How to remotely perform a kill-switch on Windows 7?

Solution 1:

You don't need to actually destroy the machine; just force it to shut down and lock out the user.

  • Run shutdown /s /m \\<machinename> /f /t 0 to force a computer shutdown.
  • Disable the Active Directory user account for the user.
  • Disable the Active Directory user account for the computer.

Just make sure to shut down the computer before disabling its account, otherwise you will be locked out from remote management because it will no longer be able to authenticate anyone against the domain, including yourself.

If the user also has a local user account on the target computer, you can disable it before performing the above steps; you can do so by starting the Computer Management MMC on any other computer as a domain administrator and connecting it remotely to the computer you want to manage; from there, you can also take any other necessary steps to make sure nobody can log in to the machine using local user accounts (such as disabling them or changing their passwords).


Side note: if this is for legal/compliance issues, this is a very strong reason to not change or delete anything on the machine; otherwise the user could later say (perhaps correctly) the machine has been tampered with; also, if you delete anything on the filesystem, you could lose valuable data (who can tell if the user has stored personal files or applications in system folders?).
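The three steps of Solution 1, carried out in the order the answer insists on (shut down first, then disable the accounts), as an added PowerShell example; this is not code from the original answer. It assumes the ActiveDirectory RSAT module, domain-admin rights, and placeholder names for the computer and user that you substitute with your own.

```powershell
# Added example (not from the original answer). Carries out Solution 1:
# 1) force a remote shutdown, 2) disable the user's AD account,
# 3) disable the computer's AD account. The shutdown happens first so the
# machine is never left running with a disabled computer account, which
# would lock out remote management. Requires the ActiveDirectory RSAT module
# and domain-admin rights. $ComputerName / $UserName are placeholders.
param(
    [Parameter(Mandatory)] [string]$ComputerName,   # e.g. 'WS-PLACEHOLDER'
    [Parameter(Mandatory)] [string]$UserName        # sAMAccountName, e.g. 'jdoe'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: forced immediate shutdown over the network. A non-zero exit code
# (host unreachable, access denied) aborts before any account is touched.
shutdown.exe /s /m "\\$ComputerName" /f /t 0 /c "Administrative shutdown"
if ($LASTEXITCODE -ne 0) {
    throw "shutdown of $ComputerName failed (exit code $LASTEXITCODE); accounts left unchanged"
}

# Wait (up to two minutes) until the host stops answering ping before going on;
# if it is still up, stop here rather than disable its account while it runs.
$deadline = (Get-Date).AddMinutes(2)
while ((Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 5
}
if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
    throw "$ComputerName still answers ping; not disabling accounts"
}

# Step 2: disable the user's domain account.
Disable-ADAccount -Identity $UserName

# Step 3: disable the computer account. Get-ADComputer resolves the hostname
# to the computer object (its sAMAccountName is the name with a trailing '$').
Get-ADComputer -Identity $ComputerName | Disable-ADAccount

# Show the resulting state. Both changes are reversible with Enable-ADAccount.
Get-ADUser     -Identity $UserName     -Properties Enabled | Select-Object SamAccountName, Enabled
Get-ADComputer -Identity $ComputerName -Properties Enabled | Select-Object Name, Enabled
```

Run it as a script from a domain-joined management host, e.g. `.\lockout.ps1 -ComputerName WS-PLACEHOLDER -UserName jdoe`. Nothing here touches the target's filesystem, so the side note above still holds: the machine's contents are left exactly as they were.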

Solution 2:

As I already said several times, if this is a forensics case I strongly advise you against doing anything different than physically going there and picking up the machine; tampering with it in any way is bound to invalidate any legal proof that could come from it.


That said, there are several ways to render a machine unbootable while damaging it as little as possible, depending on how the system is actually installed (the main differences being if the system is BIOS- or UEFI-based and if a boot partition is used vs. the boot files being stored on the system partition); here are some options:

  • Delete the contents of the boot partition and/or UEFI partition (usually hidden but you can mount it); or delete the boot files from the system partition, if no boot partition is in use.
  • Delete the file C:\bootmgr.
  • Alter the boot manager configuration using bcdedit.exe.
  • Alter the partition table to not have an active partition.

And so on; messing with the boot manager is usually the best way to render a system unbootable while not actually damaging it. But since modern Windows systems have several possible boot pathways, there isn't a universal approach (e.g. a UEFI system doesn't rely on the MBR at all and just doesn't care about the active partition, if any).

If you limit your intervention to boot files, the actual system will be untouched, and you will be able to recover all its contents (and even to boot it again if you undo the damage).

Solution 3:

A few questions:

  • Is there any reason you need to go a destructive route?

If yes, go with @frupfrup's answer.

  • Does the user only have a domain logon, or do they have a local login as well?
  • How quick does this need to take effect?

Another thing you could do is cause a generic Active Directory login error. First disable cached logins on that machine, then disable or delete the computer account in Active Directory. To make it look like the computer had a fit, you could do a simple get-process | stop-process -force in a remote PowerShell session. Or even taskkill /im csrss.exe /f in a remote command prompt, using PsExec or similar.

When it "crashes" then reboots and the user tries to log in, he should get a somewhat generic "This computer could not be authenticated against the domain" type of error, IIRC. I would test all of this on something first; the authentication problem may not take effect right away, or Windows may be smart enough to prevent you from running those commands.

Solution 4:

There are a great many things you can do to prevent the user from using the computer.

However, none of them will go unnoticed by the user, since all of them will cause him to call the Help Desk, whether that is making the device non-bootable, disabling his account, disabling the computer account in AD, or all of the above.

We have similar issues when remote users fail to comply and return a laptop which was replaced but they continue to use it (out of laziness). However, in our case it's very simple since we are not trying to do any forensics. Remote into the computer, delete the local user's account, remove it from the domain, and delete the computer from AD. Voilà, the user can no longer use it, and we haven't totally made the laptop useless.

I honestly do not know of a way of making a computer useless to a user without them knowing and/or having them call the Help Desk to get it operational, etc.