This might sound weird. My colleague and I were working on a Windows machine. He frequently shuts it down through the LAN.
He usually follows these steps:
shutdown -i.
Unfortunately, I cannot disable remote access to my computer. Is there a way to prevent this?
You are seeking technical solutions to a social problem and you're trying to address the symptoms instead of the underlying cause. This runs the risk of failure if he finds some other way of shutting down your machine.
Talk to your friend and remind him that you're not pals messing about at university, any more: you're professionals being paid to do a job. His behaviour is completely unacceptable in the workplace. He is deliberately stopping you from doing your job which, ultimately, is putting your job at risk. What happens when your boss calls you in to explain your poor performance? Do you accept the blame and get yourself fired? Or do you blame your friend and get him fired? Friends don't put friends in that situation.
Tell your friend that he needs to stop. Right now. Period. If he doesn't, you're going to have to talk to management.
Run gpedit.msc and try disabling the option as shown below. Restart your PC to see if it works:
shutdown.exe to shut down the OPs machine. This only works because shutdown.exe uses the colleague's network credentials to log into the OPs machine. So the colleague is logged in.
Commented
Feb 18, 2014 at 19:51
The policy you want to change is in
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment
Locate the policy named "Force shutdown from a remote system." By default, this policy has a value of Administrators. Just edit it to be an empty list, or put your friendly trusted IT person in there instead.
A note about "Shutdown: Allow system to be shut down without having to log on"
This policy applies to local shutdowns only. That is, it controls whether someone present at the computer can shut it down without having to log on first. By default, this policy is Enabled on workstations, and you can see the shutdown button in the lower right corner of the Windows logon screen.
If you set this policy to Disabled, you will no longer see the shutdown button on the logon screen. A user would have to log on to the computer to shut it down. This is typically how servers are setup.
This policy does nothing to prevent a remote shutdown. You can try it yourself on a system that you can shutdown remotely. Set this policy to Disabled, and you will still be able to shut down that system.
A note about the Remote Registry service
Disabling the Remote Registry service does not prevent remote shutdowns. Remote Registry only affects the ability of the Shutdown Event Tracker to record the reason for the shutdown. If the reason cannot be recorded, the shutdown still occurs.
psexec to run shutdown on the machine locally. The "deny access to this computer from the network" policy should block this class of attack, but may also prevent legitimate access as in the OPs situation.
Commented
Feb 17, 2014 at 23:02
This is a simple way to fix this problem without admin privileges.
But still.. Talk to your colleague man. I leave this with the community for any circumstances where disciplinary action is not readily available e.g internet cafe.
Put below code in a new text file. then change .txt extension to .bat
if you do not see the .txt extension go into:
If win 8.1/8, in the my documents window, click view tab and find the options button.
Shutdown abort CODE, remember to close it when shutting down.
:start
cls (clear command prompt window.. Optional)
@echo Shutting Down Cancel
shutdown -a
TIMEOUT 1
goto start
The code is not resource intensive for modern computers and won't show up in virus scanners. - caus it's not a virus =D
shutdown -a > NUL is more efficient than shutdown -a with cls
You can disable this by either disabling the Remote Registry service or removing all other access to shutdown
Disable Remote Registry:
sc config "RemoteRegistry" start= disabled
Shutdown location:
C:\Windows\System32\shutdown.exe
Removing access to shutdown.exe will result in some unexpected results when doing any system tasks which involve resets ect...
As for Remote Registry:
Disabling the RemoteRegistry service will break most patch management solutions including the Software Update Service and Windows Automated Update. If you disable this service, you will have to perform patch management manually
shutdown.exe on their own machine, not the one on the machine being targeted. So deleting your copy really isn't going to help.
Commented
Feb 17, 2014 at 23:03
From TechNet:
In order to use this feature, the Remote Registry service must be enabled on the remote computer. See Enable the Remote Registry Service for more information.
Access to the Remote Registry or membership in the Administrators group on the remote computer is the minimum required to complete this procedure.
You could add the following into a file, say, C:\kill-shutdown.ps1, then put the file into the group policy: Local Computer Policy>Computer Configuration>Windows>Settings>Scripts (Startup/Shutdown)>Shutdown
if ((test-path C:\allow-shutdown.txt) -ne $True) { shutdown -a }
Then, if C:\allow-shutdown.txt doesn't exist, it will abort ALL shutdowns.
Remove him from the ipc$ share of your computer:
