Hack 76 Find Computers with Automatic logon Enabled


Having automatic logon enabled on a computer
can be a security risk. Here's a quick way to find
out which machines on your network have automatic logon enabled.
While enabling automatic logon
[Hack #4] in Chapter 1 can be
useful in certain scenarios, such as a test network, it can also be a
security risk, especially if it is enabled on a computer without the
administrator's knowledge. Here is a quick and dirty
way to locate all machines that have automatic logon enabled in their
Registry.
You'll need the following tools:
The regfind.exe utility, which is
available
from the Windows NT/2000 resource kits.
A list of machines to search, which can be obtained in many different
ways (including an SMS report, server manager, etc.). The list should
be a plain text file named serverlist.txt in the
following format:
server1
server2
server3
server4
etc...
A user account that has administrative rights to the Registry on the
machines being queried. Typically, a domain administrator account
will work just fine.
Create a batch file that will use the provided list and kick off
regfind. For this we will use the
FOR DOS command (all on one linetext is
wrapped here to fit the constraints of the page):
for /F %%A in (serverlist.txt) do (regfind.exe -m \\%%A -p "hkey_local_machine\
softwaremicrosoft\windows nt\currentversion\
winlogon" -n "Autoadminlogon" >results.txt)
You can see that we are simply parsing the serverlist.txt
file for each server name, then instructing
regfind to locate that
Registry key. There are two caveats, though. First, the results can
be hard to read while the search is going on. It is recommended that
you pipe the results to a text file (the preceding example does
this). Second, regfind is case-sensitive. This can
make the search a bit longer, but it's still fairly
easy. Instead of just a one-line batch file, you simply have a few
more (almost identical) lines. A larger sample of the completed batch
file looks something like this (again, all on one linebeware
of line wrap):
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"Autoadminlogon" >results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"AutoadminLogon" >results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"AutoAdminlogon" >results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"AutoAdminLogon" >results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"autoAdminlogon" >results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"autoadminlogon" >results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"autoAdminLogon" >results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A
-p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n
"autoadminLogon" >results.txt)
Using this method, you can scan a select list of workstations/servers
for this key fairly quickly.
Hacking the Hack
This procedure can easily be modified to find out other Registry keys
as well, simply by changing the key name to search for. Enjoy!
Donnie Taylor