4

I'm a system administrator in a school. We have a classroom with 20 PCs in a domain, and all PCs use the same user to log in.

Sometimes students use the shutdown command to shut down the PCs of other students.

In the system event log of the PC that was shut down, I can find the event with ID 1074. The problem is that it only says the name of the user, which is the same for all 20 PCs. So I'm looking for the IP address or the computer name of the PC that sent the command, so I can identify the student.

Any suggestions? Or any other way of finding out who did it?

Thanks!

Johan Claes
    Give all the students A) Administrative control over all the computers and B) Anonymity by giving them all the same administrator account... what could go possibly go wrong? :) – Ryan Ries Feb 02 '16 at 13:43
  • They don't have admin rights, and I don't want to disable the shutdown command because I RDP to the PCs and use the shutdown command to reboot or shut down the machines. It's always a balancing act between comfort and security :) – Johan Claes Feb 02 '16 at 13:51
  • By default, only the Administrators group has the user right "Force shutdown from a remote system." – Ryan Ries Feb 02 '16 at 13:57
  • It's very rare that students would require full admin rights. My suggestion would be to change the user to a standard user and consider using the LAPS tool to generate and store unique local admin passwords in AD. – Jim B Feb 02 '16 at 14:13
  • Thanks for your input, but they are not administrators. Not on the local PC and not on the domain. And please, can we focus on the question here: I would like to know if it is possible (and how) to find the source of a remote shutdown command – Johan Claes Feb 02 '16 at 15:10
  • Linux has "who" command. But Windows does not. Windows does have "quser" and "net user", but if the user name is the same that may not help. However, netstat may provide an IP of an RDP user. If you set a script to dump that either on login or at shutdown to a log file ... Bob's your uncle. – TheSatinKnight Sep 08 '21 at 23:06
  • If the students all use the same Credentials to log in to their computers, YOU should be using different credentials. Their user should NOT have RDP permission. They should require direct physical access to the computer for use. That way if something happens at a workstation, it's because the child sitting at that workstation "did it". – TheSatinKnight Sep 08 '21 at 23:10

1 Answer

3

Converting my comments/thoughts into an answer.

It appears that you have given all of the students:

  • Administrative control over all the computers.
  • Anonymity by allowing them to all share the same admin account.

This is probably a suboptimal configuration in a typical classroom setting.

Although you claim that the students are not administrators on the computers, by default, only the Administrators group has the right to force the shutdown of a computer from a remote system. Check the User Rights Assignment category in your applicable local security policy or Group Policy:

[Screenshot: User Rights Assignment]

Now, to more directly answer your question, there is probably not enough forensic evidence left on the computer right now to determine what computer the shutdown command was issued from. It is possible to enable more logging that would allow you to capture these events in the future, but enabling such logging now won't help you find out what happened in the past. Specifically, the logging that I'm thinking of that would have helped you is in the Advanced Audit Policy section (these are just examples, not an exhaustive list):

  • Audit RPC Events
  • Audit Filtering Platform Connections (Windows Firewall)

Remote shutdown uses RPC, so that's sure to show something. And logging when Windows Firewall permits an inbound connection will absolutely give you an IP address. You would be able to correlate the events.

Here's a step-by-step guide on configuring Advanced Audit Policy:

https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Edit: Updating to confirm that as of Windows 8.1, the event log actually DOES include the IP address of the remote system that initiated the shutdown. (By default, without having to enable any additional logging.) But I do not know whether older versions of Windows include the IP address or not.

[Screenshot: remote shutdown event]

Ryan Ries
  • Ryan, the logged on user is always able to shut down the computer. So if the pupils are logged on the computer with a shared account, I think it might be possible to remotely shut down the computer without admin privileges as if he would sit right in front of it. – Daniel Feb 02 '16 at 15:24
  • OK, so the event log has 2 entries: one says winlogon shut the PC down, the other says it was explorer.exe so maybe it was not done by a shutdown command after all? I don't know, maybe I'll wait and see if it happens again anytime soon.. – Johan Claes Feb 02 '16 at 15:51
  • @Daniel Does not matter. Standard user can not force the shutdown of a remote system (`shutdown /m \\pc02 /s`) without having the "Force shutdown of the system remotely" user right on the computer that he wants to shut down, regardless of whether that same user account is simultaneously logged in locally. – Ryan Ries Feb 02 '16 at 16:28
  • @JohanClaes Just FYI, if the computer was truly shut down remotely (i.e. `shutdown /m \\pc02 /s`) then the event will be logged in the System event log, ID 1074, "The process wininit.exe (IP Address!) has initiated the power off of computer pc02 on behalf of user domain\spiderman for the following reason..." I tested this using Windows 8.1 clients, and lo and behold it actually DOES supply the IP address of the remote system that shut the client down. However, I do not know if older versions of the OS record the IP address in the same way. – Ryan Ries Feb 02 '16 at 16:37
  • @JohanClaes Also, a remote shutdown would bear the process name wininit.exe, not Winlogon or Explorer. So it sounds like you did not actually experience a remote shut down after all. – Ryan Ries Feb 02 '16 at 16:41
  • Thanks guys, you are awesome! I now know everything I need to know about it. This will help me in the future, because every school year, a few guys discover the shutdown command, and play with it until we demonstrate to them that "we see everything" :) – Johan Claes Feb 02 '16 at 18:12
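One way to put the answer into practice on the classroom PCs, as an added example that is not part of the original answer: it pulls the System event ID 1074 entries from one PC, separates remote shutdowns (process wininit.exe) from local ones (explorer.exe, winlogon.exe), and extracts the parenthesised origin that the comments above say carries the remote machine's IP address on Windows 8.1 and later. The message wording is assumed from the text quoted in those comments, and the parameter names are mine.

```powershell
# Added example (not from the original answer). Lists event ID 1074 entries and tags
# each one as Remote when the initiating process is wininit.exe, as described above.
# The message layout is assumed from the 1074 text quoted in the comments.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # e.g. -ComputerName pc02 for a classroom PC
    [int]$Days = 30
)

$filter = @{
    LogName   = 'System'
    Id        = 1074
    StartTime = (Get-Date).AddDays(-$Days)
}

# Named groups follow the wording of the 1074 message quoted in the comments.
$pattern = 'The process (?<Process>\S+) \((?<Origin>[^)]+)\) has initiated the ' +
           '(?<Action>.+?) of computer (?<Target>\S+) on behalf of user (?<User>.+?) for the following reason'

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $pattern)
        if (-not $m.Success) { return }   # skip 1074 entries with an unexpected layout
        $proc = [System.IO.Path]::GetFileName($m.Groups['Process'].Value)
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = $m.Groups['Action'].Value     # power off, restart, shutdown ...
            Process = $proc
            Origin  = $m.Groups['Origin'].Value     # remote host name or IP when Remote is True
            User    = $m.Groups['User'].Value
            Remote  = ($proc -ieq 'wininit.exe')    # per the answer: remote shutdowns run via wininit.exe
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Rows with Remote set to True and an Origin value are the ones worth chasing; an explorer.exe or winlogon.exe row means the PC was shut down from its own console, as the comments point out.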