
In a sub-network of 30 PCs + 1 teacher PC, one PC has been shut down 2 times. I suspect a student of running some unfriendly "shutdown -i". I logged on to that PC (as local admin) and used eventvwr / Windows Logs / System / filter on 1074. I saw a trace of the 2 unexpected shutdowns and checked whether the IP address of the initiator was indicated, but no IP address was reported: "the process wininit.exe (00 00 00 00 ) has initiated the power off of computer ...".
(The IP address was indicated only for the last shutdown, initiated by the student before leaving.)

  • How could I trace the IP address or the user ID of the person who initiated these shutdowns?
  • Could Wireshark on my PC trace that IP address?

Thanks in advance. Using my teacher PC, could I use Wireshark to get

  • Hi, could it be that the student just does the restart to boot from an external device, for example? – yagmoth555 Sep 23 '19 at 17:22
  • Is shutdown not using RPC? Good luck finding this payload in the amount of COM traffic going around. What Windows version? This may be relevant because of logging changes. – TomTom Sep 23 '19 at 17:32
  • As a comment: using the teacher PC you can NOT use Wireshark to see traffic between 2 computers; this is not how modern switches work. Your PC never even sees the traffic because it is not forwarded to it. – TomTom Sep 23 '19 at 17:33
  • Note that you can't shut down a PC remotely unless you have administrator privilege, so I suspect you have misdiagnosed the cause of the incident. Perhaps a previous user of the machine initiated a shutdown with a long timeout period? – Harry Johnston Sep 23 '19 at 18:39
  • Thanks for your answers. No idea about a way to find the IP address of the PC that initiated the shutdown? As I cannot see anything from the PC that has been shutdown, is there anything I could see in the log of the PC that initiated the shutdown? – Pilot André Sep 23 '19 at 21:11
  • I tried this out briefly on my home machine and Windows did not record any log entries when the shutdown was scheduled. Sorry, I don't think there's any way to track down the offender retroactively. What you *can* do is change the local security policy to only allow administrators to shut down machines. The local user can still shut them down by logging out and using the shutdown button on the logon screen, but the `shutdown` command won't work. – Harry Johnston Sep 24 '19 at 02:36
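Added example, not code from the original question or from any of the commenters: a PowerShell script that does on the affected PC what the question describes by hand (filter the System log for Event ID 1074), extracts the "on behalf of user" account from each entry, and then correlates each shutdown request with network logons (Security Event ID 4624, logon type 3) in the preceding two minutes, since those entries carry the source IP address that 1074 does not. It assumes it is run from an elevated prompt on the PC that was shut down, that the System log still holds the entries, and that successful logon auditing is enabled; the lookback and correlation window are arbitrary parameters.

```powershell
# Added example, not code from the original question or its comments.
# Run in an elevated PowerShell prompt on the PC that was shut down.
# Assumptions (not stated on the page): the System log still holds the
# Event ID 1074 entries, and the Security log audits successful logons
# (Event ID 4624), which a remote shutdown request must perform first.

param(
    [int]$LookbackDays  = 30,    # how far back to search (assumption)
    [int]$WindowSeconds = 120    # logon-to-shutdown correlation window (assumption)
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Turn an event's <EventData> into a hashtable keyed by the Data Name attribute.
# Some events (1074 among them) carry unnamed Data elements; those are skipped.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    return $fields
}

# Event ID 1074: a process requested a shutdown or restart. The message names the
# process and, for a request that arrived over the network ("shutdown /m \\pc" or
# the "shutdown -i" dialog run on another PC), the account it was made on behalf of.
$shutdowns = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1074; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $shutdowns) {
    Write-Warning "No Event ID 1074 entries in the last $LookbackDays days."
    return
}

foreach ($ev in $shutdowns) {
    $user = if ($ev.Message -match 'on behalf of user (\S+)') { $Matches[1] } else { '(not recorded)' }

    # Network logons (LogonType 3) shortly before the shutdown request. A remote
    # shutdown has to authenticate to this machine first, and 4624 records the
    # caller's IP address, port and workstation name.
    $from = $ev.TimeCreated.AddSeconds(-$WindowSeconds)
    $logons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $from; EndTime = $ev.TimeCreated
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        if ($d.LogonType -eq '3' -and $d.IpAddress -notin @('-', '::1', '127.0.0.1')) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source  = "$($d.IpAddress):$($d.IpPort)"
                Station = $d.WorkstationName
            }
        }
    }

    [pscustomobject]@{
        ShutdownTime        = $ev.TimeCreated
        OnBehalfOf          = $user
        Request             = ($ev.Message -split "`n")[0].Trim()
        NetworkLogonsBefore = if ($logons) {
            ($logons | ForEach-Object { "$($_.Account) from $($_.Source) ($($_.Station)) at $($_.Time.ToString('HH:mm:ss'))" }) -join '; '
        } else {
            'none in window: local shutdown, or logon auditing is off'
        }
    }
}
```

If the Security log shows no network logon in the window, the request was made locally (a scheduled `shutdown /t`, or someone at the console) or the log simply does not record logons, which is the case Harry Johnston describes: nothing retroactive is left to find. The rights that decide who may do this at all live under Local Security Policy > User Rights Assignment ("Shut down the system" and "Force shutdown from a remote system"); restricting them to Administrators is the preventive change his comment points at.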
