#1
Weirdo 7 reset user/password by itself
Hi, I have a terminal installed at a hotel that somehow resets itself!
It's a Windows 7 POSReady embedded.
It's a custom image build that's deployed in hundreds of devices, maybe thousands, around for years without issues, and all from the same image.
Some time ago, the staff called me and asked about the password for Windows.
(It has no password prompt at login at all...)
The Windows image is built with an "administrator" account and auto-logon.
I suspect (and found some data in the Windows log) that they had a power failure, so two computers had entries with abnormal shutdown. The XP version was OK, but this Win7 had suddenly logged out at next boot.
This is the background of Event A:
1. Instead, the suggested user at the welcome/login screen was "user"
(administrator not even listed!)
2. No such password worked.
3. So the Windows 7 machine could not boot in safe mode, last config or anything.
And because it's an image, no local restoration partition exists. I couldn't do shit.
The login screen just started with the weird "user" and prompted for a password.
4. The machine did reply to ping, though, from the LAN.
5. But I could not browse it from computer2 through SMB:
\\computer
\\computer\c$
6. I then made some attempts with psexec from the XP machine on the same network.
Maybe I didn't handle the tool right, but all sorts of attempts failed:
psexec \\computer -u remote\administrator
All sorts of commands were either not working or not allowed.
7. But the XP machine could run a payment application that runs on the machine (!).
The database (MySQL) somehow worked, because the XP machine is just a slave and connects to the master IP address. And MySQL allows this at port 1433.
No luck. Maybe if I had some VNC server running on the machine it could be interesting.
Like, what is actually running? Telnet... but at this point I was so locked out.
Not even the powerful psexec tool could alter it.
8. Then I had to do the utilman trick, with no time for fooling around.
So I accessed cmd at the login screen and typed:
net users
net user administrator *
And got back in. A new password was set.
--------------------------- Now, a few months later, the same thing happened ------- Event B
So I did the utilman password hack again.
This time I also had to choose another user and type administrator + the password.
Login.
Go to Control Panel/Users/delete password.
But wtf is this?
Why does this happen?
How can I stop this from happening?
Are there any log files or traces?
Virus?
(It has a local AV, and it's a pretty closed network.)
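Added example, not part of the original post: a defender's checklist in PowerShell for the log traces the post asks about (account changes, unexpected shutdowns) and for a tampered logon-screen accessibility tool, which is the route the poster had to use and which anyone else at the keyboard could use too. It assumes an elevated PowerShell 4.0+ session on the affected Windows 7 terminal (Get-FileHash needs 4.0) and that "Audit User Account Management" was enabled; the 90-day window is an arbitrary choice.

```powershell
# Added example, not from the original post. Run elevated on the affected terminal.
# Assumes PowerShell 4.0+ (Get-FileHash). $Days is an arbitrary look-back window.
param([int]$Days = 90)
$since = (Get-Date).AddDays(-$Days)

# 1. Account-management events in the Security log. If nothing comes back, either
#    nobody touched accounts or auditing was off on the image; the second is itself
#    a finding. 4720 = account created, 4722 = enabled, 4724 = password reset
#    attempt, 4726 = deleted, 4732 = added to a local group, 4738 = account changed.
$ids = 4720, 4722, 4724, 4726, 4732, 4738
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$ids; StartTime=$since} `
    -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message

# 2. Unexpected shutdowns (System log 6008) to line up against the suspected
#    power failure and the date the logon screen changed.
Get-WinEvent -FilterHashtable @{LogName='System'; Id=6008; StartTime=$since} `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 3. Accessibility-tool hijack check. A utilman.exe/sethc.exe that is really a copy
#    of cmd.exe, or an IFEO "Debugger" value pointing at it, hands a SYSTEM shell to
#    whoever stands at the logon screen. Hash equality with cmd.exe is one cheap
#    heuristic; "sfc /verifyonly" is the authoritative integrity check.
$sys32   = "$env:windir\System32"
$cmdHash = (Get-FileHash "$sys32\cmd.exe" -Algorithm SHA256).Hash
foreach ($tool in 'utilman.exe','sethc.exe','osk.exe','narrator.exe','magnify.exe') {
    $path = Join-Path $sys32 $tool
    if (Test-Path $path) {
        $h = (Get-FileHash $path -Algorithm SHA256).Hash
        if ($h -eq $cmdHash) { Write-Warning "$tool has the same hash as cmd.exe (replaced?)" }
    }
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$tool"
    $dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Warning "IFEO Debugger set for ${tool}: $dbg" }
}

# 4. Which local accounts exist now (is "user" one of them, and since when is it
#    enabled?) and whether auto-logon still names the account the image was built with.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, PasswordRequired, SID | Format-Table -AutoSize
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object AutoAdminLogon, DefaultUserName
```

Because the Security log on an embedded image is often small and wraps quickly, run the script soon after the next occurrence, or raise the log size and forward it off the box; on a device that never prompts for a password, the 4724/4738 entries are the only record of who changed what.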