The most common scenario is this:
- The user faces an issue.
- The user creates a ticket and leaves the computer.
- To understand the problem, you need to see the user's desktop or the error message.
- You can access the user's computer physically or via remote control, but it's locked and you don't know the user's password.
- You can't access the user session without changing their password.
Our user's name is Jake. Let's say his desktop looks like this before he locked the computer:
Now the user locks the screen and leaves work, hoping you will fix it while he is gone.
You log on with a local or domain user that has access to the computer. In my example, the user name is ws_samilaiho.
If you open the Task Manager and go to the Users tab, you can see the name of the account that is logged in. If you right-click it and choose Connect, you have to enter the user password to access the session.
Luckily (sadly for security), Microsoft has left a backdoor. 😊
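Run PsExec with the following syntax (-s runs the process as the SYSTEM account, -i makes it interactive on the desktop, and -d returns without waiting for it to exit):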
PSEXEC -SID cmd.exe
Now start Taskmgr.exe from the new command prompt (make sure Task Manager isn't already running).
Now, go to the Users tab, right-click the user session, and click Connect.
And there you are, on the user's desktop without knowing their password 😉
If you are worried about this from a security perspective, just remember, you are an admin of the box; hence, you can do whatever you want. Standard users can't do this. This also demonstrates nicely why end users shouldn't ever have admin rights.
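To audit a machine for this technique, the following PowerShell lists PsExec service installs and the session disconnect/reconnect events that follow them. It is an added example, not part of the original article. It assumes PsExec's default service name (PSEXESVC), a 7-day look-back with a 15-minute correlation window, and that the Task Manager Connect action is recorded as LocalSessionManager events 24 and 25, which you should confirm in your own environment.

```powershell
# Added example: correlate PsExec service installs with session reconnects on one host.
# Run from an elevated PowerShell prompt.
$since  = (Get-Date).AddDays(-7)          # look-back period (assumed value)
$window = [TimeSpan]::FromMinutes(15)     # correlation window (assumed value)

# Event 7045 (Service Control Manager): "A service was installed in the system".
# Properties[0] = service name, Properties[1] = image path.
# PSEXESVC is PsExec's default service name; PsExec's -r switch can change it.
$installs = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7045; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    $_.Properties[0].Value -like 'PSEXESVC*' -or
    $_.Properties[1].Value -match 'PSEXESVC'
}

# Session disconnect (24) and reconnect (25) events.
# Assumption: taking over a session via Task Manager's Connect is logged here.
$sessions = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id = 24, 25; StartTime = $since
} -ErrorAction SilentlyContinue

# For every PsExec install, list the session events that follow within the window.
$report = foreach ($i in $installs) {
    $near = $sessions | Where-Object {
        $_.TimeCreated -ge $i.TimeCreated -and
        ($_.TimeCreated - $i.TimeCreated) -le $window
    }
    [pscustomobject]@{
        ServiceInstalled = $i.TimeCreated
        ServiceName      = $i.Properties[0].Value
        ImagePath        = $i.Properties[1].Value
        InstalledBySid   = $i.UserId
        SessionEvents    = @($near | Sort-Object TimeCreated | ForEach-Object {
            '{0:HH:mm:ss} id={1} {2}' -f $_.TimeCreated, $_.Id,
                ($_.Message -split "`r?`n")[0]
        })
    }
}

$report | Sort-Object ServiceInstalled | Format-List
```

An install with no nearby session events is ordinary PsExec use; an install followed by a reconnect for a different user's session is the pattern worth reviewing against your ticket system.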