stopping "shutdown.exe"

By mark_williams
Is there a way to stop shutdown.exe from being run from the cmd line on workstations?
I.e. the problem is "students" open either WordPad or Notepad, write "command.com", then save as .bat and run it.
It opens the cmd prompt box where they are able to call up "shutdown.exe" and surf the network to shut down computers remotely.
System is Win Server 2003 & students are in a separate GPO to other users + they use login bats, so blocking .bat is out.

All Answers

Did you find an answer?

by Angel_Tech In reply to stopping "shutdown.exe"

Hi there, sorry to open an old topic, but I'm having a similar problem.
In this case, I want to prevent users from running .bat files (they create these with Notepad).
We have a mixed PC environment (XP/2K) and Server 2k3, so using the software restriction policies from AD only works for XP but not for the 2K PCs.
I already 'disabled the command prompt' and also enabled 'don't run specified Windows apps', but since it's a .bat file, they still have access to the command prompt.
I could use the reg editor, but since we have so many in different buildings, I was wondering if there's a way to prevent bat files from being run from the user account (they're limited accounts).

Any help would be appreciated.
Thanks

No real help, but

by mark_williams In reply to Did you find an answer?

No real way as of yet, but did notice that if the users have just "user rights" the policies in Server 2003 do stop them. But once the user has "domain user" rights on the local machine it overwrites the policy.

can you remove shutdown.exe from the system?

by robo_dev In reply to stopping "shutdown.exe"

I never tried this myself.

Even better, replace shutdown.exe with another executable....so if you use something like bat2exe or perl2exe and create a 'shutdown.exe' that is actually running 'logevent.exe' which logs the user-id and machine name to the server (of the miscreant who was trying to run shutdown).

Remove "shut down .exe"

by mark_williams In reply to can you remove shutdown.e ...

Did try this, no go though.
Windoz rebuilds the .exe @ reboot or start up.
So @ first thought the "replace" shutdown.exe will not happen. But will try and edit it, and get back to you.

One solution

by Kjell_Andorsen In reply to stopping "shutdown.exe"

This solution is not the most elegant out there, but it does the job.

First create a security group for everyone that should not be allowed to use shutdown.exe.

Then create a new GPO (or modify an existing one) and drill down to Computer Configuration - Windows Settings - Security Settings - File System. Select Add File and locate shutdown.exe (usually c:\windows\system32\shutdown.exe), then add the security group you just created and set "Read and execute" permissions to Deny.

The GPO will need to be applied on all computer OUs or on a domain level to make sure it applies to all systems.

This will allow everyone to still shut down or reboot from the Start menu, but not run shutdown.exe on remote systems.
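
A way to confirm that the Deny entry from the GPO above actually landed on each workstation, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later on an admin workstation with access to the `admin$` share; the group name `SCHOOL\NoShutdownExe` and the computer names are hypothetical placeholders.

```powershell
# Added example: audit the Deny "Read & execute" ACE on shutdown.exe.
# The group and computer names below are hypothetical placeholders.
param(
    [string]   $Group        = 'SCHOOL\NoShutdownExe',
    [string[]] $ComputerName = @('LAB-PC01', 'LAB-PC02')
)

function Test-DenyExecute {
    param([string] $Path, [string] $Group)
    $needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    # -ErrorAction Stop turns an unreachable path into a catchable error
    foreach ($ace in (Get-Acl -LiteralPath $Path -ErrorAction Stop).Access) {
        if ($ace.AccessControlType -ne 'Deny')       { continue }
        if ($ace.IdentityReference.Value -ne $Group) { continue }
        # The ACE must cover every bit of "Read & execute"
        if (($ace.FileSystemRights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

foreach ($computer in $ComputerName) {
    # admin$ is the administrative share for %SystemRoot% on the remote machine
    $path = "\\$computer\admin`$\System32\shutdown.exe"
    try {
        $ok     = Test-DenyExecute -Path $path -Group $Group
        $status = if ($ok) { 'DenyPresent' } else { 'DenyMissing' }
    } catch {
        $status = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $computer; Status = $status }
}
```

Any account that legitimately needs shutdown.exe, such as the one behind the scheduled site-wide shutdown task mentioned in the next reply, has to stay out of the denied group, because a Deny entry takes precedence over Allow entries.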

One solution

by mark_williams In reply to One solution

Looks OK, will give it a bash.

One thing though.
The system runs a scheduled task using a .bat file to run a remote shutdown command on all computers site wide. 70+ comps.
If I remember correctly (Saturday morning here) it uses shutdown.exe.

If you're having so much trouble it

by ComputerCookie In reply to One solution

might be an idea to run shared toolkit or, if you have XP on all the PCs, Steady State.

Benefits include not allowing computers to be shut down or restarted.

Removing any application you want, not allowing them access to the network unless mapped! No access to Explorer, only access to My Computer that only lists removable storage!

The computer always restarts from an image.
