PsShutdown help needed!
It looks like one of our lovely students has PsShutdown on a USB key and is using it to restart PCs around the site. So far I have 108 suspects - all the students who were logged on when it happened.
Looking at the Event Log on one of the machines restarted shows that it was PsShutdown that was used.
Suggestions please as to how I can track down where it was done and by whom. We're running WK2003 with XP Pro clients.
I'd love to block USB ports but school says no.
Thanks for any help! Much appreciated!
What about a software restriction policy that blocks it by file hash for the security group?
Edit: Monday morning - should have read more carefully! Not sure you'll be able to without auditing software. Might be best off interrogating likely suspects?
I've never used psShutdown before. Does it require a client to be installed on all the machines? And if so, then I presume you use psShutdown to turn the computers off at the end of the day.
Get rid of psShutdown and just use the built-in XP shutdown command on a schedule. I'm fairly sure you need to be an administrator to shut down remote computers on the domain (unless it's a client-side prog).
Or, write a script that searches users' USB pens for exe files periodically; you'll get them eventually.
Could be worse... could be Beyondexec. I tend to use that to great effect.
If you don't need them to use the command line then you could just disable access to the command prompt; it's in group policy somewhere.
That way they can't even bring their own command prompt on a USB stick, because it won't run even from there.
Does the event log show where the shutdown originated, as it does if you use the Microsoft tool? You could turn the security audit on for all events; it may pick up the originating user in there somewhere.
I'm concerned it worked with them not needing an admin account to connect to the remote PC and execute.
We use a software restriction policy to ban all exe, cmd, vbs, lnk etc. files on any drive but C:. This stops students running files from pen drives, or using shortcuts to launch files on the PCs. Not had any problems so far, touch wood!
We use Psshutdown here and it executes remotely but 'does' require an admin password to shutdown a client. I'd be much more concerned that either they know your local admin password or worse a domain one or it's blank.
Yeah, we've changed the admin passwords so we're still scratching our heads over how they've managed to do it.
Originally Posted by cookie_monster
Did you change the local admin passwords? If so I'd look into changing all of the domain accounts that have admin rights.
There is a 'Force shutdown from remote system' policy, but it is admins only by default; it might be worth checking that the users group hasn't been added by accident.
It's possible that if someone did know an admin password that they've changed security settings on all/many of your machines (or more simply!) just created another admin account.
As far as I know, you can't use psshutdown to access a remote machine without having an admin account. You can try it for yourself - just log on as an ordinary student and try to run psshutdown against another machine (if you block access to the command prompt then you can generally run exe files via a macro in Word).
OK, just checked and you should see something in the event log.
Look for Event ID 7035 in the system log; it will tell you the user account that was used. It's quite a common event code so you might need to filter the results. This is the text I see in the info box: "The PsShutdown service was successfully sent a start control."
I believe when you first launch psShutdown it presents you with a EULA screen (much of the software, if not all, made available by Sysinternals acts in this manner). Because this screen is only presented to you when you first launch the application, this may mean that it stores some value in the user's registry acknowledging that you had agreed to the EULA. It may be possible for you to track down this registry key and then somehow search the registry of all 109 users that you have identified. The last part is a BIG job, but there's probably some way of automating it. If it worked (no guarantees) it would at least tell you what user had at some point launched psShutdown, which would probably violate your AUP.
Here's what I found on my system. I was having a similar issue, more so my other administrators playing practical jokes.
In the security logs, look for event ID "4674", task category "Sensitive Privilege Use".
There may be multiple entries of this particular log and I'm currently looking at how to narrow it down, but I digress. In the General tab in the bottom window it will state "an operation was attempted on a privileged object" and under SUBJECT it will give you the security ID and account name of the account that executed the psshutdown. Under OBJECT it will have object name "psshutdownsvc". Doesn't list the computer name that executed it, but you'll at least get a user name.
This thread seems kind of old, but if anyone is looking for how to find the culprit as I was, hope this helps.
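Pulling the two event-log checks from this thread together (the System-log event 7035 from the earlier post, and the Security-log event 4674 from the post just above) as an added PowerShell example; this is not code from the thread or from Sysinternals. It assumes you run it from an admin workstation as a domain administrator with remote Event Log access to the targets, that the `LAB01-*` computer names are placeholders for the PCs that were restarted, and that "Audit Sensitive Privilege Use" (Success) is enabled on the Vista/2008-and-later machines, otherwise no 4674 events are written. `Get-EventLog` is Windows PowerShell only (removed in PowerShell 7), so run the 7035 part from Windows PowerShell.

```powershell
# Added example (not from the thread): find the account that started PsShutdown's
# service on a PC. Assumes domain-admin rights and remote Event Log access;
# the computer names below are constructed placeholders.

# XP / Server 2003 targets: System log, Service Control Manager event 7035
# ("The PsShutdown service was successfully sent a start control.").
# Get-EventLog exposes the account recorded on the event as .UserName.
function Get-PsShutdownStart7035 {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        Get-EventLog -LogName System -ComputerName $c -Source 'Service Control Manager' -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 7035 -and $_.Message -match 'PsShutdown' } |
            Select-Object @{ n = 'Computer'; e = { $c } }, TimeGenerated, UserName, Message
    }
}

# Vista / Server 2008 and later targets: Security log event 4674 (Sensitive
# Privilege Use) whose ObjectName is PsShutdown's service. The named EventData
# fields are read from the event XML instead of scraping the message text.
function Get-PsShutdownPrivilegeUse4674 {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        $events = Get-WinEvent -ComputerName $c -FilterHashtable @{ LogName = 'Security'; Id = 4674 } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectName'] -match 'psshutdownsvc') {
                [pscustomobject]@{
                    Computer  = $c
                    Time      = $e.TimeCreated
                    Account   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Sid       = $data['SubjectUserSid']
                    Object    = $data['ObjectName']
                    Privilege = $data['PrivilegeList']
                }
            }
        }
    }
}

# Usage: sweep the restarted PCs (placeholder names) and order the hits by time,
# so the account that shows up on every machine at the right moment stands out.
$pcs = 'LAB01-PC01', 'LAB01-PC02'   # constructed placeholder computer names
Get-PsShutdownStart7035 -ComputerName $pcs | Sort-Object TimeGenerated | Format-Table -AutoSize
Get-PsShutdownPrivilegeUse4674 -ComputerName $pcs | Sort-Object Time | Format-Table -AutoSize
```

The account that appears in these events is the one whose credentials were used to install and start the service on the target, which is the point made earlier in the thread: if it is a student account, that account holds admin rights it should not have; if it is an admin account, the password has leaked and should be changed along with the other admin accounts. On XP/2003 the Security-log counterpart of 4674 is event 577 (Privileged Service Called), which you can filter with `Get-EventLog -LogName Security` in the same way once auditing of privilege use is turned on.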
"you speak out of turn, but the truth spills from your mouth"