Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PsShutdown. ( logging who sent the command to my system)

Status
Not open for further replies.

tdrclan

Programmer
Sep 18, 2007
52
US
How do I tell what computer sent a PSshutdown command to my computer?

last night at 6:30 my machine shutdown.
the log shows the administrator account was used but no workstation id was listed.

is there a way to log where the psshutdown is coming from???

TIA
Tim
 
I'm not sure there is. As a test, I shutdown my second PC and reviewed the logs and while it listed which account executed the command, no PC was listed.

If there is firewall software installed on your PC and it's running, perhaps it logged something
 
From here
Every time when you execute remote operation with PsShutdown, it installs and starts service on target PCs though an access to their Admin$ shares. Then PsShutdown sends command to service and once operation is complete, it stops and uninstall service.

I think, you should look for service creation and deletion. It works if you have user privilege auditing enabled, which by default is off on workstations.

===
Karlis
ECDL; MCSA
 
If you go into Event Viewer try looking for an Event ID "4674" or "7035." I don't think it will tell you were the command came from exactly, but if you filter through the tabs you might get something.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top