Command Prompt opening when connecting to RemoteApp using .RDP file

Hopefully someone can help with this one. Server 2012 R2 with RDS. When connecting internally or externally to the RemoteApp, the command prompt of the RemoteApp server opens up just before launching the requested app. This is a major security risk as you can imagine. This only happens during the initial connection of RemoteApp and Desktop Connections. You can close the RDP window, leaving the RADC connected, and relaunch the RDP with no problems, so it has to be the RADC connection in my mind. I have checked the server for viruses, verified the RDP file connection string, re-published the RemoteApp, checked IIS for possible exploits, etc. Any assistance will be greatly appreciated.

Thank you
hardintech (FOM) Asked:
hardintech (FOM, Author) Commented:
Looks like the server was exploited.  Following Coralon's recommendation, I went through and filtered the CMD.exe process in ProcMon and found the attached string.  After research, I found the exploit.  I deleted the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution\sethc.exe key, logged off, and tested.  

Thank you all for your suggestions.
[Attachment: Capture2.JPG]
0
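The resolution above is the classic accessibility-binary hijack: an Image File Execution Options (IFEO) Debugger value on sethc.exe makes Windows launch another program (here cmd.exe) when Sticky Keys is triggered, which is reachable from the RDP logon screen. The following PowerShell is an added audit script, not code from this thread; it uses the full key name "Image File Execution Options" (the post's path shortens it), the list of accessibility binaries is an assumption, and it only removes a Debugger value when run with -Remediate.

```powershell
# Added example: audit IFEO Debugger values on accessibility binaries that can be
# launched before logon, and verify the on-disk binaries are still Microsoft-signed
# (the other variant of this trick swaps the executable itself). Run elevated on the RDS host.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Assumed list of accessibility tools reachable from the secure desktop; extend as needed.
$Accessibility = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe','atbroker.exe'

function Get-IfeoDebugger {
    param([string[]]$ImageName = $Accessibility)
    foreach ($name in $ImageName) {
        $key = Join-Path $IfeoRoot $name
        if (-not (Test-Path $key)) { continue }
        # Any Debugger value here means $name never runs on its own; the named program does.
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $name; Key = $key; Debugger = $dbg } }
    }
}

function Test-AccessibilityBinary {
    param([string[]]$ImageName = $Accessibility)
    foreach ($name in $ImageName) {
        $path = Join-Path "$env:SystemRoot\System32" $name
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        # A replaced binary typically shows NotSigned or a non-Microsoft signer.
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
        }
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Key, [switch]$Remediate)
    if ($Remediate) {
        # Remove only the Debugger value; other IFEO values under the key are left alone.
        Remove-ItemProperty -Path $Key -Name 'Debugger' -ErrorAction Stop
        Write-Output "Removed Debugger value from $Key"
    } else {
        Write-Output "Would remove Debugger value from $Key (re-run with -Remediate)"
    }
}

$hits = Get-IfeoDebugger
if (-not $hits) { Write-Output 'No IFEO Debugger values on accessibility binaries.' }
foreach ($h in $hits) {
    Write-Warning "IFEO hijack candidate: $($h.Image) -> $($h.Debugger)"
    Remove-IfeoDebugger -Key $h.Key
}
Test-AccessibilityBinary | ForEach-Object { Write-Warning "Unexpected signature on $($_.Path): $($_.Status) / $($_.Signer)" }
```

Once cleaned up, monitoring writes under the IFEO key (for example with Sysmon registry events or auditing on that key) gives early warning if the value is set again.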
 
NVIT Commented:
Possibly your requested app is using a CMD /k which keeps the CMD window open, instead of CMD /c?
0
 
hardintech (FOM, Author) Commented:
Thanks for your response.  I don't see where CMD would come into play at all.  The RemoteApp is Quickbooks, and CMD is not published nor in the RDP connection settings.
0
Michael Pfister Commented:
It can be a logon script that leaves a command window open, or something in the user's or server's "Run" key.
Does this happen for all users?
0
 
Aaron Tomosky (SD-WAN Simplified) Commented:
Is it a .bat file launching QB?
0
 
hardintech (FOM, Author) Commented:
Hi Guys,
Thanks for the responses. Yes, it happens to all users; I've checked all logon and startup locations. The published app is the actual executable of the program. Again, this only happens when they first get connected to the RemoteApp and Desktop Connections. If they close the QB RemoteApp window, they stay connected to RemoteApp and Desktop Connections. When they relaunch the RDP, the QB RemoteApp comes up without the CMD window. So, this has to be something with the initial connection to the RemoteApp and Desktop Connections.

Thanks again
0
 
Coralon Commented:
Have you checked the Usrlogon.cmd structure? This is one of the most common sources of "random" command prompts: https://www.experts-exchange.com/articles/9235/How-USRLOGON-CMD-processing-works.html

If that is the case, you should be able to locate the call to the batch file/cmd file and replace it with an equivalent vbscript and eliminate the popup window.

Coralon
1
 
hardintech (FOM, Author) Commented:
That is a very good idea, and something I haven't checked. I have gone through it and the other referenced CMD scripts and am not seeing what would call a blank CMD window. Maybe I am missing something. This looks very standard to me. Your thoughts?

@Echo Off

Call "%SystemRoot%\Application Compatibility Scripts\SetPaths.Cmd"
If "%_SETPATHS%" == "FAIL" Goto Done

Rem
Rem This is for those scripts that don't need the RootDrive.
Rem

If Not Exist "%SystemRoot%\System32\Usrlogn1.cmd" Goto cont0
Cd /d "%SystemRoot%\Application Compatibility Scripts\Logon"
Call "%SystemRoot%\System32\Usrlogn1.cmd"

:cont0

Rem
Rem Determine the user's home directory drive letter.  If this isn't
Rem set, exit.
Rem

Cd /d %SystemRoot%\"Application Compatibility Scripts"
Call RootDrv.Cmd
If "A%RootDrive%A" == "AA" End.Cmd

Rem
Rem Map the User's Home Directory to a Drive Letter
Rem

Net Use %RootDrive% /D >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
if ERRORLEVEL 1 goto SubstErr
goto AfterSubst
:SubstErr
Subst %RootDrive% /d >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
:AfterSubst

Rem
Rem Invoke each Application Script.  Application Scripts are automatically
Rem added to UsrLogn2.Cmd when the Installation script is run.
Rem

If Not Exist %SystemRoot%\System32\UsrLogn2.Cmd Goto Cont1

Cd Logon
Call %SystemRoot%\System32\UsrLogn2.Cmd

:Cont1

:Done
0
 
hardintech (FOM, Author) Commented:
I also see this in the registry under AlternateShells:

cmd.exe /c "cd /d "%USERPROFILE%" & start cmd.exe /k runonce.exe /AlternateShellStartup"
0
 
Coralon Commented:
That's 100% normal. Do you have a usrlogn1.cmd or usrlogn2.cmd in c:\windows\system32?

Coralon
0
 
hardintech (FOM, Author) Commented:
No, we don't. Just usrlogn.cmd.
0
 
Coralon Commented:
Ok, then it is definitely not one of those that is triggering the cmd prompt.
Since you aren't using the usrlogon structure, try removing it from the registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The AppSetup value will contain an entry for usrlogon.cmd; just delete that entry (it won't hurt anything since you aren't using it). And then of course re-verify whether the cmd prompt is still coming up at logon.

The next thing to do is look at your automatically running objects. Use Sysinternals Autoruns, which will show you everything that is configured to start automatically. Look for anything that is non-Windows, especially anything tied to QuickBooks. It's possible that something is running for QB that is configuring something for the user profile?

Coralon
0
 
hardintech (FOM, Author) Commented:
Hi Coralon,

I have removed that entry and there is no change. I also looked through Autoruns, and everything looks normal. I did remove a few of the QB programs running at startup, like Sync Manager, etc. Still the same issue.
0
 
Coralon Commented:
Ok, then the next step is to set up ProcMon to record a full login session to catch everything that runs, and then start eliminating things piece by piece. It will be long and tedious, but there will be something in there that triggers that cmd prompt. :-\

Coralon
0
 
hardintech (FOM, Author) Commented:
You're right. It's going to be something simple that I overlooked, like a checkbox somewhere :) Here is the task manager of a user as they log in to the RemoteApp. You can end the Console Window Host or the Windows Command Processor and the CMD window disappears. I just can't find what's calling them.
[Attachment: Capture.JPG]
0
 
hardintech (FOM, Author) Commented:
Found the resolution with the help of an expert's process.
0
Question has a verified solution.