Sometimes you have to throw someone off a terminal, but at the same time preserve the evidence on the terminal. For example if someone is using a terminal to hack something, and you need to secure the running terminals to capture the commands that has been run. It is quite simple to accomplish this, as the process below demonstrates.
- First, change the target account’s AD password. This will prevent them from logging back in
- Next, target the terminal with psexec and use rundll32 to execute user32.dll with the LockWorkStation function. This will trigger the account lock. The following command can be tweaked for your purposes: PsExec.exe \\<ip> -d -u <domain>\Administrator -i cmd.exe /c “C:\windows\system32\rundll32.exe user32.dll, LockWorkStation”
- Now it’s time to sieze the terminal. Make sure you are standing by ready for this, as the victim could be distressed and shut down his workstation, essentially removing evidence.
This concept can be expanded further, as Darryl Griffiths pointed out to me on LinkedIn. Coupling the initial idea of locking the workstation with AD Group Policies to modify the Power settings on the target workstation, one can even prevent the machine from shutting down, e.g. when the power button is clicked or the laptop lid is turned off. The Power Management in Windows normally allows this type of overriding the functionality of the power button, and more can be read about this concept in the following TechNet article: https://blogs.technet.microsoft.com/askds/2008/03/21/managing-power-with-group-policy-part-3-of-3/
Get PSExec here: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx?f=255&MSPPError=-2147217396
Here is a video demonstrating the remote terminal lockout.