Friday, 31 December 2010

Backdoor ways to reboot a Windows server

When you need to reboot a Windows server, you’ll occasionally encounter obstacles to making that happen. For instance, if remote desktop services aren’t working, how can you reboot the server? Here is a list of tricks I’ve collected over the years for rebooting or shutting down a system when I can’t simply go to the Start Menu in Windows.



  • The shutdown.exe command: This gem will send a remote (or local) shutdown command to a system. Entering shutdown /r /m \\servername /f /t 10 will send a remote reboot to a system. Shutdown.exe is current on all modern Windows systems; in older versions, it was located on the Resource Kit. For more details, read this Microsoft KB article on the shutdown.exe command.


  • PowerShell Restart-Computer: The equivalent of the command above in PowerShell is:

    Start-Sleep 10

    Restart-Computer -Force -ComputerName SERVERNAME

  • Hardware management device: If a device such as an HP iLO or Dell DRAC is in use, there is a virtual power button and remote screen console tool to show the system’s state regardless of the state of the operating system. If these devices are not configured with new servers, it’s a good idea to have them configured in case the mechanisms within the operating system are not available.

  • Virtual machine power button: If the system in question is a virtual machine, all hypervisors have a virtual power button to reset the system. In VMware vSphere, be sure to select the option to Shut Down The Guest Operating System instead of the Power Off; this will make the call to VMware Tools to make it a clean shutdown. If that fails, the Power Off button will be the next logical step.


  • Console walkthrough: In the situation where the server administrator does not have physical access to the system, walking someone through the process may be effective. For security reasons, basically a single user (domain or locally) can be created with the sole permission of rebooting the server. That person could log on as this temporary user, and then it is immediately destroyed after the local shutdown command is issued. Further, that temporary user could be created with a profile to run the reboot script on their logon to not have any interaction by the person assisting the server administrator.

  • Configure a scheduled task through Group Policy: If you can’t access the system in any other mainstream way — perhaps the Windows Firewall is turned on and you can’t get in to turn it off — set a GPO to reconfigure the firewall state and slip in a reboot command in the form of the shutdown.exe command executing locally (removing the /m parameter from above). The hard part will be getting the GPO to deploy quickly.

  • Enterprise system management packages: Packages such as Symantec’s Altiris and Microsoft System Center agents communicate to the management server and can receive a command to reboot the server.


  • Pull the plug: This is definitely not an ideal approach, but it is effective. For physical servers, if a managed power strip with port control is available, a single system can have its power removed and restored.


What other backdoor ways have you used to reboot a Windows server? Share your comments in the discussion.




Ref: http://blogs.techrepublic.com.com/datacenter/?p=3562&tag=nl.e071

Thursday, 9 December 2010

10 Sysinternals tools you shouldn't be without

Sysinternals has been around for quite some time and was acquired by Microsoft in 2006. These are great little tools for getting some heavy-hitting Windows things done and sometimes done better than when using the built-in tools for a task. The entire suite of products is available for download. While this is the easiest way to get the tools because they are bundled together, there are some tools that I find myself using far more than others. Here’s a look at my favorite tools in the Sysinternals collection (or the ones that I use the most).


Note: This article is also available as a TechRepublic photo gallery.



1: PsList and PsKill


I listed these together because I typically use them in this order. The goal here is to see processes on a machine — with PsList, I find the process ID, and then use PsKill to terminate the process.


There are quite a few ways to return information with PsList, and the best part is that it works on local and remote machines. PsKill works similarly to PsList except it is used to terminate processes by process ID.


2: Process Explorer


Process Explorer is a great tool for digging into open files or resources. Trying to open a file, but getting a notification that it’s already open? Process Explorer can help determine which application or process has the file open. It is a GUI-based utility and can be used as a Task Manager replacement. The utility has two panes of information. The top pane shows currently active processes on your system and includes information about the name, the account that owns the process, and the CPU usage of the process.


The bottom pane has two modes of operation, handle mode and DLL mode. When handle mode is enabled, selecting a process in the top portion of the window will show you the handles that the process has open. In DLL mode, the pane displays the DLLs and memory-mapped files loaded by the selected process.



3: ZoomIt


ZoomIt is a utility for the public speaker in all of us. When presenting information, sometimes it is helpful to show a certain area of the screen, magnified to call attention to a dialog box or other item. This is what ZoomIt does. When configured, it will integrate with PowerPoint to allow macro keys to trigger functions during a presentation.


4: PsLoggedOn


PsLoggedOn uses a registry scan to look through the HKEY_USERS key to see which profiles are loaded. Looking at the keys with a user ID SID, PsLoggedOn looks up the username of the SID and displays it. This shows you who is logged on in any session to a PC. When querying remote systems, your userid will be found as a connected user session as well. The remote and local users are returned separately to help distinguish logon types.


5: Autoruns


You know how malware likes to invade the startup folder and other locations on infected systems? Seems that these are the hardest things to find and get rid of when trying to clean up spyware/malware/ infections. Autoruns can help with that. It looks through all possible locations where applications can be listed to automatically launch when Windows starts. Then, it displays them in a tabbed, easy-to-follow GUI. You can hide Microsoft-signed entries to eliminate the good items from the list of things that start up on your system.


6: Contig


Some files have trouble with disk defragmenting applications and for one reason or another, can’t be corrected. This is where you might use Contig. It is a single file defrag utility, which can be helpful if you use a file often and suspect it might be suffering from performance issues due to fragmentation.



7: Disk2vhd


Disk2vhd creates a virtual hard disk file from a physical system for use with Hyper-V or even with Windows 7 or Server 2008 R2. Disk2vhd supports Windows XP SP2 and Windows Server 2003 SP1 and higher, including 64-bit versions of these systems.


A great use of this utility might be to create a snapshot of an entire disk for backup purposes. There are also options that allow Disk2vhd to be run at the command line. You can use these options to script vhd creation. Using the utility in this way would allow you to use Task Scheduler and Disk2vhd to create a snapshot of your PC at scheduled intervals with no user intervention. One caveat: When creating vhds, be sure not to attach them to the same system you created them from if you are going to boot from the vhd.


8: MoveFile


As we all know, there are times when files need to be moved or deleted to help get things cleaned off a PC (malware/bots/viruses). Sometimes, this can’t be done because files are in use, which prevents actions on the files until they are closed or the computer is rebooted. MoveFile provides an API that marks files for move/rename/delete at the next restart of the Windows system. Doing this allows the file to be acted on before it is referenced by the system.


9: PSFile



The PStools utilities are all popular and useful, but one that I recently discovered is PSFile. This utility shows files on a system that are open by remote systems by default but that can be passed parameters to return information about remote systems as well. This tool is a good way to check for open files on file servers when users might report read-only issues or have problems getting files to open properly.


10: Sync


This utility was created to mirror a UNIX utility that will allow you to flush cached file system data to disk. Doing this can help prevent problems with lost system information in the event of a system failure and helps to ensure live system information is getting written to disk.


The way I see this being useful depends on how stable your system is. If your computer tends to crash more than you would like (or if you are testing some scenarios), you might create a scheduled task to ensure that the system info is flushed back to disk once per hour or some other predefined timeframe. Another cool thing about this sync utility is that USB or ZIP drives or other removable drives can be flushed. You will need administrative privileges to use Sync.

Sunday, 5 December 2010

Install Firesheep on Ubuntu 10.04 or 10.10

This morning I had a little bit of free time so I thought I’d (finally) check out the Firefox extension Firesheep. The main website mentions that it isn’t supported for Linux, but the source code is available and as it turns out very easy to compile. Below are instructions for downloading, compiling and installing the Firesheep security plugin for Firefox.

Get the Source

You’ll need to download the source code from github, which can be done using the following two commands:

git clone https://github.com/codebutler/firesheep.git
cd firesheep
git submodule update --init


These two commands will download the code required to compile Firesheep, putting the source into a new directory called “firesheep”.

Build Tools

To compile Firesheep on Ubuntu 10.04 or 10.10 you’ll need the following development packages installed. Simply copy-paste the following list of packages into your terminal:

sudo apt-get install autoconf libtool libpcap-dev libboost-all-dev libhal-dev xulrunner-1.9.2-dev

On my machine this installed quite a few packages, and while the main Firesheep website lists 10.10 specifically, I had no problems on my 10.04 installation.

Build Firesheep

You’re now ready to compile Firesheep. Run the following command and hopefully you’ll be able to build it without error:

./autogen.sh && make


Install the Plugin

If all is well you should find a new file called ‘firesheep.xpi’ in a subdirectory called build (ie; firesheep/build/). Simply drag-and-drop that file into your Addons dialog box, restart Firefox and you should be set.

I’ve been having some issues in actually capturing data on my Dell D630 with an Intel Pro/Wireless 3945ABG card. It looks like this tool is often hardware specific, so your mileage may vary. I’d be interested in anyone offering suggestions on getting it to capture properly on OS X 10.6 (macbook) or Ubuntu 10.04+.