A funny thing happened on my way to the remote registry…
I became an evil hacker who was preying on I.T. managers!!! At least that’s what the initial reaction was. I was caught off guard: the big boss called me into his office and asked why I had accessed his PC, along with those of other (high level) managers. The CEO also wanted to know what business I had accessing his machine. I had NO idea what they were talking about, but I had to find out what was going on…
FYI - This can and may have already happened to you!
Scenario: Got a call from our help desk, users were having issues with their PCs. Troubleshooting the issue revealed vendor-supported systems where the time synchronization configuration was not set up to use our domain. Fixed the issue, thought that was the last I’d hear of that… I was wrong. The big boss came to me and said, “I want a report of time synchronization settings for every computer in the domain!” I said… “No problem.”
I wrote a script to check the remote registry time server parameters:
(System\CurrentControlSet\Services\W32TIME\Parameters)
Started the script around 5:00PM and went home. I wasn’t going to wait around for 5000+ machines to be enumerated. In the morning the results were complete and I shipped the Excel report to the boss.
A couple of days later I was asked what I was doing on his machine. I said, “Show me what you are talking about.” He opened Documents and Settings and there was my profile. It had a modified date of (pick a date) at 7:00PM. I put two and two together and realized that the modified date stamp reflected the same time I ran the script. I had him delete the profile and I re-ran the script pointing to his machine. Sure enough, my profile appeared again. I had no idea that running a script that connects to the remote registry would create a user profile on the remote machine. So that got me out of hot water, but now I have a profile on every machine in the company, oh boy!
I have not done any research on why this happens; I thought I would warn you that it can happen, and am curious to know why. If anyone wants to chime in…
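Added example (not the author’s script, which is linked from the comments, and not code from the linked thread): a PowerShell version of the same check, reading the W32Time Parameters values through the StdRegProv WMI class on each machine and writing an Excel-ready CSV. The computer names are placeholders; Type and NtpServer are the standard value names under that key.

```powershell
# Added example: report W32Time parameters from remote registries via StdRegProv,
# the same WMI registry provider the post's script used. Not the original script.
# Assumption: the computer names are placeholders; replace with a list from AD.
$computers = @('PLACEHOLDER-PC1', 'PLACEHOLDER-PC2')
$HKLM   = [uint32]2147483650          # HKEY_LOCAL_MACHINE as StdRegProv expects it
$subKey = 'SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$values = 'Type', 'NtpServer'         # Type: NT5DS = domain hierarchy, NTP = manual servers

function Get-RemoteTimeConfig {
    param([string]$Computer)
    # 'Queried' is recorded so the run can later be matched against any profile
    # timestamps the StdRegProv call leaves behind on the target, as the post describes.
    $row = [ordered]@{ Computer = $Computer; Queried = (Get-Date).ToString('s') }
    foreach ($name in $values) {
        try {
            # Invoke-CimMethod uses WS-Man by default; for hosts without WinRM,
            # pass a -CimSession created with New-CimSessionOption -Protocol Dcom.
            $r = Invoke-CimMethod -ComputerName $Computer -Namespace 'root\default' `
                 -ClassName StdRegProv -MethodName GetStringValue `
                 -Arguments @{ hDefKey = $HKLM; sSubKeyName = $subKey; sValueName = $name }
            $row[$name] = if ($r.ReturnValue -eq 0) { $r.sValue } else { "ERR $($r.ReturnValue)" }
        } catch {
            $row[$name] = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

$report = foreach ($c in $computers) { Get-RemoteTimeConfig -Computer $c }
$report | Export-Csv -Path '.\w32time-report.csv' -NoTypeInformation

# Flag hosts that do not sync from the domain hierarchy, the condition the
# help-desk call in the post turned up.
$report | Where-Object { $_.Type -ne 'NT5DS' } | Format-Table -AutoSize
```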
Comments
I’m curious as well. Could you post the script for inspection?
Added link to the script file at the end of the article.
http://www.scriptinganswers.com/forum2/forum_posts.asp?TID=1278
Maybe this explains?
Can’t say that I have seen this when enumerating WMI classes. This points to what I noticed:
“Some testing verifies what you have seen. On XP machines a remote profile is created when using StdRegProv.”
Thanks for the link.
When you access StdRegProv, even via WMI, on a domain joined computer, in order to provide proper security, your account must be fully parsed. The reason is that, even if you are a domain admin as well as a local admin, group policy can affect what can and cannot be accessed or modified on a given system’s registry since, as we all know, group policy is really nothing more than a bunch of registry and ACL settings. In order to figure out your RSOP and your local rights, since you aren’t likely directly in the local admins group, your entire account context must be parsed. This causes the WinLogon service to launch which, by extension, causes a profile to be generated so that there is a place to store any temp files as well as your user profile information on the local system.
I hope that helps.
So maybe there is a script that can delete the profile acct after the info you want is returned?
DL
Yeah, I have a profile on every machine in the company for a similar reason too.
Management are not so touchy about IT staff having profiles on machines though, so it has never been an issue for me.
You can use Delprof.exe to remotely clean up profiles.
Delprof.exe is available in the Windows Server 2003 Resource Kit.