Spying on your boss made easy ... courtesy of Microsoft SCCM

Update 30.08.: A decision was made as to what to do about this issue. The SCCM client will be monitoring the registry keys, as a form of a watchdog service, and will report any machines where modifications are made to a group of administrators via mail.

Update 29.08.: Apparently "mstsc.exe" offers the same functionality, I was told. Add a DWORD called "shadow" under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" and set the value to "2". After that you should be able to use the following command:

    mstsc.exe /shadow:<session ID> /control /noConsentPrompt /v:<remote machine>

This way the user will not even see a flickering mouse cursor. The only way to tell that someone is watching you like this is by checking the task manager and looking for the RDP processes.
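A defensive check for the registry value from the 29.08. update, in the spirit of the watchdog mentioned in the 30.08. update. This is an added example, not part of the original post and not the SCCM watchdog itself. The function name and output fields are hypothetical; the value meanings are those of the Group Policy setting "Set rules for remote control of Remote Desktop Services user sessions".

```powershell
# Added example: audit the RDS shadowing policy value described in the post.
# Get-ShadowPolicyState and its output fields are hypothetical names;
# the key path and value name are the ones given in the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Meaning of the "Shadow" policy values.
$ShadowModes = @{
    0 = 'No remote control allowed'
    1 = 'Full control with user permission'
    2 = 'Full control without user permission'
    3 = 'View session with user permission'
    4 = 'View session without user permission'
}

function Get-ShadowPolicyState {
    param([string]$Key = $PolicyKey)

    $prop = Get-ItemProperty -Path $Key -Name 'Shadow' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Key or value absent: no policy override is configured.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Value = $null
            Mode = 'Not configured'; Silent = $false
        }
    }

    $value = [int]$prop.Shadow
    $mode  = if ($ShadowModes.ContainsKey($value)) { $ShadowModes[$value] } else { 'Unknown value' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        Mode     = $mode
        # 2 and 4 suppress the consent prompt, which is the case the post describes.
        Silent   = $value -in 2, 4
    }
}

$state = Get-ShadowPolicyState
$state | Format-List
if ($state.Silent) {
    Write-Warning "Shadowing without user consent is enabled on $($state.Computer)"
    exit 1   # non-zero exit so a scheduled task or compliance job can flag the machine
}
```

Run it from an elevated or standard PowerShell session on the machine to be checked; the key is readable without admin rights on a default installation.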

Ever wanted to know what your boss is doing all day long? Are you using Microsoft SCCM for operating system and software deployment and do you have local admin privileges on your boss' computer? Then you are in luck!

This is basically a direct continuation of the "Unusual Microsoft remote assistance slowdown" story and even ties into the "VNC Heisenbug" to a degree.

But from the start ...


The VNC Heisenbug

Update 16.07.: Apparently the VNC viewer also works when I copy the executable to a folder on the local system, rather than executing it from the desktop which is located on a network share. It will also work while on the desktop when I give the user full access to the entire home share (\\<server>\benutzer\home\). Giving him full access rights to just his own home directory (\\<server>\benutzer\home\<department>\<user>) results in the VNC viewer still failing with the "getaddinfo" error.

Two of our departments recently got a new number ticket system. You press a button on a touch panel and get a ticket with a number on it. When that number is called, you proceed to the counter.

The company that delivered the new system pre-installed VNC (at this point I only knew it was *some-kind-of* VNC, later I found out it was a TightVNC server) on the machines responsible for displaying the button to request a new ticket and printing the ticket, and on the machines responsible for showing which numbers are up next.


Unusual Microsoft remote assistance slowdown

Back in March 2017 our department was getting increasing numbers of complaints about abnormally slow remote assistance connections ... not from our users, but from co-workers in the other IT sub-departments. We are using the Microsoft Windows Remote Assistance tool (msra.exe) for when we need to help a user with a problem.

And when I say "slow", I mean _slow_. The lag between input and output easily reached over 1 minute, which made working like that impossible.