cancerface (Author), Posted April 7, 2006 (edited)

Updated first post, bringing this guy to v.0.4 ...

Got rid of the external applications used to set the password age and to change the computer name, and implemented WMI calls instead, added an option in the INI file to invoke the 'Confirm' dialog and finally added tooltips, for every control ...

CF

[Edit] Updated again to 0.4.1 (reverted to external tools since WMI was breaking the code at T13)

Updated yet again to 0.5 combining both WMI and external tool calls depending on the system state (at T13 the external tools are used, otherwise WMI is used)

Edited April 9, 2006 by cancerface

cancerface (Author), Posted April 16, 2006

Yet another update, check the first post.

Major changes this time as I managed to figure out how to use direct API calls to netapi32 and kernel32 in order to create the user and change the computer name. This means that there is no longer the need for any external tools or for native windows tools (such as net.exe and wmi.exe) ...

I successfully tested this in a working XP box as well as during a deployment at T13.

However the API code breaks in Windows 2k so I had removed the support for that OS until I can figure out another way to add the user to a group in 2k.

v.0.6 Changelog
- Added a check for OS type (will only run in XP/2K3)
- Added a check for admin privileges
- Added options to parse the computername/username sections
- The computername is set using a direct kernel32 API call
- The user is created using a direct netapi32 API call
- Changed the interface and added a computer Icon

CF

cancerface (Author), Posted April 20, 2006

After discovering a bug in v0.6 that would not add the created user to any group, I had to release a new version ... In the process I also managed to get this little tool to work in Windows 2000! So here is the new version ... (check first post)

v.0.7 Changelog
- Fixed nasty bug from 0.6 that wouldn't add the user to a group
- Added support for Windows 2000
- Added support for non-English Windows version (I hope ...)

Enjoy!

CF

cancerface (Author), Posted April 29, 2006

Following the discussion with DarkShadows in this thread I tried to implement the idea of securing the new administrator’s password using the LsaStorePrivateData method. It is a simple process if we want to create an account with admin privileges, since this new account will be able to access the stored encrypted password in an autologon scenario. Unfortunately this is not the case for a new, regular user, since the LsaStorePrivateData will only allow the creator of a secret and any members of the administrators group to read the secret. This means that in order to create a simple user and enable autologon without exposing his/her password as a clear text entry in the system registry then we would have to somehow create a login session for this user, impersonate him/her then encrypt and store the password.

The LsaStorePrivateData method is not however perfect, as the information stored (DefaultPassword in our case) can be found in HKLM\SECURITY\Policy\Secrets\DefaultPassword. Since there are ways to dump the content of the above key and decrypt the data, I am currently looking for another way of encrypting the password, using the CryptProtectData function of Win2k/XP.

In version v0.8 of this tool I have added support for the LsaStorePrivateData functionality. If you create a user with administrator’s privileges and enable autologon, the user’s password will not be stored in the registry as a clear text, but will be encrypted so that it will be more difficult for a non admin user to gain access to this information. In fact this is the process that TweakUI (XP) is using in order to store the DefaultPassword, used for autologon sessions, in the registry.

v0.8 Changelog
- Added support for LsaStorePrivateData functionality (password encryption for autologon)
- Fixed a bug with user enumeration at T12

Updated 1st post and uploaded the new version

CF

Takeshi, Posted May 1, 2006

> In fact this is the process that TweakUI (XP) is using in order to store the DefaultPassword, used for autologon sessions, in the registry.

It looks like it's also the method the Run command control userpasswords2 uses at least in Win XP SP2. I tested this method in two machines and DefaultPassword is absent in the registry key.

Good piece of work your program!

cancerface (Author), Posted May 1, 2006

> Good piece of work your program!

Thanks Takeshi, glad you like it.

> I tested this method in two machines and DefaultPassword is absent in the registry key.

Well, the DefaultPassword entry from HKLM\Software\Microsoft\Windows NT\WinLogon is missing (the clear-text password), but the Default password is in fact stored in the registry, encrypted, under the HKLM\SECURITY\Policy\Secrets\DefaultPassword key, which you need to manually access using admin privileges. In other words it is more secure than the clear text method, but not perfect, yet I am experimenting with another method suggested by M$ which is a bit more complicated but guarantees better encryption, as suggested in this MSDN page ...

CF

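The distinction drawn in the two posts above (a clear-text DefaultPassword value under the Winlogon key versus a password held as an LSA secret), as an added audit example that is not part of the thread or of cancerface's tool. It assumes the standard Winlogon key location; the function and field names are illustrative, and the script reports only whether a clear-text value exists, never the password itself.

```powershell
# Added example (not from the thread): report how autologon credentials are stored.
# Assumption: standard Winlogon key location; function and field names are illustrative.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param($Props, [string]$Name)
    # Return $null when the value is absent instead of failing under strict mode.
    $p = $Props.PSObject.Properties[$Name]
    if ($p) { return $p.Value }
    return $null
}

function Get-AutologonExposure {
    param([string]$Path = $WinlogonKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $auto  = [string](Get-RegValue $props 'AutoAdminLogon')
    $user  = Get-RegValue $props 'DefaultUserName'
    $pass  = Get-RegValue $props 'DefaultPassword'

    $enabled  = ($auto -eq '1')
    $hasClear = -not [string]::IsNullOrEmpty([string]$pass)

    if ($hasClear) {
        $finding = 'Clear-text DefaultPassword value is present in the Winlogon key'
    } elseif ($enabled) {
        # Autologon is on but no clear-text value exists: consistent with the
        # password being held as the DefaultPassword LSA secret, as the posts describe.
        $finding = 'Autologon enabled with no clear-text value (password likely stored as LSA secret)'
    } else {
        $finding = 'Autologon not enabled and no clear-text password found'
    }

    [pscustomobject]@{
        AutoLogonEnabled  = $enabled
        DefaultUserName   = $user
        ClearTextPassword = $hasClear   # presence only; the value is never emitted
        Finding           = $finding
    }
}

Get-AutologonExposure | Format-List
```
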
ZileXa, Posted May 1, 2006

What is PC description for? didn't even know Windows had this... seems useless to me!

It would be great if I could set the Network name with your tool. I use WIHU for now.

cancerface (Author), Posted May 1, 2006

> What is PC description for? didn't even now Windows had this... seems useless to me!

ControlPanel->System->Computer Name->Computer Description

It's the description that appears when you browse a network for a certain computer ...

> It would be great if I could set the Network name

Can you elaborate a bit more on that? As far as I can see here my tool changes both the Physical NetBios and DNS hostname ... I am calling SetComputerNameEx for ComputerNamePhysicalNetBIOS and ComputerNamePhysicalDnsHostname ...

Are you referring to a fully qualified domain name? Something like mypc.somewhere.com?

CF

ZileXa, Posted May 2, 2006

No I don't mean pc name, I mean Workgroup name, if you have a (wireless) network, the network must have a name... right-click My computer, tab Computer Name, then the Modify button, now you can set a Workgroup name (or choose a domain name if the pc is in a domain but that's not for home users I suppose).

cancerface (Author), Posted May 2, 2006

@ZileXa

That's on my list of things to do. I am using NetJoinDomain to add the workstation to a workgroup. I have to test a few things in non XP systems and then I'll release a new version.

I am also working on including a list of known MACs in the INI file with references to specific computer names so that a name will be automatically picked up if a MAC address is detected ...

CF

cancerface (Author), Posted May 4, 2006 (edited)

I liked ZileXa's suggestion to add support for joining a workgroup so I uploaded yet another version of this tool bringing it to v0.9

v.0.9 Changelog
- Added new option to join the computer to a workgroup
- Generate secure autologin password for non admin users (ie no clear text passwords in the registry)
- Removed the 'ForceNewName' switch (not needed)
- Fixed error that occurred when enumerating users at T12
- Rewrote the administrator check code
- Added an option to disable the timeout

Updated the first post and uploaded version 0.9.

Enjoy

CF

Edited May 4, 2006 by cancerface

blinkdt, Posted May 5, 2006

Awesome app, CF. I plan on adding it to my unattended routine, no doubt.

In my case, I rename the admin account via WINNT.sif and supply the password there as well. The install runs and boots to the Desktop, where I install other apps and such. A batch file then runs to capture the settings, copying them over to the Default User profile. I would like to use your tool at that point to create additional users so that, upon reboot, all of the users would appear on a Welcome Screen. So my questions:

1. Is there anything that would prevent me from running the tool multiple times to create new users?
2. To what group is the user added if the "Add to Admin group" is unchecked?

Sorry but I have not had time to try your tool, I know the answers would present themselves at that time to me. But if you know off the top of your head...? Thanks in advance.

cancerface (Author), Posted May 5, 2006 (edited)

> Awesome app, CF. I plan on adding it to my unattended routine, no doubt.

Glad you like it blinkdt.

> 1. Is there anything that would prevent me from running the tool multiple times to create new users?

Not at all. You would have to provide a new NewUser.ini file for each user that you wish to create. Set the EnableTimeOut to 1 and the TimeOut to something like 1000 (1 sec) then write new values for the [userInfo] section and execute the program again. Don't forget to add ParseComputerSection=0 after the first execution (you don't want to change the computer name/workgroup again!)

> 2. To what group is the user added if the "Add to Admin group" is unchecked?

It is the Users group or whatever name that group has in the system language.

> In my case, I rename the admin account via WINNT.sif and supply the password there as well.

My idea was to use an encrypted password at WINNT.SIF for the administrator which means that autologon would not work, but then run the program at T12, create a new admin account and enable autologon so that the new password would not appear in the registry. This is not perfect of course since the password would still be as plain text in NewUser.ini (for now, at least).

Although my intention was not to create a tool that would handle multiple accounts, this suggestion has come up twice so far. I am only creating one account at T12 with admin privileges and then RunOnce occurs in that account's namespace. The point of having the GUI is to be able to change that account's information in case I wanted to install on another computer.

If however I had a list of standard users to be created I doubt that I would be using a GUI. I would go with oobe or with a simple batch script that would use net.exe commands to create the users.

Another idea would be to leave the GUI with the option to generate one admin account and at the same time to add a switch that would force the program to parse yet another section (or sections) that would contain the details of other users to be created (who would belong to the Users group), without asking for these details via the GUI.

I am open to suggestions.

CF

Edited May 5, 2006 by cancerface

razormoon, Posted May 9, 2006 (edited)

This is something I've been looking for! Now only if I knew how to create multiple dif users

Has anyone tried this??

Incredible little app I've been playing with for over 8 months...it can do anything from adding multiple users (along w/ password expiration, set 'primary user', set roaming profiles, set user specific registry entries, etc) to installing files. Pretty sweet, no?

You can set it up to do only user setup, file setup or both.

Edited May 9, 2006 by razormoon

Joc, Posted May 10, 2006 (edited)

I have a little problem with this nice utility. It cannot start at all! It says: "you do not have admin priviliges - aborting!".

I have tried on win2k3 and on winxppro. Maybe the Hungarian localization is the root of the problem?

Joc

Edited May 10, 2006 by Joc