Status
Not open for further replies.

Controlling Another Computer

2K views 14 replies 3 participants last post by  dmccoy 
#1 ·
Hi,

Is it possible for someone to use an API to control all your computer on your network?

Elaine
 
#3 ·
I've just found a file migrated called shell unlock

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Sediment</Author>
<Description>USO Scan upon Unlock</Description>
<URI>\Microsoft\Windows\rempl\shell-unlock</URI>
</RegistrationInfo>
<Triggers>
<SessionStateChangeTrigger>
<Enabled>true</Enabled>
<StateChange>SessionUnlock</StateChange>
</SessionStateChangeTrigger>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription><QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000]]</Select></Query></QueryList></Subscription>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>6</Priority>
</Settings>
<Actions Context="LocalSystem">
<Exec>
<Command>%ProgramFiles%\rempl\remsh.exe</Command>
<Arguments>/RunUsoScanOnly</Arguments>
</Exec>
</Actions>
</Task>

is that normal?
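A first-pass triage of an exported task definition like the one posted above, as an added example that is not part of the original thread: it pulls out the principal, triggers and action so the referenced binary can then be checked (signature, VirusTotal). The names `summarize_task` and `review_notes`, the trimmed sample and the user-writable path list are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristic: path fragments that are writable without admin rights.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%public%", "\\users\\")

# Constructed sample: trimmed copy of the task posted above.
SAMPLE_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Author>Sediment</Author><URI>\Microsoft\Windows\rempl\shell-unlock</URI></RegistrationInfo>
<Triggers><SessionStateChangeTrigger><StateChange>SessionUnlock</StateChange></SessionStateChangeTrigger>
<EventTrigger><Enabled>true</Enabled></EventTrigger></Triggers>
<Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId></Principal></Principals>
<Settings><Hidden>false</Hidden></Settings>
<Actions Context="LocalSystem"><Exec><Command>%ProgramFiles%\rempl\remsh.exe</Command>
<Arguments>/RunUsoScanOnly</Arguments></Exec></Actions></Task>"""


def summarize_task(xml_data):
    """Extract what a reviewer checks first: who runs what, and when."""
    root = ET.fromstring(xml_data)  # pass bytes when reading an exported UTF-16 file
    get = lambda el, path: (el.findtext(path, "", NS) or "").strip()
    return {
        "uri": get(root, "t:RegistrationInfo/t:URI"),
        "user_id": get(root, "t:Principals/t:Principal/t:UserId"),
        "hidden": get(root, "t:Settings/t:Hidden").lower() == "true",
        "triggers": [el.tag.split("}", 1)[1] for el in root.findall("t:Triggers/*", NS)],
        "actions": [(get(e, "t:Command"), get(e, "t:Arguments"))
                    for e in root.findall("t:Actions/t:Exec", NS)],
    }


def review_notes(summary):
    """Return follow-up notes; an empty list does not prove the task is benign."""
    notes = []
    if summary["hidden"]:
        notes.append("task is hidden from the default Task Scheduler view")
    for command, _args in summary["actions"]:
        if any(part in command.lower() for part in USER_WRITABLE):
            notes.append("action runs from a user-writable path: " + command)
        if summary["user_id"] == "S-1-5-18":
            notes.append("runs as SYSTEM, verify the signature of: " + command)
    return notes


if __name__ == "__main__":
    info = summarize_task(SAMPLE_TASK)
    print(info)
    for note in review_notes(info):
        print("-", note)
```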
 
#5 ·
Most remote admin programs need to start up upon boot. Go download AutoRuns from MS SysInternals:

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

It will show you almost all programs in the registry that start up automatically. I remember there is a right click choice to check a file against VirusTotal. Check for files that look familiar but spelt wrong, like 'svchosts' instead of 'svchost'.
 
#10 ·
It would be much easier to help you if you upload the file rather than post all the screenshots.

1. Make sure Hide Microsoft Entries is Checked Under the Options Menu
2. After Scanning is Finished
3. Go to File then Save
4. Save as AutoRuns.am file or as Autoruns.txt to known location like your Desktop
5. Upload file to your next reply. You may have to compress the file to .zip before uploading if you use .am extension.
 
#14 · (Edited by Moderator)
That account unknown can be the result of you previously deleting an account. When you delete an account, the permissions for it remain embedded in files which that account used to be able to access.

Don't ask me to go thru the Autoruns screen shots for you. I just save a baseline and compare them.
 
#15 ·
Yes! You will either have to update the correct Permissions or you can try saving to desktop
 