PsShutdown help needed! (Windows forum, Technical)
#1 tech_guy
    PsShutdown help needed!

    It looks like one of our lovely students has PsShutdown on a usb key and is using it to restart PCs around the site. So far I have 108 suspects - all the students who were logged on when it happened.

    Looking at the Event Log on one of the machines restarted shows that it was PsShutdown that was used.

    Suggestions please as to how I can track down where it was done and by whom. We're running WK2003 with XP Pro clients.

    I'd love to block usb ports but school says no.

    Thanks for any help! Much appreciated!

#2 leon
    What about a software restriction policy that blocks it by file hash for the security group?

    Edit: Monday morning, should have read more carefully! Not sure you'll be able to without auditing software. Might be best off interrogating likely suspects?
    Last edited by leon; 21st April 2008 at 09:45 AM.

#3 richard.thomas
    I've never used psShutdown before. Does it require a client to be installed on all the machines? And if so, then I presume you use psShutdown to turn the computers off at the end of the day.

    Get rid of psShutdown and just use the built in XP shutdown command on a schedule. I'm fairly sure you need to be an administrator to shut down remote computers on the domain (unless it's a client side prog).

    Or, write a script that searches users USB pens for exe files periodically, you'll get them eventually.

#4 Sirbendy
    Could be worse... could be Beyondexec. I tend to use that to great effect.

#5 cromertech
    If you don't need them to use command line then you could just disable access to the command prompt, it's on group policy somewhere

    That way they can't even bring their own command prompt on a usb stick because it won't run even from there

    Does the event log show where the shutdown originated, as it does if you use the Microsoft tool? You could turn the security audit on for all events; it may pick up the originating user in there somewhere.
    Last edited by cromertech; 21st April 2008 at 10:10 AM.

#6
    I'm concerned it worked with them not needing an admin account to connect to the remote PC and execute.

#7 altecsole
    We use a software restriction policy to ban all exe, cmd, vbs, lnk etc. files on any drive but C:. This stops students running files from pen drives, or using shortcuts to launch files on the PCs. Not had any problems so far, touch wood!

#8 cookie_monster
    We use Psshutdown here and it executes remotely but 'does' require an admin password to shutdown a client. I'd be much more concerned that either they know your local admin password or worse a domain one or it's blank.

#9 tech_guy
    Quote Originally Posted by cookie_monster:
    > We use Psshutdown here and it executes remotely but 'does' require an admin password to shutdown a client. I'd be much more concerned that either they know your local admin password or worse a domain one or it's blank.
    Yeah, we've changed the admin passwords so we're still scratching our heads over how they've managed to do it.

#10 cookie_monster
    Did you change the local admin passwords? If so, I'd look into changing all of the domain accounts that have admin rights.

    There is a 'Force shutdown from remote system' policy, but it is admins only by default; it might be worth checking that the users group hasn't been added by accident.
    Last edited by cookie_monster; 21st April 2008 at 11:16 AM.
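A quick way to do the check cookie_monster suggests, as an added example that is not part of the thread: the script exports the local security policy with secedit and lists who holds SeRemoteShutdownPrivilege (the "Force shutdown from a remote system" user right), flagging anything beyond BUILTIN\Administrators. The temp path and the "expected" list are assumptions; on a domain-joined client Administrators is the default, so anything else (Users, Everyone, a student group) is what you are looking for. Run it in an elevated session on the client, locally or through PsExec or similar.

```powershell
# Added example (not from the thread): list who holds
# SeRemoteShutdownPrivilege ("Force shutdown from a remote system") on this
# machine and flag anything beyond the default BUILTIN\Administrators.
# Run in an elevated session on the client being checked.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export is an INI file; its [Privilege Rights] section has lines such as
#   SeRemoteShutdownPrivilege = *S-1-5-32-544
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteShutdownPrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    'SeRemoteShutdownPrivilege is assigned to nobody on this machine.'
    return
}

# Assumption: on a domain-joined client only BUILTIN\Administrators should hold it.
$expected = @('*S-1-5-32-544')
$holders  = (($line -split '=', 2)[1] -split ',') |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($h in $holders) {
    $name = $h
    if ($h -like '*S-1-*') {
        # secedit writes SIDs with a leading '*'; resolve them to names where possible.
        try {
            $sid  = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $h.TrimStart('*')
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
    }
    $status = if ($expected -contains $h) { 'expected' } else { 'UNEXPECTED' }
    '{0,-10} {1} ({2})' -f $status, $name, $h
}
```

Any line tagged UNEXPECTED names a principal that can reboot the machine over the network without being a local administrator, which would explain how a student account managed it without a leaked admin password.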

#11
    It's possible that if someone did know an admin password that they've changed security settings on all/many of your machines (or more simply!) just created another admin account.

    As far as I know, you can't use psshutdown to access a remote machine without having an admin account. You can try it for yourself - just log on as an ordinary student and try and run psshutdown against another machine (if you block access to the command prompt then you can generally run exe files via a macro in Word)

#12 cookie_monster
    OK, just checked and you should see something in the event log.

    Look for Event ID 7035 in the system log; it will tell you the user account that was used. It's quite a common event code so you might need to filter the results. This is the text I see in the info box: "The PsShutdown service was successfully sent a start control."
    Last edited by cookie_monster; 21st April 2008 at 11:44 AM.

#13
    tech_guy,

    I believe when you first launch psShutdown it presents you with a EULA screen (much of the software, if not all, made available by Sysinternals acts in this manner). Because this screen is only presented to you when you first launch the application this may mean that it stores some value in the users registry acknowledging that you had agreed to the EULA. It may be possible for you to track down this registry key and then somehow search the registry of all 109 users that you have identified. The last part is a BIG job, but there's probably some way of automating it. If it worked (no guarantees) it would at least tell you what user had at some point launched psShutdown which would probably violate your AUP.
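The registry hunt described in the post above, as an added example that is not from the thread. The Sysinternals tools record EULA acceptance as a DWORD EulaAccepted = 1 under HKCU\Software\Sysinternals\<ToolName>; the subkey name PsShutdown is assumed here for PsShutdown, as is the profile share layout (\\fileserver\profiles$\<username>\NTUSER.DAT). The script copies each roaming profile's NTUSER.DAT locally, loads it under HKEY_USERS with reg.exe, reads the value, and unloads it again. A hive is in use while its owner is logged on, so run it after hours from an elevated session as a domain admin.

```powershell
# Added example (not from the thread): find which roaming profiles carry the
# Sysinternals EULA-accepted marker for PsShutdown by loading each user's
# NTUSER.DAT offline.
# Assumptions: profiles sit at \\fileserver\profiles$\<username>\NTUSER.DAT, and
# PsShutdown writes HKCU\Software\Sysinternals\PsShutdown\EulaAccepted = 1 on
# first run (the pattern the Sysinternals tools share; the subkey name for
# PsShutdown is assumed). Run after hours, elevated, as a domain admin.
param([string]$ProfileRoot = '\\fileserver\profiles$')

$mount  = 'HKU\PsHunt'
$relKey = 'Software\Sysinternals\PsShutdown'

Get-ChildItem -Path $ProfileRoot -Directory | ForEach-Object {
    $user = $_.Name
    $hive = Join-Path $_.FullName 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hive)) { return }   # not a profile folder

    # Work on a local copy: the copy fails cleanly if the hive is in use, and
    # reg.exe then loads from local disk rather than across the share.
    $tmp = Join-Path $env:TEMP "ntuser-$user.dat"
    try   { Copy-Item -LiteralPath $hive -Destination $tmp -Force -ErrorAction Stop }
    catch { [pscustomobject]@{ User = $user; EulaAccepted = 'hive in use'; Hive = $hive }; return }

    & reg.exe load $mount $tmp 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        [pscustomobject]@{ User = $user; EulaAccepted = 'load failed'; Hive = $hive }
        Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue
        return
    }
    try {
        $value = (Get-ItemProperty -Path "Registry::HKEY_USERS\PsHunt\$relKey" `
                     -Name EulaAccepted -ErrorAction SilentlyContinue).EulaAccepted
        if ($value -eq 1) {
            [pscustomobject]@{ User = $user; EulaAccepted = 'yes'; Hive = $hive }
        }
    }
    finally {
        # Drop cached registry handles before unloading, or reg.exe reports "access denied".
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $mount 2>&1 | Out-Null
        Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue
    }
}
```

Only profiles that have run the tool (or that carry a marker planted by hand) are listed, so a hit shows who launched PsShutdown at some point, not which run rebooted which PC; pair it with the event log evidence for that.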

#14
    Here's what I found on my system. I was having a similar issue, more so my other administrators playing practical jokes.

    In the security logs, look for event ID "4674", task category "Sensitive Privilege Use".

    There may be multiple entries of this particular log and I'm currently looking at how to narrow it down, but I digress. In the General tab in the bottom window it will state "an operation was attempted on a privileged object" and under SUBJECT, it will give you the security ID and account name of the account that executed the psshutdown. Under OBJECT it will have object name "psshutdownsvc". Doesn't list the computer name that executed, but you'll at least get a user name.

    This thread seems kind of old, but if anyone is looking for how to find the culprit as I was, hope this helps.

    "you speak out of turn, but the truth spills from your mouth"
