Windows – How to remotely perform a kill-switch on Windows 7

Tags: forensics, remote-access, windows, windows 7

I need to remotely perform a kill-switch on a Windows 7 Enterprise computer connected to an AD. Specifically, I need to

  • remotely access the machine without visible user interaction (I have a domain account which is administrator on the machine)
  • make it so that the machine is not usable (crashes/reboots and does not boot back)
  • preserve the contents of the machine (be able to document what was changed)

The machine must be damaged enough that basic+ troubleshooting fails and requires it to be brought to a company help desk.

In order to anticipate comments: I understand that this sounds shady but this action is required, authorized and legal – within a corporate environment.

Coming from a Unix background, I do not know what is feasible remotely on a Windows machine. Ideally (and again, with a Unix background in mind) I would be looking at actions like

  • erasing the MBR and forcing a reboot
  • removing key .dlls which would not be automatically recovered during a safe boot

EDIT following comments: this is a very specific forensics case which needs to be handled via this convoluted way.

Best Answer

You don't need to actually destroy the machine; just force it to shut down and lock out the user.

  • Run shutdown /m <machinename> /f /t 0 to force a computer shutdown.
  • Disable the Active Directory user account for the user.
  • Disable the Active Directory user account for the computer.

Just make sure to shut down the computer before disabling its account, otherwise you will be locked out from remote management because it will no longer be able to authenticate anyone against the domain, including yourself.

If the user also has a local user account on the target computer, you can disable it before performing the above steps; you can do so by starting the Computer Management MMC on any other computer as a domain administrator and connecting it remotely to the computer you want to manage; from there, you can also take any other necessary steps to make sure nobody can log in to the machine using local user accounts (such as disabling them or changing their passwords).

Side note: if this is for legal/compliance issues, this is a very strong reason to not change or delete anything on the machine; otherwise the user could later say (perhaps correctly) the machine has been tampered with; also, if you delete anything on the filesystem, you could lose valuable data (who can tell if the user has stored personal files or applications in system folders?).
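The containment sequence the answer describes (force shutdown, confirm the host is offline, then disable the user and computer accounts, touching nothing on disk), written out as a PowerShell script. This is an added example, not code from the answer; it assumes the RSAT ActiveDirectory module is available in a domain-admin session, and the $Computer and $User parameters are placeholders for the host and account under review.

```powershell
# Added example (not from the original answer): containment of a Windows 7
# domain member in the order the answer requires. Assumes RSAT ActiveDirectory
# module and a session with rights to shut the host down and edit AD accounts.
param(
    [Parameter(Mandatory)] [string] $Computer,  # host name, e.g. 'WS-EXAMPLE01' (placeholder)
    [Parameter(Mandatory)] [string] $User       # sAMAccountName under review (placeholder)
)
Import-Module ActiveDirectory -ErrorAction Stop

# Remote-management reachability check over WMI/DCOM, the same channel a
# remote shutdown or Computer Management session relies on (not ICMP, which
# the Windows 7 firewall often blocks and which would give a false "offline").
function Test-RemoteMgmt([string] $Name) {
    $null -ne (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Name `
               -ErrorAction SilentlyContinue)
}

# 1. Force an immediate shutdown (equivalent of: shutdown /m \\$Computer /f /t 0).
Stop-Computer -ComputerName $Computer -Force -ErrorAction Stop
Write-Host "Shutdown request sent to $Computer at $(Get-Date -Format s)"

# 2. Wait until the host stops answering before touching its computer account.
#    Disabling the account while it is still up would lock you out of remote
#    management as well, since the host could no longer authenticate anyone.
$deadline = (Get-Date).AddMinutes(5)
while ((Test-RemoteMgmt $Computer) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 10
}
if (Test-RemoteMgmt $Computer) {
    throw "$Computer still answers remote management; not disabling its account while online."
}

# 3. Disable the user's domain account, then the computer account.
#    Nothing on the host's disk is modified, so its contents are preserved.
Disable-ADAccount -Identity $User
Get-ADComputer -Identity $Computer | Disable-ADAccount

# 4. Record what changed, with AD's own change timestamps, for the case file.
Get-ADUser -Identity $User -Properties Enabled, whenChanged |
    Select-Object SamAccountName, Enabled, whenChanged
Get-ADComputer -Identity $Computer -Properties Enabled, whenChanged |
    Select-Object Name, Enabled, whenChanged
```

Disabling the accounts changes only directory objects on the domain controller, so the host's own filesystem remains as it was when it shut down, which is what the side note about tampering claims asks for.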