Monday, October 18, 2010

starting off with a push

This trick lets you log in to a locked Windows machine with your own GUI session, under your own credentials or even under the system account.  It requires a bit of setup, but it does not require any files to be copied to the target machine.  It relies on the Sysinternals tool psexec, a Linux box running Samba with an open (guest-accessible) share, and admin credentials on the machine in question.  Psexec needs to be on both the Linux share and the host computer from which you will initiate the command.  The command I came up with is:

psexec \\TARGET_MACHINE cmd /c "pushd \\LINUX_SHARE$\ && psexec.exe /accepteula /i /x /d explorer.exe"

OK, so we run psexec against the target machine, but since we can't start explorer with /x straight from that first call, we get cmd going on the target and then immediately use pushd to map a UNC path to the Linux box.

I'm using && as a logic gate so that if the first command fails, the second won't try to run.  Once the target machine has the Linux share mapped, we kick off the psexec on that share with the switches /accepteula /i /x /d, starting the explorer process.  The /i switch makes the process interactive so we see the results on-screen, the /x switch is the linchpin that lets us launch the command on the secure (Winlogon) desktop of a locked PC, and the /d switch releases the shell as soon as the command is started so we can continue to run commands.  The command will also stall if /accepteula isn't thrown in, because the EULA prompt would appear on a desktop nobody can see.
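From the defender's side, the procedure above leaves a recognisable trail on the target: PsExec installs its PSEXESVC service (System event 7045), the admin connection is a network logon (Security event 4624, logon type 3), and with command-line auditing enabled the spawned cmd.exe shows up in Security event 4688 with the pushd-to-UNC and psexec /x command line. The following script is an added example, not part of the original post and not a Sysinternals tool: it runs that detection logic over a few constructed event records (simplified dicts rather than real event XML; the host names, user and IP address in them are made up).

```python
"""Added example (not from the original post): detection logic for the
PsExec-launched interactive session described above, run over a few
constructed Windows event records.

Facts relied on: PsExec installs a service named PSEXESVC on the target
(System log, event 7045), the admin connection is a network logon
(Security 4624, logon type 3), and with command-line auditing enabled the
spawned cmd.exe appears in Security 4688 with its full command line.
"""
import re

# Constructed sample records (simplified dicts, not real event XML).
SAMPLE_EVENTS = [
    {"log": "System", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"log": "Security", "id": 4624, "LogonType": "3",
     "TargetUserName": "admin", "IpAddress": "10.0.0.5"},
    {"log": "Security", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "pushd \\linuxbox\share$\ && '
                    r'psexec.exe /accepteula /i /x /d explorer.exe"'},
    {"log": "Security", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# pushd followed by a UNC path (two leading backslashes).
UNC_PUSHD = re.compile(r"pushd\s+\\\\[^\s&]+", re.IGNORECASE)
# psexec invoked with the /x (secure desktop) switch.
PSEXEC_SECURE_DESKTOP = re.compile(r"psexec(?:\.exe)?\b.*\s/x\b", re.IGNORECASE)


def classify_event(ev):
    """Return the detection tags that apply to a single event (possibly none)."""
    tags = []
    if (ev["log"] == "System" and ev["id"] == 7045
            and ev.get("ServiceName", "").upper() == "PSEXESVC"):
        tags.append("psexec_service_installed")
    if ev["log"] == "Security" and ev["id"] == 4624 and ev.get("LogonType") == "3":
        tags.append("network_logon")
    if ev["log"] == "Security" and ev["id"] == 4688:
        cmd = ev.get("CommandLine", "")
        if UNC_PUSHD.search(cmd):
            tags.append("pushd_to_unc")
        if PSEXEC_SECURE_DESKTOP.search(cmd):
            tags.append("psexec_secure_desktop")
    return tags


def detect_chain(events):
    """Correlate tags across the stream.

    Alert when the service install and the /x launch both appear; the
    pushd-to-UNC step and the network logon are corroborating context.
    """
    seen = set()
    for ev in events:
        seen.update(classify_event(ev))
    alert = {"psexec_service_installed", "psexec_secure_desktop"} <= seen
    return alert, sorted(seen)


if __name__ == "__main__":
    alert, tags = detect_chain(SAMPLE_EVENTS)
    print("ALERT" if alert else "no alert", tags)
```

The 4688 command line is only present when "Include command line in process creation events" is enabled on the target; without it the 7045 service install plus the network logon is still enough to notice PsExec use, just not the /x detail.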

A nice side-effect of using pushd to map the Linux share is that the mapping stays in the command prompt you have on the target machine, so you can browse the share from there as well.  Whenever you want to get back to where you started, popd takes you back.

Once you've logged into the locked computer, a couple of interesting things happen.  For one, Group Policy (if you are on a domain) does not seem to apply to the second session.  Also, either session can be logged on or off without touching the other.  Note that sometimes Windows Themes can become screwy in the first session, but a restart will fix it.

This trick can come in handy for many reasons.  I like to use it as a last resort when I need to access the GUI on a locked computer to install software or configure settings while the user is unavailable to unlock it.

2 comments:

  1. Here is the smb.conf file to create an "open share" in Linux as mentioned above. These are the entire file contents you will need for this task, between the ~'s.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    [global]
    workgroup = WORKGROUP
    security = share
    guest account = nobody
    server string = HOSTNAMEOFYOURLINUXPC
    socket options = TCP_NODELAY
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    ; documented parameter name is "deadtime" (written as one word)
    deadtime = 15
    getwd cache = yes
    ; "lpq" alone is not a Samba parameter; the intended one is "lpq cache time"
    lpq cache time = 30
    large readwrite = no

    [share$]
    comment = share
    path = /share
    read only = yes
    guest ok = yes
    public = yes
    guest only = yes
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Not all of the components make the share open, but I found a lot of these tweaks useful. This is from CentOS, but should transfer to Debian-based distros as well. I recall having an issue with Ubuntu where the share name exactly matched the folder name, so a dollar sign as above *should* take care of that. (I hope this wraps properly.)

  2. Follow up:
    The share can be made writable by changing the "read only" in the [share$] line to:

    read only = no

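The two comments above show the guest-accessible share and the one-line change that makes it writable. The script below is an added example, not part of either comment and not Samba's own tooling: it parses a constructed copy of that smb.conf (reduced to the access-relevant settings, plus a made-up non-guest share named "private" for contrast), reports per share whether guests can reach it and whether it is writable, and flags the legacy "security = share" mode, which Samba 4 removed.

```python
"""Added example (not from the comment above, not Samba's own tooling):
a small audit of an smb.conf that reports, per share, whether guests can
reach it and whether it is writable, using a constructed copy of the
commenter's configuration plus one non-guest share for contrast.
"""
import configparser

# Constructed sample, reduced to the access-relevant settings.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = share
guest account = nobody

[share$]
comment = share
path = /share
read only = yes
guest ok = yes
public = yes
guest only = yes

[private]
path = /srv/private
read only = no
valid users = alice
"""


def parse_smb_conf(text):
    """smb.conf is INI-like: '#' or ';' comments, case-insensitive keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = lambda key: key.strip().lower()
    cp.read_string(text)
    return cp


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def uses_share_level_security(text):
    """'security = share' (removed in Samba 4) authenticates per share, not per user."""
    cp = parse_smb_conf(text)
    return cp.get("global", "security", fallback="user").strip().lower() == "share"


def audit_shares(text):
    """Return {share: {"guest_access": bool, "writable": bool, "risk": str}}."""
    cp = parse_smb_conf(text)
    findings = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        # 'public' is a synonym for 'guest ok'.
        guest = _yes(sec.get("guest ok", "no")) or _yes(sec.get("public", "no"))
        # 'writable'/'writeable' are the inverse of 'read only' (default yes);
        # Samba takes whichever it reads last, here the writable keys win if
        # present (simplification).
        writable = not _yes(sec.get("read only", "yes"))
        for key in ("writable", "writeable"):
            if key in sec:
                writable = _yes(sec[key])
        if guest and writable:
            risk = "high"
        elif guest:
            risk = "medium"
        else:
            risk = "low"
        findings[name] = {"guest_access": guest, "writable": writable, "risk": risk}
    return findings


if __name__ == "__main__":
    print("share-level security:", uses_share_level_security(SAMPLE_SMB_CONF))
    for share, info in audit_shares(SAMPLE_SMB_CONF).items():
        print(share, info)
```

With the commenter's follow-up change applied ("read only = no" on [share$]), the share becomes anonymously writable and the audit moves it from medium to high: anyone who can reach the Samba box on the network can then drop files that machines will pushd into and execute from.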