
How to crash a PC by editing the registry

Status
Not open for further replies.

imheywood

Technical User
Nov 14, 2003
31
GB
I have been informed by a colleague that a member of staff has changed the registry so that on a specific date & time the machine will crash. This change has been done to about 100 machines! Can anyone suggest where to start looking in the registry for any changes. Thanks
 
I think it could be in a number of places in the registry, but wait and a number of more informative posts will surely appear to answer that question.
What I would like to say is:
Has this member of staff been asked anything about what he/she has done....why did they do it....what did they do......have they been disciplined yet......are you sure that this isn't just a wild goose chase....how did they do it to 100 PCs without anyone stopping them...why did they have admin rights on that many PCs?
This sounds like a wild goose chase...first option would be to talk to the member of staff involved.

***************************************
Looking for the best answers:
faq222-2244
Keeping your system clear of malware:
faq608-4650
***********************************
Don't forget to post back with the eventual resolution.
***************************************
 
The person who did it had admin rights as they worked in the IT dept and they also left last week! I agree it may be a wild goose chase but I need to have a look. I was informed by another member of my team.
If it is a wild goose chase I don't want to be spending hours looking, but then again need to be sure.......
 
There are a number of ways this person could have done this without directly manipulating the registry: setting up a scheduled task, for example....
Best option: get in contact with him, threaten legal action and ask what he did.
Otherwise wait for a more apt reply here.

 
open regedit and look in hkey local machine\microsoft\windows\current version\run for reference to a program, or as stated, check the scheduled tasks...start/programs/accessories/system tools/scheduled tasks.

If you find any scheduled tasks, delete them. If you're stuck on the registry part, post back and we'll try to help. If he edited the registry, it could be anywhere really. That's like a needle-in-the-haystack thing. Startup sections such as the one example I referred to are *most likely* where this was done, depending on his level of expertise.

pbxman
Systems Administrator

Please let Tek-Tips members know their posts were helpful.
 
Anything done would have to appear in the Run keys of the registry, or as kippy13 noted, a scheduled task.

If you post a Hijack This log here, we can all help to clean any registry entry.

You can review and remove any Scheduled Task by looking at the Control Panel, Scheduled Task listing of jobs.

kippy13 makes an excellent point that you should not dismiss. I am uncertain where you are located, but in the US there are nearly draconian laws for abuse of a computer network as you described. The penalties are impressive, and at the moment enthusiastically enforced by both prosecutors and judges.

I would call the local police and make a formal incident report. This sort of problem is no longer considered a harmless prank.

I suspect you will find the individual remarkably compliant about fixing any surprise he may have left after a visit from your local police detective squad. Likely there will be a member of your State Police and the FBI when they have a chat with the fellow. This sort of antic is not treated as a funny prank in the US anymore.
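The Run keys and the scheduled-task list that kippy13 and bcastner point at are the usual autostart evidence to collect, and on 100 machines it is quicker to export them and triage the exports than to click through regedit on each box. As an added example (not code from any poster in this thread), the Python script below reads a constructed regedit export of the HKLM Run key and a constructed `schtasks /query /fo CSV /v` export (the column subset, the host name WS042 and the user name are assumptions), and flags autostart values that run from scratch directories plus one-shot tasks whose start date is still in the future relative to the date of the original post.

```python
"""Offline triage of Windows autostart evidence (added example, not code from
this thread). Parses a regedit export of a Run key and a `schtasks /query /fo
CSV /v` export, and flags entries that fit a date-triggered autostart."""
import csv
import io
import re
from datetime import date, datetime

# Constructed sample of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`
# (real exports are UTF-16; backslashes and quotes are escaped with a backslash).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Updater"="C:\\Windows\\Temp\\svchost.exe /s"
'''

# Constructed subset of `schtasks /query /fo CSV /v` columns from a host named WS042 (assumed name).
SCHTASKS_CSV = '''"HostName","TaskName","Next Run Time","Author","Task To Run","Schedule Type","Start Time","Start Date","Run As User"
"WS042","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Disabled","Microsoft Corporation","%windir%\\system32\\defrag.exe -c","Weekly","01:00:00","01/01/2003","SYSTEM"
"WS042","\\Cleanup","25/11/2003 17:30:00","WS042\\jdoe","C:\\Windows\\Temp\\svchost.exe /s","One Time Only","17:30:00","25/11/2003","SYSTEM"
'''

THREAD_DATE = date(2003, 11, 14)  # date of the original post, used as "today"

# Heuristic (an assumption of this example): legitimate autostarts rarely live here.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\recycler\\")

# "name"="value" line in a regedit export; both sides may contain backslash escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo regedit escaping: a backslash escapes the character that follows it.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_run_keys(text):
    """Return autostart values found under any Run / RunOnce key in a regedit export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.rsplit("\\", 1)[-1].lower() not in ("run", "runonce"):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, "name": _unescape(m.group(1)),
                            "command": _unescape(m.group(2))})
    return entries


def _suspicious_path(command):
    return any(d in command.lower() for d in SUSPICIOUS_DIRS)


def triage(reg_text, schtasks_text, today, date_fmt="%d/%m/%Y"):
    """Return (source, name, command, reason) tuples worth a human's attention."""
    findings = []
    for e in parse_reg_run_keys(reg_text):
        if _suspicious_path(e["command"]):
            findings.append(("registry", e["name"], e["command"],
                             "autostart from a scratch or user-writable directory"))
    for t in csv.DictReader(io.StringIO(schtasks_text)):
        cmd = t.get("Task To Run", "")
        reasons = []
        if _suspicious_path(cmd):
            reasons.append("runs from a scratch or user-writable directory")
        if t.get("Schedule Type") == "One Time Only":
            try:
                start = datetime.strptime(t["Start Date"], date_fmt).date()
                if start > today:
                    reasons.append("one-shot task not due until " + start.isoformat())
            except (KeyError, ValueError):
                reasons.append("one-shot task with an unparsable start date")
        if reasons:
            findings.append(("task", t["TaskName"], cmd, "; ".join(reasons)))
    return findings


def run_example():
    return triage(REG_EXPORT, SCHTASKS_CSV, THREAD_DATE)


if __name__ == "__main__":
    for source, name, command, reason in run_example():
        print(f"[{source}] {name}: {command}  <- {reason}")
```

Run against exports collected from each machine, the script turns the needle-in-a-haystack search into a short list: the SoundMAX driver and the weekly defrag task pass, while the Run value and the one-shot task that both launch a binary from `C:\Windows\Temp` are reported. The directory heuristic is deliberately crude; the more reliable signal is the diff between a machine's autostart exports and those of a known-clean image.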
 
I have looked in the HKLM\..\currentversion\Run etc. Basically the common places that things usually get entered in the registry. Gonna keep looking though!
 
Also check that they haven't installed the Blue Screen of Death screensaver as well.

John
 
If they have done this and managed to do it to 100 PCs you would expect that it was some pushdown that was used to affect all 100 PCs.
Did this user have access to logon scripts or policies?
More importantly get the police onto this guy.


 
imheywood

Is there any possibility that your colleague was having a joke at your expense when he told you?

John
 
This is what I was thinking as well, as mentioned in my first post.
It's easily possible that this is a wind up.
The only way to find out is to threaten to bring in the police.

 
Perhaps this ex-employee is just waiting to call a lawyer when accused of network terrorism (false accusations). Should be worth some real fine cash if you act rashly. I would call a lawyer before discussing this with anyone in your firm. If this "ex" has discussed his little plan with multiple employees, you have witnesses; with one person it is hearsay. Without real evidence, no court will convict. Forget the police and concentrate on the machines.

Aside from checking the registry, you might perform a search on a few computers for files created in the last month and have the IT department look at the results.

If the guy is really good he could have multiple ways to exploit the machines aside from a scheduled task, such as a service or device driver.

The odds of this "ex" actually doing something like this are extremely low. Every tech knows being dragged into court would be extremely expensive even if not convicted. 25 years ago I knew someone who wiped a mainframe, but have never heard of anyone destroying anything more than a workstation since.
 
I wasn't told personally. He told somebody else in the dept. The guy doesn't like me, he hates the company and he basically had nothing to do so had plenty of time to tamper with computers. I'm getting the person who he told to email him and tell him that she is gonna grass him up. See what he does then!!
 
If you have not yet found anything try this:

Take an image backup of one of the affected PCs.
If you know the date and time of the attack, set the PC ahead and see what happens (should be disconnected from the network when doing this).
If you don't know the date and time, try a few different dates.

It could also be that these machines are listening for something to trigger the action from another machine. Look for any strange listening ports.
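wcburton's last point, a remote trigger, is checked the same way as the autostarts: capture `netstat -ano` on the suspect machine and compare it with the same capture from a known-clean image. As an added example (not code from any poster in this thread), the Python below parses constructed `netstat -ano` output from one XP workstation (addresses, ports and PIDs are made up) and reports every bound socket whose protocol and port are absent from a constructed baseline set.

```python
"""Baseline comparison of listening sockets (added example, not code from this
thread). Parses constructed `netstat -ano` output from one workstation and
reports bound ports absent from a baseline captured on a known-clean machine."""

# Constructed sample of `netstat -ano` on an XP workstation (addresses and PIDs are made up).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       1492
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed baseline: (protocol, port) pairs bound on a freshly imaged, known-clean machine.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 445)}


def parse_netstat_ano(text):
    """Return one dict per socket line; UDP lines carry no State column."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        ip, _, port = local.rpartition(":")  # rpartition also copes with "[::]:135"
        sockets.append({"proto": proto, "ip": ip, "port": int(port),
                        "state": state, "pid": pid})
    return sockets


def unexpected_listeners(text, baseline):
    """Bound sockets (TCP in LISTENING state, or any UDP) whose (proto, port) is not in the baseline."""
    return [s for s in parse_netstat_ano(text)
            if (s["proto"] == "UDP" or s["state"] == "LISTENING")
            and (s["proto"], s["port"]) not in baseline]


if __name__ == "__main__":
    for s in unexpected_listeners(NETSTAT_SAMPLE, BASELINE):
        print(f"{s['proto']} {s['ip']}:{s['port']} (pid {s['pid']}) is not in the baseline")
```

Only the socket on TCP 9090 comes back; the outbound ESTABLISHED connection is ignored because it is not a listener. The PID in the report is the thread to pull next: `tasklist` maps it to a process name, and the service or driver that owns that process is where the persistence lives. Running the same comparison across all 100 machines also distinguishes one odd workstation from a pattern pushed to the whole estate.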
 
Regardless of legal repercussions, if someone really has done this, simply run a repair on the OS. It will rebuild all system and system-required registry entries, replace corrupted and missing system files...blah, blah, blah....if this is a corporate environment then the systems should be recoverable with little more than an hour's work over the network...

Cheers,

J
 
JatCan, that's an hour's work multiplied by 100 systems. If you re-install the OS over the existing OS, you don't remove registry keys that have been added. If you re-install the OS in such a way as to wipe out the old registry, you lose your user data, profiles, and registry info needed for installed applications.

The suggestion from wcburton about imaging a system then advancing the date sounds like it will give you the best info regarding any damage that may have been done.

G.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
There are only 10 kinds of people; those who understand binary and those who don't...
 