What does 'control userpasswords2' do and why?


Ken Dibble

Mar 1, 2022, 2:40:35 PM
to ntsys...@googlegroups.com
Here's a weird one.

One of our employees was forced to allow the police to access one of
our laptops.

Laptop was full-disk encrypted with VeraCrypt, meaning she had to
provide a password to allow the HDD to spin up, and then apply a
different set of creds to log into Windows 7.

I had her bring the machine in for inspection. I noticed in the local
admin account's Run dialog that someone had attempted to execute the
following command:

control userpasswords2

A Google search on this produces confusing results (at least for me).

Allegedly it would be similar to trying to use "Run as
administrator"? That is, it should pop up a dialog requesting other
credentials?

Any further thoughts?

Thanks.

Ken Dibble
www.stic-cil.org

Tony Burrows

Mar 1, 2022, 2:51:27 PM
to ntsys...@googlegroups.com
It is a way of managing local accounts/profiles regardless of Windows version and is commonly used on home versions since they do not have the Local Users and Groups snapin as part of the compmgmt.msc. 

Regards,
Tony

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/621e76b2.1c69fb81.ba091.2961SMTPIN_ADDED_MISSING%40gmr-mx.google.com.


Erik Goldoff

Mar 1, 2022, 3:16:31 PM
to ntsys...@googlegroups.com
this allows you to boot directly to your desktop, bypassing the Windows User logon.  Strange that they would change the configuration of the system.  Now I'm curious as to "forced to allow..."


Erik Goldoff

Mar 1, 2022, 3:19:49 PM
to ntsys...@googlegroups.com
Maybe I spoke too soon.  Has that bypass function been deprecated in the latest Windows 10 releases ?

Ken Dibble

Mar 1, 2022, 3:31:36 PM
to ntsys...@googlegroups.com
This is Windows 7 Pro.

As described, a person would first have to supply a separate password to VeraCrypt, before the OS could even boot.

The command was leftover in the "Run..." dialog dropdown in the local admin account. How could anybody access that dialog without first logging into the account? How could anybody run that command without having access to that dialog?

Thanks.

Ken Dibble
www.stic-cil.org


At 03:15 PM 3/1/2022, you wrote:
this allows you to boot directly to your desktop, bypassing the Windows User logon.  Strange that they would change the configuration of the system.  Now I'm curious as to "forced to allow..."
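The two questions above (what the dialog behind that command can change, and how the command could be sitting in the local admin account's Run history) can be checked on the machine itself. The following is an added triage script, not code from the thread; it reads the standard Winlogon, RunMRU and Security-log locations on Windows 7, and the account name 'Administrator' is a placeholder for the local admin account.

```powershell
# Added triage script (not from the thread). It reads the two Windows 7
# artifacts this discussion turns on: the autologon setting that the
# "control userpasswords2" dialog can change, and the Run-dialog history
# (RunMRU) that shows the command having been typed in a given account.
# Run it elevated on the suspect machine while it is off the network. If a
# rootkit is suspected, trust only hives read from a forensic image, not
# what the live system reports.

# 1. Autologon. Unticking "Users must enter a user name and password" in the
#    dialog sets AutoAdminLogon to "1" and records the account in
#    DefaultUserName; the password is kept as the LSA secret DefaultPassword,
#    or, if someone set it by hand, as a plaintext DefaultPassword value.
function Get-AutoLogonConfig {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        AutoLogonEnabled  = ($p.AutoAdminLogon -eq '1')
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        PlaintextPassword = [bool]$p.DefaultPassword   # $true only if stored in the clear
    }
}

# 2. Run-dialog history. Explorer stores the Run box drop-down per user under
#    ...\Explorer\RunMRU: one value per entry (single-letter name, text ending
#    in "\1") and MRUList giving the letters most-recent first. The key lives
#    in the account's own NTUSER.DAT, so an entry there means the command was
#    typed in an interactive session of that account, or written into its hive.
function Get-RunMruEntries {
    param([string]$HiveRoot = 'HKCU:')
    $key = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    if (-not (Test-Path $key)) { return @() }
    $p = Get-ItemProperty -Path $key
    $rank = 0
    foreach ($letter in ([string]$p.MRUList).ToCharArray()) {
        $rank++
        $name = [string]$letter
        New-Object PSObject -Property @{
            Hive    = $HiveRoot
            Rank    = $rank                                  # 1 = most recent
            Command = ([string]$p.$name) -replace '\\1$', ''
        }
    }
}

# Every hive currently loaded under HKEY_USERS (logged-on accounts). Hives of
# accounts that are not logged on must be loaded first with "reg load".
function Get-AllRunMruEntries {
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { Get-RunMruEntries -HiveRoot ('Registry::HKEY_USERS\' + $_.PSChildName) }
}

# 3. Who logged on interactively, and when. Security event 4624 with logon
#    type 2 (console) or 7 (unlock) for the local admin account brackets any
#    use of its Run box; a RunMRU entry with no matching 4624 in that window
#    points to the hive having been modified some other way.
function Get-InteractiveLogons {
    param(
        [string]$Account,
        [datetime]$Since = (Get-Date).AddDays(-14)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Account   = $d['TargetUserName']
                LogonType = [int]$d['LogonType']
                Process   = $d['ProcessName']
            }
        } |
        Where-Object { (2, 7 -contains $_.LogonType) -and (-not $Account -or $_.Account -eq $Account) }
}

# Usage. 'Administrator' is a placeholder for the local admin account name.
Get-AutoLogonConfig | Format-List
Get-AllRunMruEntries | Sort-Object Hive, Rank | Format-Table -AutoSize
Get-InteractiveLogons -Account 'Administrator' | Sort-Object Time | Format-Table -AutoSize
```

Compare the RunMRU entry for the local admin hive against the 4624 events for that account: a match confirms an interactive session, and its absence is what should be escalated to whoever takes the forensic image.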

Philip Elder

Mar 1, 2022, 4:04:04 PM
to ntsys...@googlegroups.com

If they have access to the encryption password when they boot from a separate flash drive they can pretty much do anything they want.

Did they change the admin password?

If not, then wow … it’s gotta be a doosey!

Physical possession …

Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

Ken Dibble

Mar 1, 2022, 4:57:54 PM
to ntsys...@googlegroups.com
Yes, the machine will not boot from ANY location until the VeraCrypt password is entered.

As I understand it, the police asked the user for the passwords for VeraCrypt and for her AD standard user account, and she supplied them.

The police then took the machine into another room "for about five minutes", and then returned it to her.

The user does not know the PWD for local admin, so she could not have given that to them. That password has not been reset; I used it to log in (yeah yeah LAPS and so forth, but not right now, please....)

If they already somehow got into the local admin account, why would they then need to run that command in that account? And if they didn't get into the local admin account, how could that command have been left sitting in the "Run ..." dialog drop-down for that account?

The machine is frightfully slow, almost to the point of unusability. I cannot imagine that if it had been running that slowly before this event that the user would not have complained about it. I also cannot imagine that the cops could have done very much with it in five minutes if it was running like this when they got it.

MalwareBytes and Avast Business Pro scans did not find anything remarkable.

It has Windows 7 Pro 32-bit, with 6 GB of RAM, but Windows reports that only about 2.6 GB is "usable". I find that odd; usually such a machine will report about 3.5 GB usable RAM. The Performance tab in Task Manager shows it with 2532 for physical memory and consistently using about 1.5 GB, with CPU usage fluctuating vastly on a defrag task (which is taking forever). I ran MEMDIAG on it and it didn't find any errors though. CHKDSK /f will not run. It lets me tell it to reboot and run it, but then it doesn't run on reboot. I don't imagine that VeraCrypt is interfering with it; it didn't block MEMDIAG, which has a similar modality.

I would hate to have to give it back to her in this state. I would also hate to have to upgrade it to Win 10 with only 6 GB of RAM, but that might be an option.

Thanks for any further thoughts. It sure is a doosey.

Ken


At 04:03 PM 3/1/2022, you wrote:

If they have access to the encryption password when they boot from a separate flash drive they can pretty much do anything they want.

Michael B. Smith

Mar 1, 2022, 5:08:02 PM
to ntsys...@googlegroups.com

Sounds like a rootkit. Smells like a rootkit.


ODONNELL Aaron M

Mar 1, 2022, 5:13:13 PM
to ntsys...@googlegroups.com

If the police took away one of my laptops for even a minute, it would be an immediate wipe and reimage. You don’t know what they did, what they were looking for, and what they might come back looking for later if they did in fact put a rootkit or monitoring software on there.

Thanks,

Aaron O’Donnell

Nathan Shelby

Mar 1, 2022, 5:16:16 PM
to ntsys...@googlegroups.com
Agreed,

Hopefully this hasn't been connected back to your network and has been entirely air gapped...

Nothing should be preserved from the laptop other than a forensic image given to your legal department. Consider everything on the unit compromised.

Nathan Shelby
ntsh...@gmail.com




Art DeKneef

Mar 1, 2022, 5:26:37 PM
to ntsys...@googlegroups.com

Curious what forced means.

It’s been a while since I had to know these things but a couple of things come to mind. Did they have a search warrant for the laptop? If not, the employee could have said no, go see legal. And a point of contention here is did they ask to look at the laptop. Normally, the owner of the laptop can give permission. But was the employee the owner or was it a company laptop? Something like this is for the lawyers.

If the police needed it for forensic evidence they would have taken the laptop. I would wipe the drive and start clean.

Art DeKneef
Avanti Computers
Mesa, AZ
480-529-4430 Mobile

Erik Goldoff

Mar 1, 2022, 5:33:52 PM
to ntsys...@googlegroups.com
yes, ALL of these concerns. Very suspicious indeed.

(did any of the police speak with a Russian accent?  ;) )

Philip Elder

Mar 1, 2022, 6:07:32 PM
to ntsys...@googlegroups.com

I’d dispose of the SSD using a slug from one of our 12Ga shotguns. It wouldn’t even go into recycling.

Shawn K. Hall

Mar 1, 2022, 6:14:31 PM
to ntsys...@googlegroups.com
+1

Philip Elder

Mar 1, 2022, 6:16:51 PM
to ntsys...@googlegroups.com
Side streams? I don't remember what they are called but I think that's where the RootKit Revealer would come in.

One has to wonder if something was done at the hardware level too?

I'd be re-flashing the firmware on the device and resetting the TPM too before re-installing the OS/Image on a fresh SSD.

That's some real spooky stuff there.


Shawn K. Hall

Mar 1, 2022, 6:47:25 PM
to ntsys...@googlegroups.com
They don't need a search warrant to access a machine near ports and borders, or at international airports within the USA. BCP can, and does, demand access to various hardware crossing the borders to ensure that it isn't being used to transfer "dangerous" materials across the border (as if the Internet couldn't do that).
https://www.eff.org/issues/know-your-rights#5
Usually they'll take the device in another room and image the drive. If it's a conventional drive it's extremely unlikely they could do that in 5 minutes, but they could still harvest various information from the computer, such as stored credentials, browsing history and so on, and these would not require admin rights.

-S

Markus Klocker

Mar 2, 2022, 5:58:33 AM
to ntsys...@googlegroups.com
Just a reminder that there is also stuff out there known to reside in firmware.
I wouldn't want such a device knowingly near my net ever.

    Markus

Ken Dibble

Mar 2, 2022, 10:01:59 AM
to ntsys...@googlegroups.com
"Forced" was my word. I got additional information later. The user waited 6 days to report this, so if they had time to get a backdoor onto it then they had time to look at it at their leisure--although brief initial inspection suggests that the user hadn't altered any files on the device since February 18, so it may not have been turned on for very long--though it was running on Feb 28 at the time I remotely shut it down. Not definitive; I haven't looked at the logs, I've been spending all my time trying to get it into a usable state.

I don't know if they presented a warrant. They were looking for stuff related to a relative of hers who lives with her. They took his equipment and as far as I know have not returned it. They also allegedly told her that they came to investigate because her "router was sending out weird signals". Who knows if they were actually monitoring her router or if they just lied to her. Police are notorious liars.

We should consider addressing warrantless searches during our post-mortem, though I would imagine the only thing we can tell people is, "Ask for a warrant. If they don't have one and they insist on getting into the machine, let them."

Thanks.

Ken Dibble
www.stic-cil.org

At 05:26 PM 3/1/2022, Art DeKneef wrote:

Curious what forced means.

Ken Dibble

Mar 2, 2022, 10:10:18 AM
to ntsys...@googlegroups.com
At 05:16 PM 3/1/2022, Nathan Shelby wrote:
Agreed,

Hopefully this hasn't been connected back to your network and has been entirely air gapped...

Too late... I did connect it so I could update the scanning software before running it. I don't know what the alternative to that would be, since most of this software insists on downloading updates before running.

But I haven't logged on with any domain creds, only local admin. I probably should have let it use only the guest wireless network instead of connecting by LAN cable; that only serves an internet connection--though even that would make it accessible to the police if they installed an agent on it. But it's a good point to add to my procedures for the future, though since we have a lot of desktop machines it's only applicable in some situations.


Nothing should be preserved from the laptop other than a forensic image given to your legal department. Consider everything on the unit compromised.

I think that's a good recommendation.

Thanks.

Ken Dibble
www.stic-cil.org


Ken Dibble

Mar 2, 2022, 10:15:54 AM
to ntsys...@googlegroups.com
I wish it had an SSD. This is a 9-year-old ASUS K55N with a mechanical hard drive and an AMD A8 4500M APU CPU. Possibly this has led to some confusion. It never was super-fast, but it never was this slow either. After letting it defrag over night it seems a bit faster, but I keep getting "Windows has detected that your performance is slow" toasts, and it keeps turning off the Aero display.

At 06:07 PM 3/1/2022, you wrote:

I’d dispose of the SSD using a slug from one of our 12Ga shotguns. It wouldn’t even go into recycling.


 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of ODONNELL Aaron M
Sent: Tuesday, March 1, 2022 15:13
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] What does 'control userpasswords2' do and why?

 

If the police took away one of my laptops for even a minute, it would be an immediate wipe and reimage. You don’t know what they did, what they were looking for, and what they might come back looking for later if they did in fact put a rootkit or monitoring software on there.

 

 

 

Thanks,

 

Aaron O’Donnell


 

From: ntsys...@googlegroups.com < ntsys...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Tuesday, March 1, 2022 2:07 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] What does 'control userpasswords2' do and why?

 

This message was sent from outside the organization. Treat attachments, links and requests with caution. Be conscious of the information you share if you respond.

Sounds like a rootkit. Smells like a rootkit.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Ken Dibble
Sent: Tuesday, March 1, 2022 4:58 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] What does 'control userpasswords2' do and why?

Yes, the machine will not boot from ANY location until the VeraCrypt password is entered.

As I understand it, the police asked the user for the passwords for VeraCrypt and for her AD standard user account, and she supplied them.

The police then took the machine into another room "for about five minutes", and then returned it to her.

The user does not know the PWD for local admin, so she could not have given that to them. That password has not been reset; I used it to log in (yeah yeah LAPS and so forth, but not right now, please....)

If they already somehow got into the local admin account, why would they then need to run that command in that account? And if they didn't get into the local admin account, how could that command have been left sitting in the "Run ..." dialog drop-down for that account?

The machine is frightfully slow, almost to the point of unusability. I cannot imagine that if it had been running that slowly before this event that the user would not have complained about it. I also cannot imagine that the cops could have done very much with it in five minutes if it was running like this when they got it.

MalwareBytes and Avast Business Pro scans did not find anything remarkable.

It has Windows 7 Pro 32-bit, with 6 GB of RAM, but Windows reports that only about 2.6 GB is "usable". I find that odd; usually such a machine will report about 3.5 GB usable RAM. The Performance tab in Task Manager shows it with 2532 for physical memory and consistently using about 1.5 GB, with CPU usage fluctuating vastly on a defrag task (which is taking forever). I ran MEMDIAG on it and it didn't find any errors though. CHKDSK /f will not run. It lets me tell it to reboot and run it, but then it doesn't run on reboot. I don't imagine that VeraCrypt is interfering with it; it didn't block MEMDIAG, which has a similar modality.

I would hate to have to give it back to her in this state. I would also hate to have to upgrade it to Win 10 with only 6 GB of RAM, but that might be an option.

Thanks for any further thoughts. It sure is a doosey.

Ken

At 04:03 PM 3/1/2022, you wrote:
If they have access to the encryption password when they boot from a separate flash drive they can pretty much do anything they want.

Did they change the admin password?

If not, then wow … it’s gotta be a doosey!

Physical possession …


Sent: Tuesday, March 1, 2022 13:32
Subject: Re: [ntsysadmin] What does 'control userpasswords2' do and why?

This is Windows 7 Pro.

As described, a person would first have to supply a separate password to VeraCrypt, before the OS could even boot.

The command was leftover in the "Run..." dialog dropdown in the local admin account. How could anybody access that dialog without first logging into the account? How could anybody run that command without having access to that dialog?

Thanks.

Ken Dibble
www.stic-cil.org


At 03:15 PM 3/1/2022, you wrote:

this allows you to boot directly to your desktop, bypassing the Windows User logon.  Strange that they would change the configuration of the system.  Now I'm curious as to "forced to allow..."


--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.


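The thread establishes that `control userpasswords2` opens the User Accounts (netplwiz) dialog, which can configure the machine to skip the Windows logon and which also edits local accounts. The settings that dialog writes live under the Winlogon registry key, so an examiner who finds the command in a Run history can check directly whether automatic logon was actually enabled, and can pull the interactive logons and account changes recorded while the machine was out of their hands. The following PowerShell is an added example, not code from anyone in the thread; the Winlogon key and value names are the standard ones, `New-Object PSObject` is used so it runs on the PowerShell 2.0 that ships with Windows 7, and the time window in the usage lines is a placeholder to be replaced with the period in question.

```powershell
# Added example (not from the thread): audit the two things the netplwiz /
# "control userpasswords2" dialog can change: automatic logon and local accounts.
# Run in an elevated PowerShell on the machine being examined.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    # Reads the values the netplwiz "Users must enter a user name and password"
    # checkbox controls. AutoAdminLogon = "1" means the logon prompt is skipped.
    $p = Get-ItemProperty -Path $Winlogon
    New-Object PSObject -Property @{
        AutoAdminLogon    = $p.AutoAdminLogon
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        ForceAutoLogon    = $p.ForceAutoLogon
        AutoLogonCount    = $p.AutoLogonCount
        # netplwiz stores the password as an LSA secret, but a manual registry edit
        # leaves it in clear text as DefaultPassword; flag that separately.
        PlaintextPasswordInRegistry = [bool]($p.PSObject.Properties.Name -contains 'DefaultPassword')
    }
}

function Get-LogonAndAccountEvents {
    param(
        [Parameter(Mandatory = $true)][datetime]$Start,
        [Parameter(Mandatory = $true)][datetime]$End
    )
    # 4624 = successful logon, 4720 = account created, 4724 = password reset attempt,
    # 4732 = member added to a local group, 4738 = account changed.
    # These only exist if the corresponding audit subcategories were enabled beforehand.
    $ids = 4624, 4720, 4724, 4732, 4738
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            $props = $e.Properties
            if ($e.Id -eq 4624) {
                # For 4624: [5] TargetUserName, [6] TargetDomainName, [8] LogonType.
                # Keep only console logons: type 2 (interactive) and 11 (cached interactive).
                $type = [int]$props[8].Value
                if ($type -eq 2 -or $type -eq 11) {
                    New-Object PSObject -Property @{
                        Time    = $e.TimeCreated
                        EventId = $e.Id
                        Detail  = "Interactive logon as $($props[6].Value)\$($props[5].Value) (type $type)"
                    }
                }
            }
            else {
                # For the account-management events, [0] is the target account name
                # and [1] its domain; the actor is further along in the message text.
                New-Object PSObject -Property @{
                    Time    = $e.TimeCreated
                    EventId = $e.Id
                    Detail  = "Account change on $($props[1].Value)\$($props[0].Value): $($e.Message.Split("`n")[0])"
                }
            }
        } | Sort-Object Time
}

# Usage (placeholder window; set it to when the machine was out of your custody):
Get-AutoLogonState | Format-List
Get-LogonAndAccountEvents -Start (Get-Date '2022-03-01 12:00') -End (Get-Date '2022-03-01 18:00') |
    Format-Table Time, EventId, Detail -AutoSize
```

If `AutoAdminLogon` is not `1` and no account events fall inside the window, the dialog was opened but nothing was saved, or the change was reverted; an empty event list is only meaningful if logon and account-management auditing were enabled before the incident, which is worth confirming with `auditpol /get /category:*` before drawing conclusions. None of this speaks to what may have been done at the disk level after the VeraCrypt password was supplied, which is the concern the rest of the thread raises.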

Ken Dibble

Mar 2, 2022, 11:00:14 AM3/2/22
to ntsys...@googlegroups.com
At 05:22 PM 3/1/2022, Kurt Buff wrote:
Concur. This should be in the toolbox, even though it's dated:
https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer

From that page: "There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries."

Hm. Not considering forensic preservation issues, I looked briefly at the domain user's Documents folder from the local admin account (unlike Win 10, I can do that in Win 7--and IMO it's stupid not to let me do it in Win 10 without jumping through a lot of hoops). I found a few dozen files beginning with ~, which were leftover from various crashes of various office and PDF sessions at various times over the past few years. I was going to delete them en masse. So I multi-selected them in File Explorer--and the machine locked up tight and hard. I had to kill it with the power button. More grist for the rootkit mill?

Beyond that, I would be unable to resolve any non-rootkit-related discrepancies that tool found, so I am now leaning toward wiping the machine.

Thanks.

Ken Dibble
www.stic-cil.org

More of this kind of tool found here:
https://www.bleepingcomputer.com/download/windows/anti-rootkit/


Melvin Backus

Mar 2, 2022, 11:37:57 AM3/2/22
to ntsys...@googlegroups.com

Quite honestly at the age of that machine I’d seriously consider replacement. Worst case at least throw in a new drive, preferably SSD.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯

Jim Behning

Mar 2, 2022, 12:12:51 PM3/2/22
to ntsys...@googlegroups.com
I do not understand wipe. I would grab a brand new SSD drive for $50 and go. I would have no faith in a wiped hard drive. As others mentioned, not a lot of faith in the motherboard of that laptop. 

Philip Elder

Mar 2, 2022, 1:34:16 PM3/2/22
to ntsys...@googlegroups.com

There are Intel SATA SSDs (DC 3500 series 3510, 3520) brand new in the bag for $50 on auction.

That’s where I’d go since it would give a performance boost to the unit thus giving it a lot more life.

We did that with Tecra Z50-A and -C series units that came back during refreshes and they are still going strong.


Ken Dibble

Mar 2, 2022, 1:34:49 PM3/2/22
to ntsys...@googlegroups.com
As always in the not-for-profit world, money is an issue. Different funding contracts have different requirements.

I actually have a brandy-new never-used Dynabook Tecra sitting here; I have to get management permission to assign it to this person.

Time is also an issue; the user is off this week but needs to get back to work on Monday. This is a small city and our one local source of parts like this closed their doors almost a year ago, a very sad loss. So I would have to order it and get it delivered. Looks like I could do a rush order on Amazon and get a compatible drive for $58 + $10 shipping and get it tomorrow afternoon. That gives me Friday to get it set up, which is do-able. Again, requires management permission, but I like the idea if I'm not allowed to use the spare machine.

BTW, this was an excellent resource for me, who doesn't have much experience doing physical work on laptops:

https://www.youtube.com/watch?v=ONXTQzTgcvY

Thanks.

Ken Dibble
www.stic-cil.org

At 12:12 PM 3/2/2022, Jim Behning wrote:
I do not understand wipe. I would grab a brand new SSD drive for $50 and go. I would have no faith in a wiped hard drive. As others mentioned, not a lot of faith in the motherboard of that laptop.


Philip Elder

Mar 2, 2022, 2:37:10 PM3/2/22
to ntsys...@googlegroups.com

There was a time where the thought of swapping out an HDD for an SSD and adding or swapping memory modules was approached with much trepidation.

A Greek Puzzle they were.

And I agree, there are so many great videos on how to disassemble machines now that it’s fairly easy to get a handle on it.


Bruce Roberts

Mar 2, 2022, 4:19:04 PM3/2/22
to ntsysadmin
I would also work any way that I could to not reuse that machine or reuse that drive. You might want to sit on them cold in case there is an issue which comes up in a few months. You do have a great reason to replace if it's 9 years old - there has to be a contingency if it outright failed and was out of warranty. I also would not happily trust the data on that original C drive. The risk that there could be something on this machine that you or the end user will not know about easily would be too much for me. You can buy used units on eBay and Amazon of that vintage for a few hundred dollars if there really is a $ crunch.
Regarding HDD to SSD - we did a bunch of these upgrades 5-6 years ago when rolling out Windows 10 on good hardware and the SSD replacement brought new life into the machine - it is the right time however to strongly consider a 9-year-old unit.
Here in my environment - if this were to happen - that machine would be out of use, drive removed, hardware decommissioned - too much risk there. Physical access can allow for full control of a local account and from there all bets are off.

Good Luck
Bruce