The question is about the shutdown command with the /m \\MACHINE switch, which can be used to shut down (reboot, sleep etc.) a Windows machine remotely. In my case I'm dealing with a local home network between Windows 7 and Windows 8 machines. Homegroup is disabled on all machines and networking is managed the "traditional" way by creating user accounts with passwords on all machines.
I read somewhere that in order to execute that command remotely the issuing account should also be registered on the remote recipient machine as a member of the Administrators group. To test this behavior of the shutdown command I set up two user accounts named Test and Mike on the local (issuing) Windows 7 Pro machine. Both accounts belonged to the regular Users group.
I also went to the remote (recipient) Windows 8 Pro machine called FILES and created just one account there named Mike as a member of the Users group.
Now, I logged in as Test into my local machine and issued the command
shutdown /m \\FILES /r /f /t 0
from the command prompt. I immediately received an "Access denied" response. This was expected behavior. So far so good.
Then I logged in as Mike into my local machine and issued the same command. To my surprise, the remote machine immediately went into reboot. What gives?
I went to the remote machine and opened its Local Security Policy settings. In its User Policies group I found such policies as
Force shutdown from a remote system = Administrators
Shut down the system = Administrators, Users
I removed Users from the latter policy, leaving only Administrators there.
I rebooted the remote machine, again logged in as Mike into my local machine and issued the same command. The remote machine again compliantly went into reboot.
The amusing detail here is that when Mike is logged into the FILES machine locally, he cannot reboot it, since the Shut down the system policy is set to Administrators, while Mike is a mere User. But the same Mike can successfully reboot FILES remotely.
So, what's going on here? How come I am able to reboot the remote machine using a User-level account? Moreover, the aptly named policy Force shutdown from a remote system, set to Administrators, seems to suggest that regular User accounts should not be able to do it. Yet it reboots.
What am I missing here? What lets that remote reboot command slip through? What should I block, and where, to prevent Mike from being able to reboot the FILES machine remotely?
A further investigation shows the following entries in the Event Log of FILES:
The process wininit.exe (192.168.1.2) has initiated the restart of computer FILES
on behalf of user FILES\Administrator for the following reason: No title for this
reason could be found
Reason Code: 0x800000ff
Shutdown Type: restart
Comment:
Such entries correspond to each remote reboot command received by FILES. 192.168.1.2 in this case is the IP address of the machine that issued the shutdown command. So, as @misha256 correctly suggested, the command is actually executed on the remote machine as if it was issued by Administrator. This is why the current policies don't block it.
Now the question is where it managed to elevate from Mike to Administrator: on the local machine or on the remote machine? And, of course, how and why it happened...
try the command gpupdate /force – Richie Frame – 2015-02-27T06:01:17.837
@Richie Frame: Just tried it. Doesn't change anything. Rebooting the remote machine should have updated the policy anyway... – AnT – 2015-02-27T06:18:02.590