... until the collector arrives ...

This "blog" is really just a scratchpad of mine. There is not much of general interest here. Most of the content is scribbled down "live" as I discover things I want to remember. I rarely go back to correct mistakes in older entries. You have been warned :)

2016-08-15

Windows RDP vs. Password Changes

On Windows, there is an obscure security policy that prohibits changing one's password for the first time through Remote Desktop. Normally, one can type CTRL-ALT-DEL to bring up a menu that, among other things, allows a password change. When logged in remotely using RDP, the key chord is CTRL-ALT-END. However, Windows can detect this situation, and if the very first password change is attempted after using CTRL-ALT-END then it will be rejected as "access denied". There is a work-around, though:

  1. Bring up the onscreen keyboard (OSK.EXE).
  2. Type CTRL-ALT using the regular keyboard.
  3. Press DEL on the onscreen keyboard.
  4. The password change function will now operate normally (i.e. no "access denied").

This is helpful on virtual machines where remote access is the only possibility. The purpose of this strange security policy remains unclear.

Windows Event Logs: Command-line Access

The following Windows command will extract events from the Security log on the machine somehost provided those events have the ID 4624 (login) and are for the user someuser:

wevtutil ^
  query-events ^
  /r:somehost ^
  Security ^
  /q:"Event[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='someuser']]"

The query syntax is described as being XPath that operates upon the XML representation of the events. Beware that it is actually a weird subset of XPath that does not recognize ., .., /, or //. Also, the generated XML results are free-standing fragments for each event (i.e. not wrapped by a parent element and thus not well-formed XML).
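Because the output is a run of sibling <Event> fragments with no root element, a standard XML parser rejects it as-is. The following Python is an added example (not from this blog) showing one way to handle that: build the same /q: filter string used above, wrap the raw wevtutil output in a synthetic root before parsing, and pull out the fields of interest. The two-event SAMPLE_OUTPUT is constructed here to look like wevtutil's default XML output for the filter above; the host name, user name, timestamps and addresses in it are invented, and the Windows event XML namespace and the LogonType 10 (RemoteInteractive, i.e. RDP) value are real.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows Event Log XML schema (real value).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_query(event_id, target_user):
    """Build the /q: filter in the shape the page uses (EventID + TargetUserName)."""
    return ("Event[System[EventID={}] and "
            "EventData[Data[@Name='TargetUserName']='{}']]").format(event_id, target_user)


def is_well_formed(raw):
    """True only if the text is a single well-formed XML document."""
    try:
        ET.fromstring(raw)
        return True
    except ET.ParseError:
        return False


def parse_wevtutil_xml(raw):
    """Parse the concatenated <Event> fragments that `wevtutil qe` prints.

    wevtutil emits one <Event> element per record with no enclosing root,
    so we wrap the whole output in a synthetic <Events> root first.
    """
    root = ET.fromstring("<Events>" + raw + "</Events>")
    events = []
    for ev in root.findall("e:Event", EVT_NS):
        system = ev.find("e:System", EVT_NS)
        record = {
            "EventID": int(system.findtext("e:EventID", namespaces=EVT_NS)),
            "Computer": system.findtext("e:Computer", namespaces=EVT_NS),
            "TimeCreated": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
        }
        # Every <Data Name='...'> child of <EventData> becomes a key in the record.
        for data in ev.findall("e:EventData/e:Data", EVT_NS):
            record[data.get("Name")] = data.text
        events.append(record)
    return events


def remote_interactive(events):
    """Keep only logons whose LogonType is 10 (RemoteInteractive, i.e. RDP)."""
    return [e for e in events if e.get("LogonType") == "10"]


# Constructed sample of wevtutil output for the page's filter: two 4624 events
# for 'someuser', one over RDP (LogonType 10) and one network logon (LogonType 3).
SAMPLE_OUTPUT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID>"
    "<TimeCreated SystemTime='2016-08-15T10:00:00.000000000Z'/>"
    "<Computer>somehost</Computer></System>"
    "<EventData><Data Name='TargetUserName'>someuser</Data>"
    "<Data Name='LogonType'>10</Data>"
    "<Data Name='IpAddress'>192.0.2.10</Data></EventData></Event>\r\n"
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID>"
    "<TimeCreated SystemTime='2016-08-15T10:05:00.000000000Z'/>"
    "<Computer>somehost</Computer></System>"
    "<EventData><Data Name='TargetUserName'>someuser</Data>"
    "<Data Name='LogonType'>3</Data>"
    "<Data Name='IpAddress'>192.0.2.20</Data></EventData></Event>\r\n"
)


if __name__ == "__main__":
    print("filter:", build_query(4624, "someuser"))
    print("raw output well-formed?", is_well_formed(SAMPLE_OUTPUT))
    for e in remote_interactive(parse_wevtutil_xml(SAMPLE_OUTPUT)):
        print(e["TimeCreated"], e["TargetUserName"], "from", e["IpAddress"])
```

In practice the raw text would come from something like `wevtutil qe Security /r:somehost /q:"..." > events.xml` and then be read from that file; parsing it with the wrapper avoids the "junk after document element" error a strict parser raises on the unwrapped fragments.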
