security settings are stored in the registry. In the second table the filenames are with respect to the path and filenames in the first table. A&P is the number of unique audit and permission entries.
|
|
|
|
C:\WINNT\system32\config\default ------------------------------------------------------------------
C:\WINNT\system32\config\SAM ----------------------------------------------------------------------
C:\WINNT\system32\config\SECURITY -----------------------------------------------------------------
C:\WINNT\system32\config\software -----------------------------------------------------------------
C:\WINNT\system32\config\system -------------------------------------------------------------------
C:\WINNT\system32\config\userdiff -----------------------------------------------------------------
C:\Documents and Settings\%username%\NTUSER.DAT ---------------------------------------------------
C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Default User\NTUSER.DAT ------------------------------------------------- | |
System profile ---------------
Users and Groups -------------
Security Settings ------------
User/OS software settings ----
Hardware settings & services -
Unsure, not loaded either? ---
Individual user settings -----
Empty and Unused? ------------
Default settings for new users | |
- 122,880
-- 20,480
-- 20,480
6,119,424
2,428,928
- 139,264
- 225,280
--- 8,192
- 118,784 | |
|
|
|
|
|
|
|
|
|
|
AppEvents, Console, Control Panel, Environment, Identities, Keyboard Layout,
Software, UNICODE Program Groups | |
|
|
|
|
|
|
|
|
|
| HKEY_LOCAL_MACHINE\SECURITY\ | |
|
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\
| |
|
Classes, Clients, INTEL, Microsoft, ODBC, Policies, Program Groups, Secure,
Voice, Windows 3.1 Migration Status | |
|
|
|
| HKEY_LOCAL_MACHINE\SYSTEM\ | |
|
| ControlSet001, ControlSet002, MountedDevices, Select, Setup | |
|
|
|
|
|
| 61 numbers ranging 1137 to 2138 | |
|
|
|
HKEY_CURRENT_USER\
HKEY_USERS\SID-RID\ | |
| | |
