Connecting to the console of a customer without their password!
Have you ever needed to assist a customer by viewing what is on their console while they are away from their desk?
For example, one of your customers receives an exception when they launch an application under their profile. You are unable to replicate the exception under your profile. The customer is away at lunch and you have permission to correct this problem. What could you do?
Note: I typically do not recommend this method as it could break the integrity of trust. Someone in the organization could say that you could access their account and perform actions that could violate a company policy. I am documenting this as it does exist and could be used as a last resort. If you do use this method, I would recommend that you communicate clearly and document your actions.
You do not know the password to their account and you do not want to change the password. What other options are there? Luckily, there is a way around this. It requires using PsExec from Sysinternals.
Launch a command prompt as administrator and navigate to the directory where PsExec is saved.
Run the following command.
psexec.exe -sid cmd
A new command prompt window will open. Let's launch Task Manager from the new window.
Once Task Manager is open, navigate to the Users tab. The Users tab lists the currently logged-on users. Right-click the profile that you want to connect to and press Connect. This will connect to and open their logged-in session. You can now investigate and fix the problem while the customer is away from their computer.
If you try to connect to their profile without performing the steps above, you will get a prompt asking for their password, as seen in the next image.
This is possible because the -sid parameter launches the new console as the SYSTEM account in interactive mode. This is not necessarily a vulnerability, because you need administrator rights to be able to do this.
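Because the whole technique hinges on the -s and -i switches, it is easy to watch for. The following is an added example, not part of the original post: it parses process-creation command lines and flags PsExec launches that ask for a SYSTEM process on the interactive desktop, including split or reordered spellings of -sid. The sample command lines are constructed, and the list of value-taking options is an assumption based on PsExec's usage text.

```python
import shlex

# PsExec options that consume the next token as their value (per its usage text).
VALUE_OPTS = {"-u", "-p", "-n", "-r", "-w", "-a"}
SID = set("sid")  # -s run as SYSTEM, -i interactive session, -d do not wait


def psexec_flags(command_line):
    """Return the s/i/d switches passed to PsExec, or None if not PsExec."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keep backslashes
    except ValueError:                                   # unbalanced quote
        tokens = command_line.split()
    first = tokens[0] if tokens else ""
    exe = first.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe.removesuffix(".exe") not in {"psexec", "psexec64"}:
        return None
    flags, i = set(), 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_OPTS:
            i += 2                         # skip the option and its value
            continue
        if tok.startswith("-"):
            letters = set(tok[1:])
            if letters and letters <= SID:
                flags |= letters           # cluster such as -sid, -dis or -s
        elif tok.isdigit() and tokens[i - 1].lower() == "-i":
            pass                           # optional session number after -i
        elif not tok.startswith("\\\\"):   # anything but a \\computer target
            break                          # the launched program starts here
        i += 1
    return flags


def is_system_interactive(command_line):
    """True when PsExec is asked for a SYSTEM process on the interactive desktop."""
    flags = psexec_flags(command_line)
    return flags is not None and {"s", "i"} <= flags


# Constructed sample command lines, as they would appear in process-creation logs.
SAMPLES = [
    "psexec.exe -sid cmd",
    r'"C:\Tools\PsExec64.exe" -accepteula -d -i 1 -s cmd.exe',
    r'psexec.exe -s cmd /c "whoami -i"',
    r"psexec.exe \\srv01 -u CORP\helpdesk ipconfig",
]
```

Only the first two samples are flagged; the third shows that switches belonging to the launched program are not counted. A renamed PsExec binary will not match on file name, so treat this as one signal among several.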