A funny thing happened on my way to the remote registry…

By Jesse Hamrick • June 17th, 2009

I became an evil hacker who was preying on I.T. managers!!! At least that was the initial reaction. I was caught off guard: the big boss called me into his office and asked why I had accessed his PC along with those of other (high-level) managers. The CEO also wanted to know what business I had accessing his machine. I had NO idea what they were talking about, but I had to find out what was going on…


FYI – This can happen to you, and may already have!
Scenario: I got a call from our help desk; users were having issues with their PCs. Troubleshooting the issue revealed vendor-supported systems whose time synchronization configuration was not set up to use our domain. I fixed the issue and thought that was the last I would hear of it… I was wrong. The big boss came to me and said, "I want a report of the time synchronization settings for every computer in the domain!" I said, "No problem."

I wrote a script to read the time service parameters from each machine's remote registry:
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters)
I started the script around 5:00 PM and went home; I wasn't going to wait around for 5000+ machines to be enumerated. In the morning the results were complete and I shipped the Excel report to the boss.

A couple of days later I was asked what I had been doing on his machine. I said, "Show me what you are talking about." He opened Documents and Settings, and there was my profile. It had a modified date of (pick a date) at 7:00 PM. I put two and two together and realized that the modification time stamp matched the time my script was running. I had him delete the profile and I re-ran the script against his machine. Sure enough, my profile appeared again. I had no idea that running a script that connects to the remote registry would create a user profile on the remote machine. That got me out of hot water, but now I have a profile on every machine in the company. Oh boy!

I have not done any research on why this happens; I thought I would warn you that it can happen, and I am curious to know why. If anyone wants to chime in…
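The kind of query described above, as an added example that is not the post's script (the post's own script is linked below). It reads the W32Time parameters through the WMI StdRegProv provider, the same provider the post's script used, and immediately afterwards enumerates the target's ProfileList key so the report also shows whether a profile for the caller now exists on that box. Assumed: you are a local administrator on the targets, WMI/DCOM is reachable, and the file names computers.txt and w32time-report.csv are placeholders.

```powershell
# Added example, not the original post's script.
# Reads W32Time settings from remote machines via the WMI StdRegProv provider and
# records whether the calling account's profile exists on each target afterwards.
# Assumptions: local admin rights on the targets, WMI/DCOM reachable, file names below are placeholders.
function Get-W32TimeReport {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    $HKLM        = [uint32]2147483650   # HKEY_LOCAL_MACHINE, as StdRegProv expects it
    $TimeKey     = 'SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $ProfileList = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $mySid       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    foreach ($c in $ComputerName) {
        try {
            $reg = [wmiclass] "\\$c\root\default:StdRegProv"

            # StdRegProv methods return an object: ReturnValue (0 = success) plus the data.
            $type   = $reg.GetStringValue($HKLM, $TimeKey, 'Type')
            $server = $reg.GetStringValue($HKLM, $TimeKey, 'NtpServer')

            # ProfileList subkeys are SIDs; one matching our own SID means a profile exists
            # on this machine (on XP, possibly created by this very query, as the post describes).
            $profiles    = $reg.EnumKey($HKLM, $ProfileList)
            $haveProfile = ($profiles.ReturnValue -eq 0) -and ($profiles.sNames -contains $mySid)

            [pscustomobject]@{
                Computer       = $c
                Type           = $type.sValue            # NT5DS = domain hierarchy, NTP = manually configured peer
                NtpServer      = $server.sValue
                UsesDomainTime = ($type.sValue -eq 'NT5DS')
                ProfileCreated = $haveProfile
                Error          = $null
            }
        }
        catch {
            [pscustomobject]@{
                Computer       = $c
                Type           = $null
                NtpServer      = $null
                UsesDomainTime = $null
                ProfileCreated = $null
                Error          = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder file names):
$targets = Get-Content .\computers.txt
$report  = Get-W32TimeReport -ComputerName $targets
$report | Export-Csv -NoTypeInformation -Path .\w32time-report.csv
# Machines not taking time from the domain hierarchy are the ones the post's scenario was about.
$report | Where-Object { -not $_.UsesDomainTime } | Format-Table Computer, Type, NtpServer, ProfileCreated
```

The ProfileCreated column is the check a practitioner would want before sweeping a domain: run it against one test machine of each OS version first, and if the column comes back true on a freshly built box you know the query itself leaves a profile behind and can plan the cleanup (or a different access method) before touching 5000 machines.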

Here is the link to the script file I used



Comments

I’m curious as well. Could you post the script for inspection?

Added link to the script file at the end of the article.

By Jesse Hamrick on June 18th, 2009 at 8:05 am

Can't say that I have seen this when enumerating WMI classes. This points to what I noticed:
“Some testing verifies what you have seen. On XP machines a remote profile is created when using StdRegProv.”

Thanks for the link.

When you access StdRegProv, even via WMI, on a domain joined computer, in order to provide proper security, your account must be fully parsed. The reason is that, even if you are a domain admin as well as a local admin, group policy can affect what can and cannot be accessed or modified on a given system’s registry since, as we all know, group policy is really nothing more than a bunch of registry and ACL settings. In order to figure out your RSOP and your local rights, since you aren’t likely directly in the local admins group, your entire account context must be parsed. This causes the WinLogon service to launch which, by extension, causes a profile to be generated so that there is a place to store any temp files as well as your user profile information on the local system.

I hope that helps.

By David Lucero on August 21st, 2009 at 11:59 am

So maybe there is a script that can delete the profile acct after the info you want is returned?
DL

Yeah I have a profile on every machine in the company for a similar reason too.

Management are not so touchy about IT staff having profiles on machines, though, so it has never been an issue for me.

You can use Delprof.exe to remotely clean up profiles.
Delprof.exe is available in the Windows Server 2003 Resource Kit.

By ProgrammableFun on May 16th, 2010 at 8:40 pm

We use psexec from Sysinternals and use the switch that keeps it from creating a profile. It works for executing VBS, BAT, CMD and PS scripts. Plus, you can include a text file to execute on all machines from a remote box, or you can run it via policy on login, shutdown or at a designated time.

By RichRumble on May 26th, 2010 at 4:10 am

@ProgrammableFun this is not true when using WMI to query StdRegProv; the profile will be updated or created even when using psexec or winexe (Linux). This only happens on XP, not on Vista, Win7, 2003 or 2008.
-rich


I found a colleague's profile on my machine. After some hesitation, I have never asked him what he was doing on my machine… But I find it disgraceful… Next time, I will report him for sure…
