Solved

Command Prompt opening when connecting to RemoteApp using .RDP file

Posted on 2016-10-14
Last Modified: 2016-10-29
Hopefully someone can help with this one. Server 2012 R2 with RDS. When connecting internally or externally to the RemoteApp, the command prompt of the RemoteApp server opens up just before launching the requested app. This is a major security risk, as you can imagine. This only happens during the initial connection of RemoteApp and Desktop Connections. You can close the RDP window, leaving the RADC connected, and relaunch the RDP with no problems, so it has to be the RADC connection in my mind. I have checked the server for viruses, verified the RDP file connection string, re-published the RemoteApp, checked IIS for possible exploits, etc. Any assistance will be greatly appreciated.

Thank you
Question by:hardintech
16 Comments
 
LVL 24

Expert Comment

by:NVIT
ID: 41844413
Possibly your requested app is using a CMD /k which keeps the CMD window open, instead of CMD /c?
0
 

Author Comment

by:hardintech
ID: 41844419
Thanks for your response.  I don't see where CMD would come into play at all.  The RemoteApp is Quickbooks, and CMD is not published nor in the RDP connection settings.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 41853611
Can be a logon script that leaves a command window open, or something in the user's or server's "Run" key.
Does this happen for all users?
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 41853742
Is it a .bat file launching QB?
0
 

Author Comment

by:hardintech
ID: 41853880
Hi Guys,
Thanks for the responses. Yes, it happens to all users; I've checked all logon and startup locations. The published app is the actual executable of the program. Again, this only happens when they first get connected to the RemoteApp and Desktop Connections. If they close the QB RemoteApp window, they stay connected to RemoteApp and Desktop Connections. When they relaunch the RDP, the QB RemoteApp comes up without the CMD window. So, this has to be something with the initial connection to the RemoteApp and Desktop Connections.

Thanks again
0
 
LVL 25

Expert Comment

by:Coralon
ID: 41854581
Have you checked the Usrlogon.cmd structure?  This is one of the most common sources of "random" command prompts.  https://www.experts-exchange.com/articles/9235/How-USRLOGON-CMD-processing-works.html.

If that is the case, you should be able to locate the call to the batch file/cmd file and replace it with an equivalent vbscript and eliminate the popup window.

Coralon
1
 

Author Comment

by:hardintech
ID: 41854597
That is a very good idea, and something I haven't checked. I have gone through it and the other referenced CMD scripts and am not seeing what would call a blank CMD window. Maybe I am missing something. This looks very standard to me. Your thoughts?

@Echo Off

Call "%SystemRoot%\Application Compatibility Scripts\SetPaths.Cmd"
If "%_SETPATHS%" == "FAIL" Goto Done

Rem
Rem This is for those scripts that don't need the RootDrive.
Rem

If Not Exist "%SystemRoot%\System32\Usrlogn1.cmd" Goto cont0
Cd /d "%SystemRoot%\Application Compatibility Scripts\Logon"
Call "%SystemRoot%\System32\Usrlogn1.cmd"

:cont0

Rem
Rem Determine the user's home directory drive letter.  If this isn't
Rem set, exit.
Rem

Cd /d %SystemRoot%\"Application Compatibility Scripts"
Call RootDrv.Cmd
If "A%RootDrive%A" == "AA" End.Cmd

Rem
Rem Map the User's Home Directory to a Drive Letter
Rem

Net Use %RootDrive% /D >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
if ERRORLEVEL 1 goto SubstErr
goto AfterSubst
:SubstErr
Subst %RootDrive% /d >NUL: 2>&1
Subst %RootDrive% "%HomeDrive%%HomePath%"
:AfterSubst

Rem
Rem Invoke each Application Script.  Application Scripts are automatically
Rem added to UsrLogn2.Cmd when the Installation script is run.
Rem

If Not Exist %SystemRoot%\System32\UsrLogn2.Cmd Goto Cont1

Cd Logon
Call %SystemRoot%\System32\UsrLogn2.Cmd

:Cont1

:Done
0
 

Author Comment

by:hardintech
ID: 41854600
I also see this in the registry under AlternateShells:

cmd.exe /c "cd /d "%USERPROFILE%" & start cmd.exe /k runonce.exe /AlternateShellStartup"
0
 
LVL 25

Expert Comment

by:Coralon
ID: 41854831
That's 100% normal. Do you have a usrlogn1.cmd or usrlogn2.cmd in c:\windows\system32?

Coralon
0
 

Author Comment

by:hardintech
ID: 41857326
No we don't.  Just usrlogn.cmd
0
 
LVL 25

Expert Comment

by:Coralon
ID: 41857688
OK, then it is definitely not one of those that is triggering the cmd prompt.
Since you aren't using the usrlogon structure, try removing it from the registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The AppSetup value will contain an entry for usrlogon.cmd; just delete that entry (it won't hurt anything since you aren't using it). And then, of course, re-verify whether the cmd prompt is still coming up at logon.

The next thing to do is look at your automatically running objects. Use Sysinternals Autoruns, which will show you everything that is configured to start automatically. Look for anything that is non-Windows, especially anything tied to QuickBooks. It's possible that something is running for QB that is configuring something for the user profile?

Coralon
0
 

Author Comment

by:hardintech
ID: 41857709
Hi Coralon,

I have removed that entry and no change.  I also looked through the autoruns, and everything looks normal.  I did remove a few of the QB programs running at startup like sync manager, etc.  Still the same issue.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 500 total points
ID: 41857731
OK, then the next step is to set up ProcMon to record a full login session to catch everything that runs, and then start eliminating things piece by piece. It will be long and tedious, but there will be something in there that triggers that cmd prompt. :-\

Coralon
0
 

Author Comment

by:hardintech
ID: 41857735
You're right. It's going to be something simple that I overlooked, like a checkbox somewhere :) Here is the task manager of a user as they log in to the RemoteApp. You can end the Console Window Host or the Windows Command Processor and the CMD window disappears. I just can't find what's calling them.
Capture.JPG
0
 

Accepted Solution

by:hardintech
hardintech earned 0 total points
ID: 41857790
Looks like the server was exploited.  Following Coralon's recommendation, I went through and filtered the CMD.exe process in ProcMon and found the attached string.  After research, I found the exploit.  I deleted the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution\sethc.exe key, logged off, and tested.  

Thank you all for your suggestions.
Capture2.JPG
0
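The accepted solution above traced the stray cmd.exe to a key under Image File Execution Options (the full key name; the post abbreviates it as "Image File Execution") for sethc.exe. A Debugger value under that key makes Windows launch the named "debugger" whenever the executable is started, and since sethc.exe (Sticky Keys) runs from the logon screen, an attacker-planted Debugger value turns into a command prompt at every RDS logon. The following report-only PowerShell audit is an added example, not code from the thread or from any participant: it enumerates every IFEO subkey (64-bit and WOW6432Node), flags any Debugger value, rates entries on accessibility binaries as HIGH, and also prints the Winlogon AppSetup value that Coralon asked about. The watch-list of accessibility executables and the function names are assumptions of this example; run it in an elevated PowerShell session on the RDS host. Nothing is modified; removing a confirmed entry stays a manual step, as in the thread.

```powershell
# Added example (not from the thread): report-only audit of IFEO "Debugger"
# values and the Winlogon AppSetup value. Run elevated on the RDS host.

# Accessibility executables that run from the logon screen and are the usual
# targets of an IFEO hijack. This list is an assumption of the example; extend it.
$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

# Both IFEO roots: native 64-bit and the 32-bit WOW6432Node view.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerFindings {
    [CmdletBinding()]
    param(
        [string[]] $Paths     = $IfeoPaths,
        [string[]] $Watchlist = $AccessibilityBinaries
    )
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Only keys that carry a Debugger value are interesting; most IFEO
            # subkeys hold harmless settings such as DisableExceptionChainValidation.
            $debugger = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger `
                         -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            $exe = $key.PSChildName
            [pscustomobject]@{
                # -contains is case-insensitive in PowerShell, so 'SETHC.EXE' still matches.
                Severity   = if ($Watchlist -contains $exe) { 'HIGH' } else { 'REVIEW' }
                Executable = $exe
                Debugger   = $debugger
                KeyPath    = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
    }
}

function Get-WinlogonAppSetup {
    # The value Coralon pointed at: it lists scripts Winlogon runs at logon
    # (usrlogon.cmd by default on RDS hosts).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -LiteralPath $winlogon -Name AppSetup -ErrorAction SilentlyContinue).AppSetup
}

# Report. HIGH = Debugger set on an accessibility binary (almost never legitimate
# on a production RDS host); REVIEW = Debugger set elsewhere (may be a developer tool).
$findings = @(Get-IfeoDebuggerFindings)
if ($findings.Count -eq 0) {
    Write-Host 'No IFEO Debugger values found.'
} else {
    $findings | Sort-Object Severity, Executable | Format-Table -AutoSize
}

$appSetup = Get-WinlogonAppSetup
Write-Host ('Winlogon AppSetup: ' + $(if ($appSetup) { $appSetup } else { '<not set>' }))
```

A HIGH finding is the condition this thread ended on; a REVIEW finding needs a look at what the Debugger value actually points to, since legitimate developer tooling also uses IFEO. Once the host is clean, the same two locations are worth a registry SACL or an EDR/Sysmon registry rule so that the next write to an accessibility binary's IFEO key raises an alert instead of surfacing as a mystery command prompt weeks later.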
 

Author Closing Comment

by:hardintech
ID: 41865068
Found the resolution with the help of an expert's process.
0
