92

This might sound weird. My colleague and I were working on a Windows machine. He frequently shuts it down through the LAN.

He usually follows these steps:

  1. Access command prompt, enter shutdown -i.
  2. Choose my IP address, click on Shutdown.
  3. Select a timeout of 2–3 seconds.
  4. Click OK

Unfortunately, I cannot disable remote access to my computer. Is there a way to prevent this?

Simon
BlueBerry - Vignesh4303
  • 148
    Perhaps you could ask him to stop shutting down your computer remotely as well? It's a waste of company time and resources. – Thomas Feb 15 '14 at 07:42
  • 16
    We made a game of this in Uni trying to remote shutdown each other's PC. We all got very good at going Win+r 'shutdown -a' – 50-3 Feb 15 '14 at 07:43
  • 20
    With great power comes great responsibility. – Chris Feb 15 '14 at 09:57
  • 1
    Adjust your Windows Firewall settings to prevent this – Ramhound Feb 15 '14 at 11:18
  • 1
    Is he the network admin? Do you have local admin rights? You say "were" so the situation is no more there? – Bleeding Fingers Feb 15 '14 at 19:22
  • 5
    @Thomas see your point, but isn't it a worrying example of stupidity of default Win 7 setup? *Anyone* can shut down your machine by default?? Is Microsoft for real? – Tomas Feb 16 '14 at 09:33
  • 21
    You could either ask him to stop, kindly, or less kindly, ask your superior to make him stop, or plug your/his machine off the network. Just, don't break his arms. It's not considered "acceptable retaliation". – Kheldar Feb 16 '14 at 23:21
  • 23
    It's unfortunate that the highest-voted answer, although confirmed by several mods as being on-topic, is now locked and cannot be upvoted; while the technical solution, which many of us obviously believe to be missing the point, is still open for voting. Just saying. – alexis Feb 17 '14 at 12:07
  • 3
    I am a little confused about which answer to accept. Technically MAKZ's answer solves the problem, but David's answer solves the issue. Which to accept? :( – BlueBerry - Vignesh4303 Feb 17 '14 at 12:09
  • 4
    @BlueBerry, I recommend you accept the one that, *in your opinion,* gives you the most useful advice. The problem you described has a social aspect, so you're not constrained to "accept" a technical solution. It's your choice. (I think my own preference is clear ;-)) – alexis Feb 17 '14 at 16:31
  • @Tomas: no, by default you need Administrator privilege to remotely shut down a computer. Odds are the colleague does indeed have admin privilege, though it's also possible that the machine is configured improperly. – Harry Johnston Feb 17 '14 at 20:13
  • @HarryJohnston *"by default you need Administrator privilege to remotely shut down a computer."* - you mean Administrator privilege on *his own* machine, not the remote one? That can be anyone! Just bringing his laptop and connecting to the LAN. This is definitely not safe. – Tomas Feb 17 '14 at 21:12
  • 2
    Harry is correct. By default, you need administrator rights on the remote machine, the one being shut down. Some machines are misconfigured, like Harry said, or some companies put everyone in the local admins group. Higher education is notorious for things like this. – Patrick Seymour Feb 17 '14 at 21:16
  • 2
    @Tomas: no, you need to be an administrator on the machine you're trying to shut down. I'd have thought that was obvious! – Harry Johnston Feb 17 '14 at 21:24
  • @all Is it possible that the colleague sneaked into his PC and created an admin account and hid it? – MAKZ Feb 18 '14 at 03:03
  • 4
    @MAKZ **colleague is not network admin and we both are just domain users** – BlueBerry - Vignesh4303 Feb 18 '14 at 05:38
  • @alexis The answer had to be locked to prevent the comments from escalating. It's now unlocked again and we're watching it. – slhck Feb 18 '14 at 12:11
  • 1
    Collect the evidence (logs), and present them to superiors/human department? If they are not completely incompetent the problem will be resolved. – this Feb 18 '14 at 13:41
  • 4
    @BlueBerry-vignesh4303: if your colleague does not have admin credentials on your machine, then there's something wrong with the machine. Non-admin users are not supposed to be able to shut down machines remotely. Get your IT support staff to investigate. – Harry Johnston Feb 18 '14 at 19:54
  • What does `net localgroup Administrators` (run from the command line) show? – Harry Johnston Feb 18 '14 at 20:42
  • @BlueBerry-vignesh4303 - Why does he do that ? Anyway, thanks for the question. This could be a good prank though. – Steam Feb 18 '14 at 22:50
  • 3
    Have you considered blackmail? – ErikE Feb 19 '14 at 01:05
  • 1
    So there's a guy who uses pranks to form relationships with his coworkers. You can either shut him down, or play pranks on him. Have you tried pranking him back? Easy method would be to buy a wireless keyboard and mouse, and put the tiny dongle into his machine. Whenever he shuts down your computer, shut his down, or put a brick on the space bar until your computer comes back up, or send an email, or start his browser and load an annoyingly loud website, or, or, or. Once he removes the dongle, hide a noisemaker around his cube, etc, etc. harmless pranks don't have to be a bad thing. – Adam Davis Feb 19 '14 at 15:45
  • 1
    I'd punch him in the face. – Big McLargeHuge Feb 21 '14 at 06:18
  • 1
    See if [this](http://www.thewindowsclub.com/prevent-users-shutting-down-restarting-windows-computer) article might help you – Mr. Alien Feb 23 '14 at 19:12

8 Answers

197

You are seeking technical solutions to a social problem and you're trying to address the symptoms instead of the underlying cause. This runs the risk of failure if he finds some other way of shutting down your machine.

Talk to your friend and remind him that you're not pals messing about at university, any more: you're professionals being paid to do a job. His behaviour is completely unacceptable in the workplace. He is deliberately stopping you from doing your job which, ultimately, is putting your job at risk. What happens when your boss calls you in to explain your poor performance? Do you accept the blame and get yourself fired? Or do you blame your friend and get him fired? Friends don't put friends in that situation.

Tell your friend that he needs to stop. Right now. Period. If he doesn't, you're going to have to talk to management.

David Richerby
  • 58
    Since there's been some concern about the non-technical nature of this answer: [We discussed a similar case a few years ago on the meta site](http://meta.superuser.com/questions/3410/are-purely-non-technical-answers-to-technical-problems-on-topic) and the consensus is: While questions need to be technical to be on topic, answers don't. They need to answer the question. Which this one does. – Daniel Beck Feb 15 '14 at 19:23
  • 1
    Stopping one person in this manner may work, but what happens when an anonymous script kiddie happens onto this security hole? – Nick T Feb 20 '14 at 23:15
  • 2
    @NickT If the vulnerability is accessible from outside then a technical fix on the OP's machine won't help much, either, since every other machine in the company will need the same fix. – David Richerby Feb 20 '14 at 23:18
  • +1 for recognising the difference between a technical and a business situation. – user1725145 Feb 25 '14 at 09:17
  • Yes, it seems logical that social problems are most often better dealt with social counter-actions. (In some cases, not excluding retaliation). – Stephane Gosselin Feb 27 '14 at 15:38
162

Run gpedit.msc and try disabling the option as shown below. Restart your PC to see if it works:


nixda
MAKZ
  • 24
    The right to shut down without logging on pertains to local console shutdowns. For remote shutdowns, you should go to Local Policies | User Rights Assignment | Force shutdown from a remote system. – Patrick Seymour Feb 15 '14 at 15:52
  • 1
    @PatrickS. thanks, but that security setting `determines which users are allowed to shut down`, and its default value is `Administrators`. Apparently his colleague is not an Administrator on his PC – MAKZ Feb 15 '14 at 15:58
  • 14
    +1 Finally a real answer. Enjoy the "Good answer" badge. – Tomas Feb 16 '14 at 09:40
  • 3
    @MAKZ I didn't see any mention that his colleague is not an admin. Also, it is the case that the policy you mention pertains to local (console) shutdowns. Read the explanation of the policy. – Patrick Seymour Feb 16 '14 at 21:36
  • And if IT at this company has a legitimate reason to shut down the computer? After pushing a security update, for example? – Ben Feb 17 '14 at 00:48
  • @PatrickS. the explanation of the policy reads `In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.` – MAKZ Feb 17 '14 at 00:55
  • 1
    @Ben If the company is an admin on his PC, then they may remote login and then perform a remote shutdown. But the colleague is not likely an admin. If the colleague is an admin, he has the same authority to remote shutdown as the company has, and he is misusing it – MAKZ Feb 17 '14 at 00:57
  • 4
    If the colleague weren't an admin, he wouldn't be able to shut down the machine remotely (unless the machine is badly misconfigured). The setting you've indicated is completely irrelevant. – Harry Johnston Feb 17 '14 at 20:16
  • @MAKZ Right before that, it talks about the Windows logon screen. – Patrick Seymour Feb 17 '14 at 20:41
  • When you use `shutdown.exe` to shut down a remote machine, the first thing it does is to use your account credentials to log into that machine. So while the explanation quoted above is absolutely correct, it isn't relevant to this situation, because the user *is* logged in. – Harry Johnston Feb 17 '14 at 22:59
  • @HarryJohnston but his colleague is not ! – MAKZ Feb 18 '14 at 03:34
  • 1
    If you are on Home Premium, by copying some DLLs and registering some components from the Windows 7 DVD (or Windows 8, if you have to) you can get gpedit. So this works for everyone. – Wyatt Ward Feb 18 '14 at 13:35
  • that requires **sneaking** – MAKZ Feb 18 '14 at 13:38
  • 2
    @MAKZ: the colleague is using `shutdown.exe` to shut down the OP's machine. This only works because `shutdown.exe` uses the colleague's network credentials to log into the OP's machine. So the colleague *is* logged in. – Harry Johnston Feb 18 '14 at 19:51
  • This could be avoided by psexec'ing most likely. – Yet Another User Nov 14 '15 at 21:20
48

The policy you want to change is in

Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment

Locate the policy named "Force shutdown from a remote system." By default, this policy has a value of Administrators. Just edit it to be an empty list, or put your friendly trusted IT person in there instead.

[Screenshot: policy to force shutdown remotely]


A note about "Shutdown: Allow system to be shut down without having to log on"

This policy applies to local shutdowns only. That is, it controls whether someone present at the computer can shut it down without having to log on first. By default, this policy is Enabled on workstations, and you can see the shutdown button in the lower right corner of the Windows logon screen.

[Screenshot: local shutdown allowed]

If you set this policy to Disabled, you will no longer see the shutdown button on the logon screen. A user would have to log on to the computer to shut it down. This is typically how servers are set up.

[Screenshot: local shutdown prohibited]

This policy does nothing to prevent a remote shutdown. You can try it yourself on a system that you can shut down remotely. Set this policy to Disabled, and you will still be able to shut down that system.


A note about the Remote Registry service

Disabling the Remote Registry service does not prevent remote shutdowns. Remote Registry only affects the ability of the Shutdown Event Tracker to record the reason for the shutdown. If the reason cannot be recorded, the shutdown still occurs.

Patrick Seymour
  • 1
    Note, however, that if you have administrator access, you can bypass this policy if you really want to. It just makes it a little trickier. The bottom line is that if the bad guy has admin to your machine, you've already lost. – Harry Johnston Feb 17 '14 at 21:27
  • @HarryJohnston Not disagreeing, but how is that done? I might need to prevent that in the future, if possible. Maybe I shouldn't ask in public. :) – Patrick Seymour Feb 17 '14 at 21:28
  • 1
    Well, as an example, you could use `psexec` to run `shutdown` on the machine locally. The "deny access to this computer from the network" policy should block this class of attack, but may also prevent legitimate access as in the OP's situation. – Harry Johnston Feb 17 '14 at 23:02
  • 2
    True. I always worry about telling people how to set policies in a corporate environment. Hate to make a fellow IT geek mad. – Patrick Seymour Feb 17 '14 at 23:07
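
One way to check the settings this answer and its comments discuss, as an added example that is not part of the original posts: the script lists who holds the "Force shutdown from a remote system" right, who is in the local Administrators group, and which accounts recently requested a shutdown. It assumes an elevated PowerShell prompt; the temporary file name is constructed for the example, and event ID 1074 in the System log is where Windows records an initiated shutdown together with the requesting account.

```powershell
# Added example (not from the original posts). Run from an elevated prompt:
# secedit needs administrator rights to export the security policy.

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as "*S-1-5-..."; plain account names have no asterisk.
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*')) { return $value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$value (unresolved SID)"
    }
}

# 1. Who holds "Force shutdown from a remote system" (SeRemoteShutdownPrivilege)?
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # constructed temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteShutdownPrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' | Where-Object { $_.Trim() })
}
'Force shutdown from a remote system:'
if ($holders.Count -eq 0) {
    '  (empty list)'
} else {
    $holders | ForEach-Object { '  ' + (Resolve-Principal $_) }
}

# 2. Who is a local administrator? Domain groups listed here widen the set.
net localgroup Administrators

# 3. Recent shutdown requests: System log event 1074 names the account
#    on whose behalf each shutdown was initiated.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 10 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```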
18

This is a simple way to fix this problem without admin privileges.

But still... talk to your colleague, man. I leave this with the community for any circumstances where disciplinary action is not readily available, e.g. an internet cafe.

Put the code below in a new text file, then change the .txt extension to .bat.

If you do not see the .txt extension, go into:

  1. "Folder and search options"
  2. Uncheck "Hide file extensions for known file types".

If on Windows 8.1/8, in the My Documents window, click the View tab and find the Options button.

Shutdown abort code; remember to close it when shutting down.

    @echo off
    rem Loop forever, aborting any pending shutdown once per second.
    :start
    rem Clear the command prompt window (optional).
    cls
    echo Shutting Down Cancel
    shutdown -a
    timeout /t 1
    goto start

The code is not resource intensive for modern computers and won't show up in virus scanners, 'cause it's not a virus =D

PathToLife
16

You can disable this by either disabling the Remote Registry service or removing all other access to shutdown.

Disable Remote Registry:

sc config "RemoteRegistry" start= disabled

Shutdown location:

C:\Windows\System32\shutdown.exe


Warnings:

Removing access to shutdown.exe will result in some unexpected results when doing any system tasks which involve resets, etc.

As for Remote Registry:

Disabling the RemoteRegistry service will break most patch management solutions including the Software Update Service and Windows Automated Update. If you disable this service, you will have to perform patch management manually.

-Brian Groth's Life at Microsoft

50-3
  • 1
    Uh ... in this scenario, the other user is running the copy of `shutdown.exe` on their own machine, not the one on the machine being targeted. So deleting your copy really isn't going to help. – Harry Johnston Feb 17 '14 at 23:03
  • @HarryJohnston If you remove your colleague's access to shutdown it works – 50-3 Feb 17 '14 at 23:06
  • ... and what's supposed to stop them from downloading another copy, or any program with similar functionality? – Harry Johnston Feb 17 '14 at 23:08
  • What's stopping you from walking over to his desk and flipping the AC/DC switch? there is no way of 100% stopping this behaviour – 50-3 Feb 17 '14 at 23:50
  • 4
    No, but this option seems particularly ineffective to me. And if you consider the big picture, messing with the other guy's computer probably isn't a good idea, as it's only going to escalate things, and it makes you look bad if and when management get involved. – Harry Johnston Feb 18 '14 at 00:01
  • I agree this is ineffective as technical solutions to social problems rarely work that well. – 50-3 Feb 18 '14 at 00:12
12

From TechNet:

In order to use this feature, the Remote Registry service must be enabled on the remote computer. See Enable the Remote Registry Service for more information.

Access to the Remote Registry or membership in the Administrators group on the remote computer is the minimum required to complete this procedure.

cobbbob
11

You could add the following into a file, say, C:\kill-shutdown.ps1, then put the file into the group policy: Local Computer Policy > Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Shutdown

if ((test-path C:\allow-shutdown.txt) -ne $True) { shutdown -a }

Then, if C:\allow-shutdown.txt doesn't exist, it will abort ALL shutdowns.

Yet Another User
10

Remove him from the ipc$ share of your computer:

  • Open Computer Management.
  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  • In the console tree, click System Tools, click Shared Folders, and then click Shares.
  • In the details pane, right-click the shared folder, and then click Properties.
  • On the Share Permissions tab, set the permissions you want:
  • Add him as user with no rights.
RedBug