My colleague often shuts down my machine through the LAN - how do I prevent it?

89

36

This might sound weird. My colleague and I were working on a Windows machine. He frequently shuts it down through the LAN.

He usually follows these steps:

  1. Access command prompt, enter shutdown -i.
  2. Choose my IP address, click on Shutdown.
  3. Select a timeout of 2–3 seconds.
  4. Click OK

Unfortunately, I cannot disable remote access to my computer. Is there a way to prevent this?

BlueBerry - Vignesh4303

Posted 2014-02-15T07:06:53.153

Reputation: 7 221

148Perhaps you could ask him to stop shutting down your computer remotely as well? It's a waste of company time and resources. – Thomas – 2014-02-15T07:42:17.660

16We made a game of this in Uni trying to remote shutdown each other's PC. We all got very good at going Win+r 'shutdown -a' – 50-3 – 2014-02-15T07:43:41.710

20With great power comes great responsibility. – Chris – 2014-02-15T09:57:43.677

1Adjust your Windows Firewall settings to prevent this – Ramhound – 2014-02-15T11:18:19.540

1Is he the network admin? Do you have local admin rights? You say "were" so the situation is no more there? – Bleeding Fingers – 2014-02-15T19:22:27.417

5@Thomas I see your point, but isn't it a worrying example of the stupidity of the default Win 7 setup? Anyone can shut down your machine by default?? Is Microsoft for real? – Tomas – 2014-02-16T09:33:43.233

21You could either ask him to stop, kindly, or less kindly, ask your superior to make him stop, or plug your/his machine off the network. Just, don't break his arms. It's not considered "acceptable retaliation". – Kheldar – 2014-02-16T23:21:04.843

23It's unfortunate that the highest-voted answer, although confirmed by several mods as being on-topic, is now locked and cannot be upvoted; while the technical solution, which many of us obviously believe to be missing the point, is still open for voting. Just saying. – alexis – 2014-02-17T12:07:21.277

3I am a little confused about which answer to accept: technically MAKZ's answer solves the problem, but David's answer solves the issue. Which to accept? :( – BlueBerry - Vignesh4303 – 2014-02-17T12:09:59.153

4@BlueBerry, I recommend you accept the one that, in your opinion, gives you the most useful advice. The problem you described has a social aspect, so you're not constrained to "accept" a technical solution. It's your choice. (I think my own preference is clear ;-)) – alexis – 2014-02-17T16:31:51.933

@Tomas: no, by default you need Administrator privilege to remotely shutdown a computer. Odds are the colleague does indeed have admin privilege, though it's also possible that the machine is configured improperly. – Harry Johnston – 2014-02-17T20:13:53.103

@HarryJohnston "by default you need Administrator privilege to remotely shutdown a computer." - you mean Administrator privilege on his own machine, not the remote one? That can be anyone! Just bringing his laptop and connecting to the LAN. This is definitely not safe. – Tomas – 2014-02-17T21:12:46.020

2Harry is correct. By default, you need administrator rights on the remote machine, the one being shut down. Some machines are misconfigured, like Harry said, or some companies put everyone in the local admins group. Higher education is notorious for things like this. – Patrick Seymour – 2014-02-17T21:16:52.193

2@Tomas: no, you need to be an administrator on the machine you're trying to shut down. I'd have thought that was obvious! – Harry Johnston – 2014-02-17T21:24:35.727

@all Is it possible that the colleague sneaked into his PC and created an admin account and hid it? – MAKZ – 2014-02-18T03:03:01.337

4@MAKZ colleague is not network admin and we both are just domain users – BlueBerry - Vignesh4303 – 2014-02-18T05:38:12.800

@alexis The answer had to be locked to prevent the comments from escalating. It's now unlocked again and we're watching it. – slhck – 2014-02-18T12:11:26.503

1Collect the evidence (logs), and present them to superiors/human department? If they are not completely incompetent the problem will be resolved. – this – 2014-02-18T13:41:32.017

4@BlueBerry-vignesh4303: if your colleague does not have admin credentials on your machine, then there's something wrong with the machine. Non-admin users are not supposed to be able to shut down machines remotely. Get your IT support staff to investigate. – Harry Johnston – 2014-02-18T19:54:03.750

What does net localgroup Administrators (run from the command line) show? – Harry Johnston – 2014-02-18T20:42:44.643

@BlueBerry-vignesh4303 - Why does he do that ? Anyway, thanks for the question. This could be a good prank though. – Steam – 2014-02-18T22:50:57.200

2Have you considered blackmail? – ErikE – 2014-02-19T01:05:54.493

1So there's a guy who uses pranks to form relationships with his coworkers. You can either shut him down, or play pranks on him. Have you tried pranking him back? Easy method would be to buy a wireless keyboard and mouse, and put the tiny dongle into his machine. Whenever he shuts down your computer, shut his down, or put a brick on the space bar until your computer comes back up, or send an email, or start his browser and load an annoyingly loud website, or, or, or. Once he removes the dongle, hide a noisemaker around his cube, etc, etc. harmless pranks don't have to be a bad thing. – Adam Davis – 2014-02-19T15:45:23.817

1I'd punch him in the face. – Big McLargeHuge – 2014-02-21T06:18:23.490

1

See if this article might help you

– Mr. Alien – 2014-02-23T19:12:46.330
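
Added example, not part of the original thread: for the suggestion in the comments above to collect logs, Windows records each shutdown request as event ID 1074 in the System log, and the PowerShell below pulls the requesting account out of the message text. The function name, the sample message (its computer and account names are constructed) and the reliance on the English message template are assumptions.

```powershell
# Added example, not from the thread: list who requested each shutdown/restart.
# Get-ShutdownRequester is a hypothetical helper name.
function Get-ShutdownRequester {
    param([Parameter(Mandatory)][string]$Message)
    # Assumption: English message template of event 1074.
    $pattern = 'The process (?<proc>.+?) has initiated the (?<type>.+?) of computer ' +
               '(?<pc>\S+) on behalf of user (?<user>.+?) for the following reason'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            User     = $Matches.user
            Type     = $Matches.type
            Computer = $Matches.pc
            Process  = $Matches.proc
        }
    }
}

# Constructed sample message (names are placeholders), so the parser can be tried offline.
$sample = 'The process C:\Windows\system32\winlogon.exe (DESK-042) has initiated the ' +
          'power off of computer DESK-042 on behalf of user EXAMPLE\colleague for the ' +
          'following reason: No title for this reason could be found'
Get-ShutdownRequester -Message $sample

# Live query: shutdown requests recorded in the last 30 days on this machine.
Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $r = Get-ShutdownRequester -Message $_.Message
        if ($r) {
            # Attach the event time so the rows can be matched to the interruptions.
            $r | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
        }
    } |
    Sort-Object Time |
    Format-Table Time, User, Type, Process -AutoSize
```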

Answers

197

You are seeking technical solutions to a social problem and you're trying to address the symptoms instead of the underlying cause. This runs the risk of failure if he finds some other way of shutting down your machine.

Talk to your friend and remind him that you're not pals messing about at university, any more: you're professionals being paid to do a job. His behaviour is completely unacceptable in the workplace. He is deliberately stopping you from doing your job which, ultimately, is putting your job at risk. What happens when your boss calls you in to explain your poor performance? Do you accept the blame and get yourself fired? Or do you blame your friend and get him fired? Friends don't put friends in that situation.

Tell your friend that he needs to stop. Right now. Period. If he doesn't, you're going to have to talk to management.

David Richerby

Posted 2014-02-15T07:06:53.153

Reputation: 1 899

58

Since there's been some concern about the non-technical nature of this answer: We discussed a similar case a few years ago on the meta site and the consensus is: While questions need to be technical to be on topic, answers don't. They need to answer the question. Which this one does.

– Daniel Beck – 2014-02-15T19:23:29.187

1Stopping one person in this manner may work, but what happens when an anonymous script kiddie happens onto this security hole? – Nick T – 2014-02-20T23:15:50.163

2@NickT If the vulnerability is accessible from outside then a technical fix on the OP's machine won't help much, either, since every other machine in the company will need the same fix. – David Richerby – 2014-02-20T23:18:28.737

+1 for recognising the difference between a technical and a business situation. – user1725145 – 2014-02-25T09:17:38.437

Yes, it seems logical that social problems are most often better dealt with social counter-actions. (In some cases, not excluding retaliation). – stefgosselin – 2014-02-27T15:38:49.223

161

Run gpedit.msc and try disabling the option as shown below. Restart your PC to see if it works:


MAKZ

Posted 2014-02-15T07:06:53.153

Reputation: 1 427

This could be avoided by psexec'ing most likely. – Yet Another User – 2015-11-14T21:20:21.247

23The right to shut down without logging on pertains to local console shutdowns. For remote shutdowns, you should go to Local Policies | User Rights Assignment | Force shutdown from a remote system. – Patrick Seymour – 2014-02-15T15:52:44.600

1@PatrickS. Thanks, but that security setting determines which users are allowed to shut down, and its default value is Administrators. Apparently his colleague is not an Administrator on his PC – MAKZ – 2014-02-15T15:58:34.470

13+1 Finally a real answer. Enjoy the "Good answer" badge. – Tomas – 2014-02-16T09:40:12.637

3@MAKZ I didn't see any mention that his colleague is not an admin. Also, it is the case that the policy you mention pertains to local (console) shutdowns. Read the explanation of the policy. – Patrick Seymour – 2014-02-16T21:36:33.813

And if IT at this company has a legitimate reason to shut down the computer? After pushing a security update, for example? – Ben – 2014-02-17T00:48:32.413

@PatrickS. the explanation of the policy reads In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. – MAKZ – 2014-02-17T00:55:13.760

1@Ben If the company is an admin on his PC, then they may log in remotely and then perform a remote shutdown. But the colleague is not likely an admin. If the colleague is an admin, he has the same authority to shut down remotely as the company has, and he is misusing it – MAKZ – 2014-02-17T00:57:51.100

4If the colleague weren't an admin, he wouldn't be able to shut down the machine remotely (unless the machine is badly misconfigured). The setting you've indicated is completely irrelevant. – Harry Johnston – 2014-02-17T20:16:35.333

@MAKZ Right before that, it talks about the Windows logon screen. – Patrick Seymour – 2014-02-17T20:41:44.533

When you use shutdown.exe to shut down a remote machine, the first thing it does is to use your account credentials to log into that machine. So while the explanation quoted above is absolutely correct, it isn't relevant to this situation, because the user is logged in. – Harry Johnston – 2014-02-17T22:59:04.173

@HarryJohnston but his colleague is not ! – MAKZ – 2014-02-18T03:34:39.370

If you are on Home Premium, by copying some DLL's and registering some components from the windows 7 DVD (or windows 8, if you have to) you can get gpedit. So this works for everyone. – Wyatt8740 – 2014-02-18T13:35:16.243

that requires sneaking – MAKZ – 2014-02-18T13:38:32.157

2@MAKZ: the colleague is using shutdown.exe to shut down the OPs machine. This only works because shutdown.exe uses the colleague's network credentials to log into the OPs machine. So the colleague is logged in. – Harry Johnston – 2014-02-18T19:51:19.287

46

The policy you want to change is in

Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment

Locate the policy named "Force shutdown from a remote system." By default, this policy has a value of Administrators. Just edit it to be an empty list, or put your friendly trusted IT person in there instead.

[Image: policy to force shutdown remotely]


A note about "Shutdown: Allow system to be shut down without having to log on"

This policy applies to local shutdowns only. That is, it controls whether someone present at the computer can shut it down without having to log on first. By default, this policy is Enabled on workstations, and you can see the shutdown button in the lower right corner of the Windows logon screen.

[Image: local shutdown allowed]

If you set this policy to Disabled, you will no longer see the shutdown button on the logon screen. A user would have to log on to the computer to shut it down. This is typically how servers are setup.

[Image: local shutdown prohibited]

This policy does nothing to prevent a remote shutdown. You can try it yourself on a system that you can shutdown remotely. Set this policy to Disabled, and you will still be able to shut down that system.


A note about the Remote Registry service

Disabling the Remote Registry service does not prevent remote shutdowns. Remote Registry only affects the ability of the Shutdown Event Tracker to record the reason for the shutdown. If the reason cannot be recorded, the shutdown still occurs.

Patrick Seymour

Posted 2014-02-15T07:06:53.153

Reputation: 7 662

Note, however, that if you have administrator access, you can bypass this policy if you really want to. It just makes it a little trickier. The bottom line is that if the bad guy has admin to your machine, you've already lost. – Harry Johnston – 2014-02-17T21:27:07.740

@HarryJohnston Not disagreeing, but how is that done? I might need to prevent that in the future, if possible. Maybe I shouldn't ask in public. :) – Patrick Seymour – 2014-02-17T21:28:25.197

1Well, as an example, you could use psexec to run shutdown on the machine locally. The "deny access to this computer from the network" policy should block this class of attack, but may also prevent legitimate access as in the OPs situation. – Harry Johnston – 2014-02-17T23:02:32.923

2True. I always worry about telling people how to set policies in a corporate environment. Hate to make a fellow IT geek mad. – Patrick Seymour – 2014-02-17T23:07:20.957
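
Added example, not part of the original answer: a PowerShell check of which accounts currently hold "Force shutdown from a remote system" (internal name SeRemoteShutdownPrivilege), followed by the `net localgroup Administrators` listing suggested in the comments on the question. It assumes an elevated prompt, which `secedit /export` needs; the function name and the temporary file name are illustrative.

```powershell
# Added example, not from the answer: who holds "Force shutdown from a remote system"?
# Get-RemoteShutdownHolders is a hypothetical helper name.
function Get-RemoteShutdownHolders {
    param([string[]]$InfLines)
    # The exported [Privilege Rights] section has lines such as:
    #   SeRemoteShutdownPrivilege = *S-1-5-32-544
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeRemoteShutdownPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }          # line absent: the right is assigned to nobody
    foreach ($entry in (($line -split '=', 2)[1]).Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }   # "SeRemoteShutdownPrivilege =" with an empty list
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names.
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
            [pscustomobject]@{ Sid = $sid; Account = $name }
        } else {
            [pscustomobject]@{ Sid = ''; Account = $entry }
        }
    }
}

# Constructed sample matching the default the answer describes (Administrators only).
Get-RemoteShutdownHolders -InfLines '[Privilege Rights]', 'SeRemoteShutdownPrivilege = *S-1-5-32-544'

# Live check: export the current user-rights assignments and parse them.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # illustrative file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; run from an elevated prompt.' }
Get-RemoteShutdownHolders -InfLines (Get-Content $cfg) | Format-Table -AutoSize
Remove-Item $cfg

# If Administrators holds the right, its membership decides who can shut the machine down.
net localgroup Administrators
```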

18

This is a simple way to fix this problem without admin privileges.

But still.. Talk to your colleague man. I leave this with the community for any circumstances where disciplinary action is not readily available e.g internet cafe.

Put the code below in a new text file, then change the .txt extension to .bat.

If you do not see the .txt extension, go into:

  1. "folder and search options"
  2. uncheck "hide file extensions for known file types".

If win 8.1/8, in the my documents window, click view tab and find the options button.

Shutdown abort CODE, remember to close it when shutting down.

    @echo off
    rem Cancels any pending shutdown once a second while this window stays open.
    :start
    rem Clear the command prompt window (optional).
    cls
    echo Shutting Down Cancel
    shutdown -a
    timeout /t 1
    goto start

The code is not resource intensive for modern computers and won't show up in virus scanners - because it's not a virus =D

Pathfinder

Posted 2014-02-15T07:06:53.153

Reputation: 1 068

1It will keep a command window open.... he may accidentally close it – MAKZ – 2014-02-15T12:43:52.483

17This is a bad "solution". – Nit – 2014-02-15T16:34:43.603

4Why cls if you have already @echo off? – Ruslan – 2014-02-15T18:01:26.053

it seems this a CPU killer!!!, cls in an infinite looooop :D – frogatto – 2014-02-15T20:50:33.387

@Ruslan just run the script with and without cls and see the difference – MAKZ – 2014-02-15T20:59:49.950

10@MAKZ shutdown -a > NUL is more efficient than shutdown -a with cls – frogatto – 2014-02-15T21:04:16.220

If you do it this way, you just aren't getting any better than your colleague. – Amal Murali – 2014-02-16T04:48:11.457

2Well it's here if anyone needs it =P CPU KILLER! =D – Pathfinder – 2014-02-16T07:57:30.107

2Along with this batch file, you should add a step where it checks for an existing pending shutdown initiated by said user, and initiate a shutdown on his machine with a 0 second wait and using the -f switch! – ErikE – 2014-02-19T01:04:27.547

16

You can disable this by either disabling the Remote Registry service or removing all other access to shutdown

Disable Remote Registry:

sc config "RemoteRegistry" start= disabled

Shutdown location:

C:\Windows\System32\shutdown.exe


Warnings:

Removing access to shutdown.exe will result in some unexpected results when doing any system tasks which involve resets etc.

As for Remote Registry:

Disabling the RemoteRegistry service will break most patch management solutions including the Software Update Service and Windows Automated Update. If you disable this service, you will have to perform patch management manually

-Brian Groth's Life at Microsoft

50-3

Posted 2014-02-15T07:06:53.153

Reputation: 3 779

1Uh ... in this scenario, the other user is running the copy of shutdown.exe on their own machine, not the one on the machine being targeted. So deleting your copy really isn't going to help. – Harry Johnston – 2014-02-17T23:03:34.023

@HarryJohnston If you remove your colleague's access to shutdown it works – 50-3 – 2014-02-17T23:06:36.957

... and what's supposed to stop them from downloading another copy, or any program with similar functionality? – Harry Johnston – 2014-02-17T23:08:08.983

What's stopping you from walking over to his desk and flipping the AC/DC switch? there is no way of 100% stopping this behaviour – 50-3 – 2014-02-17T23:50:30.863

4No, but this option seems particularly ineffective to me. And if you consider the big picture, messing with the other guys computer probably isn't a good idea, as it's only going to escalate things, and it makes you look bad if and when management get involved. – Harry Johnston – 2014-02-18T00:01:27.803

I agree this is ineffective as technical solutions to social problems rarely work that well. – 50-3 – 2014-02-18T00:12:08.207

12

From TechNet:

In order to use this feature, the Remote Registry service must be enabled on the remote computer. See Enable the Remote Registry Service for more information.

Access to the Remote Registry or membership in the Administrators group on the remote computer is the minimum required to complete this procedure.

cobbbob

Posted 2014-02-15T07:06:53.153

Reputation: 121

11

You could add the following into a file, say, C:\kill-shutdown.ps1, then put the file into the group policy: Local Computer Policy>Computer Configuration>Windows>Settings>Scripts (Startup/Shutdown)>Shutdown

    # Abort the pending shutdown unless C:\allow-shutdown.txt exists.
    if ((Test-Path C:\allow-shutdown.txt) -ne $True) { shutdown -a }

Then, if C:\allow-shutdown.txt doesn't exist, it will abort ALL shutdowns.

Yet Another User

Posted 2014-02-15T07:06:53.153

Reputation: 249

2Probably more efficient than the looping batch file. Sadly needs admin privileges – Yet Another User – 2014-02-16T20:48:10.023

10

Remove him from the ipc$ share of your computer:

  • Open Computer Management.
  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  • In the console tree, click System Tools, click Shared Folders, and then click Shares.
  • In the details pane, right-click the shared folder, and then click Properties.
  • On the Share Permissions tab, set the permissions you want:
  • Add him as user with no rights.

RedBug

Posted 2014-02-15T07:06:53.153

Reputation: 523