Create auditbreak

auditbreak

@@ -0,0 +1,61 @@
+# Define the embedded REG content
+$regContent = @"
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
+"CmdLine"=""
+"OOBEInProgress"=dword:00000000
+"RestartSetup"=dword:00000000
+"SetupPhase"=dword:00000000
+"SetupType"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status]
+"AuditBoot"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\ChildCompletion]
+"setup.exe"=dword:00000003
+"oobeldr.exe"=dword:00000000
+"audit.exe"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus]
+"GeneralizationState"=dword:00000007
+
+[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\UnattendPasses]
+"oobeSystem"=dword:00000002
+"auditSystem"=dword:00000000
+"auditUser"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\AuditBootVolatile]
+
+"@
+
+# Define path for temporary REG file
+$tempRegPath = "$env:TEMP\AuditBreak.reg"
+
+# Write REG content to file
+$regContent | Out-File -FilePath $tempRegPath -Encoding ASCII
+
+# Check Audit Mode
+$auditKey = "HKLM\SYSTEM\Setup"
+$auditValue = "AuditInProgress"
+$auditStatus = Get-ItemProperty -Path $auditKey -Name $auditValue -ErrorAction SilentlyContinue
+
+if ($auditStatus.$auditValue -eq 1) {
+    Write-Host "Audit Mode enabled. Disabling it"
+
+    # Import the embedded REG file
+    reg import $tempRegPath
+    Write-Host "Registry settings applied."
+
+    # Run your command
+    $command = "net.exe user Administrator /active:yes"
+    Start-Process -FilePath $command -Wait
+    Write-Host "Command executed."
+} else {
+    Write-Host "Audit Mode is not active."
+}
+
+# Optional: Clean up
+Remove-Item $tempRegPath -Force
+Write-Host "Press any key to exit."
+$null = [System.Console]::ReadKey($true)