Solved

Command Prompt opening when connecting to RemoteApp using .RDP file

Posted on 2016-10-14
16
46 Views
Last Modified: 2016-10-29
Hopefully someone can help with this one.  Server 2012 R2 with RDS.  When connecting internally or externally to the RemoteApp, the command prompt of the RemoteApp server opens up just before launching the requested app.  This is a major security risk as you can imagine.  This only happens during the initial connection of RemoteApp and Desktop Connections.  You can close the RDP window, leaving the RADC connected, and relaunch the RDP with no problems, so it has to be the RADC connection in my mind.  I have checked the server for viruses, verified the RDP file connection string, re-published the RemoteApp, checked IIS for possible exploits, etc.  Any assistance will be greatly appreciated.

Thank you
0
Question by:hardintech
16 Comments
 
LVL 23

Expert Comment

by:NVIT
Possibly your requested app is using a CMD /k which keeps the CMD window open, instead of CMD /c?
0
 

Author Comment

by:hardintech
Thanks for your response.  I don't see where CMD would come into play at all.  The RemoteApp is Quickbooks, and CMD is not published nor in the RDP connection settings.
0
 
LVL 28

Expert Comment

by:Michael Pfister
Can be a logon script that leaves a command window open or something in the users or servers "Run" key.
Does this happen for all users?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
Is it a .bat file launching QB?
0
 

Author Comment

by:hardintech
Hi Guys,
Thanks for the responses.  Yes, it happens to all users; I've checked all logon and startup locations.  The published app is the actual executable of the program.  Again, this only happens when they first get connected to the RemoteApp and Desktop Connections.  If they close the QB RemoteApp window, they stay connected to RemoteApp and Desktop Connections.  When they relaunch the RDP, the QB RemoteApp comes up without the CMD window.  So, this has to be something with the initial connection to the RemoteApp and Desktop Connections.

Thanks again
0
 
LVL 23

Expert Comment

by:Coralon
Have you checked the Usrlogon.cmd structure?  This is one of the most common sources of "random" command prompts.  https://www.experts-exchange.com/articles/9235/How-USRLOGON-CMD-processing-works.html.

If that is the case, you should be able to locate the call to the batch file/cmd file and replace it with an equivalent vbscript and eliminate the popup window.

Coralon
1
 

Author Comment

by:hardintech
That is a very good idea, and something I haven't checked.  I have gone through it and the other referenced CMD scripts and am not seeing what would call a blank CMD window.  Maybe I am missing something.  This looks very standard to me.  Your thoughts?

@Echo Off

Call "%SystemRoot%\Application Compatibility Scripts\SetPaths.Cmd"
If "%_SETPATHS%" == "FAIL" Goto Done

Rem
Rem This is for those scripts that don't need the RootDrive.
Rem

If Not Exist "%SystemRoot%\System32\Usrlogn1.cmd" Goto cont0
Cd /d "%SystemRoot%\Application Compatibility Scripts\Logon"
Call "%SystemRoot%\System32\Usrlogn1.cmd"

:cont0

Rem
Rem Determine the user's home directory drive letter.  If this isn't
Rem set, exit.
Rem

Cd /d %SystemRoot%\"Application Compatibility Scripts"
Call RootDrv.Cmd
If "A%RootDrive%A" == "AA" End.Cmd

Rem
Rem Map the User's Home Directory to a Drive Letter
Rem

Net Use %RootDrive% /D >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
if ERRORLEVEL 1 goto SubstErr
goto AfterSubst
:SubstErr
Subst %RootDrive% /d >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
:AfterSubst

Rem
Rem Invoke each Application Script.  Application Scripts are automatically
Rem added to UsrLogn2.Cmd when the Installation script is run.
Rem

If Not Exist %SystemRoot%\System32\UsrLogn2.Cmd Goto Cont1

Cd Logon
Call %SystemRoot%\System32\UsrLogn2.Cmd

:Cont1

:Done
0
 

Author Comment

by:hardintech
I also see this in the registry under AlternateShells:

cmd.exe /c "cd /d "%USERPROFILE%" & start cmd.exe /k runonce.exe /AlternateShellStartup"
0

 
LVL 23

Expert Comment

by:Coralon
That's 100% normal.. do you have a usrlogn1.cmd or usrlogn2.cmd in c:\windows\system32?

Coralon
0
 

Author Comment

by:hardintech
No we don't.  Just usrlogn.cmd
0
 
LVL 23

Expert Comment

by:Coralon
Ok, then it is definitely not one of those that is triggering the cmd prompt..
Since you aren't using the usrlogon structure, try removing it from the registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The AppSetup value will contain an entry for usrlogon.cmd - just delete that entry (it won't hurt anything since you aren't using it).  And then of course re-verify that the cmd prompt is still coming up at logon.

The next thing to do is look at your automatically running objects.. use SysInternals Autoruns, which will show you everything that is configured to automatically start.  Look for anything that is non-Windows.. especially anything tied to QuickBooks.. it's possible that something is running for QB that is configuring something for the user profile?

Coralon
0
 

Author Comment

by:hardintech
Hi Coralon,

I have removed that entry and no change.  I also looked through the autoruns, and everything looks normal.  I did remove a few of the QB programs running at startup like sync manager, etc.  Still the same issue.
0
 
LVL 23

Assisted Solution

by:Coralon
Coralon earned 500 total points
Ok.. then the next step is to set up ProcMon to record a full login session to catch everything that runs, and then start eliminating things piece by piece.  It will be long and tedious.. but there will be something in there that triggers that cmd prompt. :-\

Coralon
0
 

Author Comment

by:hardintech
You're right.  It's going to be something simple that I overlooked, like a checkbox somewhere :)  Here is the task manager of a user as they log in to the RemoteApp.  You can end the Console Window Host or the Windows Command Processor and the CMD window disappears.  I just can't find what's calling them.
Capture.JPG
0
 

Accepted Solution

by:
hardintech earned 0 total points
Looks like the server was exploited.  Following Coralon's recommendation, I went through and filtered the CMD.exe process in ProcMon and found the attached string.  After research, I found the exploit.  I deleted the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution\sethc.exe key, logged off, and tested.  

Thank you all for your suggestions.
Capture2.JPG
0
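The key the asker deleted sits under Image File Execution Options (the post abbreviates the name). A Debugger value there tells Windows to start the named program in place of the target executable, and because Winlogon launches sethc.exe (Sticky Keys) from the logon screen, a Debugger on it is a well-known backdoor and persistence technique (MITRE ATT&CK T1546.008, Accessibility Features). In this thread it surfaced as the cmd.exe console that appeared on every initial RADC connection. The script below is an added example for auditing a host for this, not code from the thread or from Microsoft: it checks the accessibility executables for an IFEO Debugger value, verifies the binaries on disk have not been swapped (the other common variant of the same trick), and lists the Winlogon AppSetup scripts Coralon mentioned. The executable list and the export location under $env:TEMP are my assumptions; run it elevated on the RDS host.

```powershell
# Added example (not from the thread): audit the persistence locations discussed above.
# Assumptions: elevated PowerShell 4.0+ on the RDS host; the Targets list below is mine,
# chosen because Winlogon can start each of these from the logon screen as SYSTEM.

function Get-AccessibilityIfeoDebugger {
    [CmdletBinding()]
    param(
        [string[]]$Targets = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                               'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
    )
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($target in $Targets) {
        $key = Join-Path $ifeoRoot $target
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $debugger = (Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            # Nothing legitimate attaches a debugger to sethc.exe on a production RDS host,
            # so any value here is a finding regardless of what it points at.
            [pscustomobject]@{ Target = $target; Key = $key; Debugger = $debugger }
        }
    }
}

function Test-AccessibilityBinary {
    # The other variant of this technique overwrites the accessibility binary itself,
    # so confirm the file on disk is what it claims to be.
    param([string[]]$Names = @('sethc.exe', 'utilman.exe'))
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        [pscustomobject]@{
            Path             = $path
            OriginalFilename = $file.VersionInfo.OriginalFilename            # expect it to match $name
            SignatureStatus  = (Get-AuthenticodeSignature -FilePath $path).Status   # expect 'Valid'
            SHA256           = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

function Get-WinlogonAppSetup {
    # AppSetup is a comma-separated list of scripts Winlogon runs at logon (usrlogon.cmd by default).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -LiteralPath $winlogon -Name AppSetup -ErrorAction SilentlyContinue).AppSetup
    if ($value) { ($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
}

# --- usage ---
$hits = @(Get-AccessibilityIfeoDebugger)
if ($hits.Count -eq 0) {
    Write-Host 'No Debugger values found on accessibility executables.'
} else {
    $hits | Format-Table -AutoSize
    foreach ($hit in $hits) {
        # Preserve the key as evidence before touching it (reg.exe wants HKLM\ rather than HKLM:\).
        $regKey = $hit.Key -replace '^HKLM:\\', 'HKLM\'
        reg.exe export $regKey (Join-Path $env:TEMP "ifeo-$($hit.Target).reg") /y | Out-Null
        # Remediation removes only the Debugger value; drop -WhatIf once the finding is confirmed.
        Remove-ItemProperty -LiteralPath $hit.Key -Name Debugger -WhatIf
    }
}
Test-AccessibilityBinary | Format-List
Get-WinlogonAppSetup
```

A Debugger value on these executables is a finding on its own; the asker's ProcMon filter on cmd.exe found the same thing by observing the effect rather than the cause. For ongoing detection, Sysmon registry events (Event ID 13, RegistryEvent value set) filtered on the Image File Execution Options path, or an equivalent alert from whatever endpoint agent is in use, catch the value being written rather than waiting for a console to appear on someone's desktop. Also consider how the value got there: an attacker with write access to HKLM had administrative rights on the host, so the fix is not complete until the credentials and the entry path used for that access have been reviewed.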
 

Author Closing Comment

by:hardintech
Found the resolution with the help of an expert's process.
0
