5

Some of my cleverer users are using the pstools suite to shut down each other's computers. I now know how to prevent them from doing so, but is it possible that the pskill commands are being logged somewhere? While I know they're doing it, I don't know exactly who it is.

These are WinXP Pro SP2 machines on a Win 2003 network.

Phil
  • 1
    Seems you have an issue with the permissions on your network. Does every user really need to be a local administrator on every machine? I'd rather try to fix that issue instead of trying to log the usage of a single tool (there are more tools out there than pskill)... – 0xA3 Aug 06 '09 at 11:12
  • That's exactly what I'm going to do, but as I said I want to catch those responsible before I start restricting permissions. I don't need to log every tool out there, just this one for a couple of days. –  Aug 06 '09 at 11:37
  • @Phil - now that this is on server fault, make sure to link your account: http://blog.stackoverflow.com/2009/07/cross-site-account-associations/ – bdonlan Aug 06 '09 at 14:44

1 Answer

2

Check the Event Viewer on a machine that you suspect was shut down remotely. You should be able to find a log of the Shutdown command being given and it might have the user who issued the command. You may need to tweak some logging to get that (I know Server 2k3 logs WHO sent the command, not sure about XP).

Dustin
  • Eventvwr does log the shutdown commands but not who sent them unfortunately :( I was hoping that they'd be logged somewhere else but I don't think so. Guess I'll just have to nail down the machines and hope the guilty parties grow up. Thanks for your reply – Phil Aug 06 '09 at 14:57
  • 2
    Not exactly what I was looking for, but if anyone is interested, here's how I found them. HKEY_CURRENT_USER\Software\Sysinternals\PSKill\EulaAccepted = 1 : Means that they've accepted the EULA, and this only happens if they've executed PSKill at least once. Same thing for the other PSTools. – Phil Aug 06 '09 at 16:44
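
The registry check from the last comment, generalized to every tool key under Software\Sysinternals and every user hive loaded on a machine; this is an added example, not code posted by anyone in the thread. It assumes an elevated PowerShell session on the workstation a suspected user logs on to (HKEY_CURRENT_USER belongs to the account that ran the tool, so the value lives on the machine the command was issued from), and the function name is hypothetical.

```powershell
# Added example: report every Sysinternals tool whose EULA has been accepted,
# per user hive currently loaded under HKEY_USERS on this machine.
# Assumption: run elevated; profiles of users who are not logged on are not
# loaded and therefore not inspected.
function Get-SysinternalsEulaAcceptance {
    # User account hives are named by SID (S-1-5-21-...); skip the *_Classes hives.
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-[0-9-]+$' }

    foreach ($sid in $sids) {
        # Resolve the SID to DOMAIN\user; deleted accounts cannot be resolved.
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved SID)'
        }

        $root = "Registry::HKEY_USERS\$sid\Software\Sysinternals"
        if (-not (Test-Path -Path $root)) { continue }

        # One subkey per tool (PSKill in the comment above); EulaAccepted = 1
        # is written the first time the tool runs under that profile.
        foreach ($toolKey in (Get-ChildItem -Path $root)) {
            if ($toolKey.GetValue('EulaAccepted') -eq 1) {
                New-Object PSObject -Property @{
                    Account = $account
                    Sid     = $sid
                    Tool    = $toolKey.PSChildName
                }
            }
        }
    }
}

Get-SysinternalsEulaAcceptance |
    Sort-Object Account, Tool |
    Format-Table Account, Tool, Sid -AutoSize
```

A hit shows only that the tool has been run at least once under that profile; it carries no timestamp or target, so it narrows the list of accounts rather than proving a specific shutdown.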