VBS script problem

 From:  PNCOOL  
 To:  ALL
40631.1 
Right, I know next to nothing about coding.  It's not something I've ever enjoyed or wanted to do, but sometimes it becomes a necessity in my job and this current problem has me stumped.

We've got a bunch of clever shit kids at the moment that have worked out how to bypass all of the group policies set for our Windows 7 desktops by removing the network cables for said machines at certain points in time.  They pull it out on a reboot so that it gets none of the machine policies and then put it back in.  They log in and then pull it out again after about 10 seconds so that they don't get all of their user policies either.  That seems to get Windows 7 giving them some kind of default profile that enables them to get to the run command, regedit and the C drive.  This gives them the power to do what they like (which is usually to uninstall the anti-virus, install a remote tool and then piss off any users on that machine afterwards).  We never had this problem with XP, so I don't know why Windows 7 makes it so easy to get full rights in.

Anyway, lots of people on forums suggest using a script to do it that runs as they log in.  It checks to see if they've got a mapped home drive (as that's one of the last things to be done in a GPO) and if it's not there, logs them off again.  I'll post the script below.  The problem I'm having is that my machines don't seem to run this script if I run it via the registry, which is what they're all suggesting.  They say to put an entry in HKLM->Software->Microsoft->Windows->CurrentVersion->Run that runs the .vbs file, but it just doesn't seem to run... as anyone.  If I run the script myself however, it runs fine.

Any ideas?  Do I have to be really specific with what I put in the registry entry?  I've tried the path it lives in, the path it lives in with either wscript and cscript at the start and also used double "\\" in the path as someone suggested that, but no luck.

Code:
'check for unplugged network cord during logon
'checks for mapped drives
'merge registry key to run
'| Windows Registry Editor Version 5.00
'| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
'| "check-home-dir"="\"C:\\WINDOWS\\vbs_logoff.vbs\""
'copy this vbs file to c:\windows directory

Option Explicit ' Added By SM

Dim strUserName
Dim WshShell, WshNetwork, ObjFSO
Dim intReturn

Set WshShell = CreateObject("WScript.Shell")
Set WshNetwork = CreateObject("WScript.Network")
Set ObjFSO = CreateObject("Scripting.FileSystemObject")

' Wait until the user is really logged in... Added by SM
' (WScript.Network.UserName stays empty until the logon has completed)
While strUserName = ""
    WScript.Sleep 100 ' 1/10 th of a second
    strUserName = WshNetwork.UserName ' Get the user name
Wend

If strUserName = "Administrator" Then
    'Ignore the admins ;-) Added By SM
Else
    'Check if the home drive is there... Added By SM
    If ObjFSO.DriveExists("z:") Then
        'Yes it is, bail out... Added By SM
    Else
        'No it's not, has the network cable been pulled... Added By SM
        ' Popup returns 1 when OK is clicked and -1 when the 8 second timeout expires
        intReturn = WshShell.Popup("Please ensure the network Cable is plugged in or the Wireless Button is on.", 8, "Login Error", 0)

        If intReturn = 1 Then ' Trap the button click... Added By SM
            'Wscript.Echo "You clicked the ok button. This would log you off"
            WshShell.Run "logoff.exe"
        Else ' The popup timed out, log the user off... Added By SM
            'Wscript.Echo "The popup timed out. This would log you off after a timeout"
            WshShell.Run "logoff.exe"
        End If
    End If
End If

 



PNCOOL


 From:  koswix  
 To:  PNCOOL     
40631.2 In reply to 40631.1 

 ▪                    
             ┌────┐    ┌────┐                      
          │    │    │    │ ▪                    
          │    └────┘    │                      
          │   ──┐  ┌──   │ ▪                    
   ┌──────┤    ▪    ▪    │                      
  ┌┘      │              │ ▪                    
┌─┤       └──┐  │  │  ┌──┘                      
│ │          │ ││  ││ │   ┌─┐                   
│ │          └─┼┤  └┴─┴───┘ │                   
│ │           ─┘│           │                   
│ │   ┌──────┐  └┬──────────┘                   
  │   │      │   │                              
  │   │      │   │                              
  └───┘      └───┘                              
If Feds call you and say something bad on me, it may prove what I said are truth, they are afraid of it.


 From:  patch  
 To:  PNCOOL     
40631.3 In reply to 40631.1 
Just ban the accounts of anyone who does that kind of thing. Problem solved.

 From:  Drew (X3N0PH0N)  
 To:  PNCOOL     
40631.4 In reply to 40631.1 
Harness that creative energy and get the kids to fix it :Y

 From:  Matt  
 To:  PNCOOL     
40631.5 In reply to 40631.1 
Isn't the more important thing trying to work out what this default profile is (is it a local machine profile?) and why it isn't locked down and password protected?

Seems like there is something much more fatally flawed if they can gain access to the local machine with Administrator privileges that easily.

doohicky


 From:  PNCOOL  
 To:  Matt     
40631.6 In reply to 40631.5 
That's just it, they're logging into a network profile and when it loads, they remove the network cable before it's got all of the GPO settings, effectively giving them lots more rights.  So it's their profile, only it hasn't fully loaded.


PNCOOL


 From:  Peter (BOUGHTONP)  
 To:  PNCOOL     
40631.7 In reply to 40631.6 
You're doing something wrong.

I have no idea what, but if a correctly setup modern Windows network can be circumvented by temporarily pulling a network cable it would be all over the news and everyone here would probably already know about it. (And Microsoft would be working on a real patch, not a VBS kludge.)

The process of loading a profile should add privileges, not give full admin rights then remove them.


 From:  PNCOOL  
 To:  Peter (BOUGHTONP)     
40631.8 In reply to 40631.7 
They can't circumvent domain privileges, but they can circumvent ones locally.  They pretty much end up with local admin rights.


PNCOOL


 From:  Matt  
 To:  PNCOOL     
40631.9 In reply to 40631.8 
But that's kinda the point, why isn't the default profile locked down and if it isn't can you change the default profile so it is locked down or put a password on it?

Not saying you're doing it wrong, just that's what I would be looking to change rather than use a hack in the form of a VB script.

doohicky


 From:  PNCOOL  
 To:  Matt     
40631.10 In reply to 40631.9 
Do you know how you change the default profile though?


PNCOOL


 From:  Matt  
 To:  PNCOOL     
40631.11 In reply to 40631.10 
No, I don't. But the profile must be being loaded from somewhere, so you must be able to change it.

Link: http://www.mombu.com/microsoft/windows-group-policy/t-group-policy-being-bypassed-by-unplugging-the-network-cable-511604.html

doohicky


 From:  Kenny J (WINGNUTKJ)  
 To:  Matt     
40631.12 In reply to 40631.11 
I like that their forum filters the "cum" out of "circumvent".

Kenny

 From:  PNCOOL  
 To:  Matt     
40631.13 In reply to 40631.11 
Aha, you actually just copy another profile and make it the default.  Nice one, I'll try that.


PNCOOL


 From:  PNCOOL  
 To:  Kenny J (WINGNUTKJ)     
40631.14 In reply to 40631.12 
I bet no one on that forum lives in Scunthorpe then.


PNCOOL


 From:  af (CAER)  
 To:  PNCOOL     
40631.15 In reply to 40631.1 
I may be completely off target here, but could the problem be that you need to use an actual executable in the registry entry, and supply the script's filename as a parameter?

Like instead of just

"C:\Windows\HackyScript.vbs"

you'd have

"C:\Windows\RunVBScript.exe C:\Windows\HackyScript.vbs"
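What af's suggestion looks like with the real script host, written out as an added example (not code from the thread): the Run value launches wscript.exe explicitly instead of relying on the .vbs file association, and the entry is read back so it can be checked. It assumes the script was copied to C:\Windows\vbs_logoff.vbs as the script's own header says, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: register the logon check under the
# HKLM Run key with wscript.exe named as the host (assumed path below).
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'check-home-dir'
$script    = 'C:\Windows\vbs_logoff.vbs'   # assumed location, per the script header

if (-not (Test-Path $script)) { throw "Script not found: $script" }

# //B (batch mode) stops a script error from leaving a dialog on the logon screen;
# //Nologo drops the banner. Both paths are quoted in case they ever contain spaces.
$command = "`"$env:SystemRoot\System32\wscript.exe`" //B //Nologo `"$script`""

Set-ItemProperty -Path $runKey -Name $valueName -Value $command -Type String

# Read the value back rather than assuming the write landed.
Get-ItemProperty -Path $runKey -Name $valueName | Select-Object -ExpandProperty $valueName
```

This only gets the script launched reliably; as Matt and Peter point out further up, the durable fix is the profile the users land in when policy has not applied, not the logoff script.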

 From:  graphitone  
 To:  PNCOOL     
40631.16 In reply to 40631.14 
Or Penistone...

 From:  Kenny J (WINGNUTKJ)  
 To:  graphitone     
40631.17 In reply to 40631.16 
Bawdrip should be fine though...

http://i.imgur.com/XRbGpt2.jpg

Kenny

 From:  graphitone  
 To:  Kenny J (WINGNUTKJ)     
40631.18 In reply to 40631.17 
As if anyone knows anything about coding living in Bawdrip. All their time is taken up gossiping about their town's name. I'm sure it sounds more salacious when spoken with your subtle, yet sonorous lilt. </s's>

Quote: From the Bawdrip wikipedia page...
and most of the houses are far enough away to qualify for free bus transport

Wow, I wish I lived in a far away house so I could get a magical free bus service too.


 From:  Drew (X3N0PH0N)  
 To:  graphitone     
40631.19 In reply to 40631.18 
Apostrophes do not make fucking plurals.

 From:  graphitone  
 To:  Drew (X3N0PH0N)     
40631.20 In reply to 40631.19 
 :-(( I needed something in there to define what I meant. In hindsight I should've typed /Ss. However that looks like I'm trying to either refer to or close the SS down and what a nice neighbourly bunch of boys they were. Not that that's got anything to do with a farcical HTML tag. I'm sure there's (probably) a point in there somewhere, but I've been distracted by breakfast and work and any train of thought I had going has pulled out of the station leaving all the passengers behind looking confused and disgruntled.