Offer Remote Assistance in Windows XP Professional
I’ve spent a few hours this morning investigating Remote Assistance in Windows XP Professional. At first glance it looks like a potential VNC killer for the enterprise. Unfortunately, if you don’t look closely enough you’ll quickly dismiss it, most likely by seeing these initial limitations.
- It requires the user to know how to ask for Remote Assistance. Explaining to each user how to open Help Center, click Ask for remote assistance, type in the email address of the person they want to ask for assistance and set limitations such as validity periods is likely to take more time than actually fixing the problem. – Not good.
- Once the user has sent the invitation and the recipient has opened the attachment, the user is prompted to allow the connection to their machine. – Once again, a user being security conscious will likely click No, or worse yet, call the IT department to check that the message is kosher. Two things here; the user might just click No, making a hash of the whole process or they’ll create another support request to check that the message on their screen is OK. Bad, bad, bad.
- Once you’ve managed to connect you have to again ask if you’re allowed to take control of the user’s machine. Again, the user could click No and it slows the process of giving assistance.
These are all viable reasons for ignoring Remote Assistance for consideration in the Enterprise but, little did I know before I started looking under the hood, you can also offer assistance to users. Great! That scratches out the first point but doesn’t alleviate the second two. The downside to this “fix” for the first point is that you’ve got some work to do with Group Policy before you can implement this.
You’ll need to implement a policy, either directly on the target machines or using Active Directory Users & Computers. (GPMC is a better idea if you have it).
Drill down to: Computer Configuration > Administrative Templates > System > Remote Assistance and make the relevant changes in there. Microsoft’s Knowledge Base details all the technical points in this article No. 301527. The article seems to be targeted more at single systems rather than an enterprise rollout. One important note from the article suggests extreme caution due to the difficulty in verifying domain accounts and groups given authority to Offer Remote Assistance.
OK great…. but how the hell do I Offer Remote Assistance? Again, Microsoft don’t let us down and have this article No. 308013 on the subject.
There is a quicker way to get to the Offer Remote Assistance Screen though. Copy the following in to the Run dialog box and click OK.
hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,
C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm
Right, we’ve implemented our policy and we now know how to offer assistance. Do I HAVE to get the user to accept my connection request AND accept my request to take control of their desktop?
A lot of people would have answered: “Yes, you do!”
The good news is that the answer is: “No, you don’t!”
I’m sure you know that there’s bad news coming from this so I’m not going to say it. Needless to say, get your best HTML editor out, we’re about to go hacking!
The dialog boxes that ask the user for permission to take control of your computer are nothing more than HTML pages with some JScript (Microsoft’s implementation/interpretation of JavaScript) added to control buttons and hold ActiveXObjects. As such, they can be edited. I’m going to point out that because we can edit the HTML and JScript, it also means we can break it so BE CAREFUL! Take backup copies of any files before you edit them.
The first hurdle is automating the acceptance of the offer in the first place. If the user refuses the offer, then we’re wasting our time or we’ve got to spend more of it (time) by phoning them up and telling them to accept it. On the target system, locate the following file and open it up in your HTML editor:
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\helpeeaccept.htm
Notepad is perfectly sufficient but I’m going to be referring to line numbers so something a little more advanced might be a good idea.
At line 158 where it says:
btnDecline.focus();
Add another line below that and type in the following:
DoAccept();
So that lines 158 and 159 look like this:
btnDecline.focus();
DoAccept();
You can test this now if you wish by connecting to the target machine and offering assistance. Remember that the target machine MUST have the relevant policy settings in place before this will work at all! Making that change should now allow you to connect to the target machine and automatically be accepted but….
…initially you are placed in to Screen View Only which kind of makes it a little difficult to actually assist the user unless you’re on the end of a phone or typing away like a lunatic in the rather useful but watered-down messaging client provided by Remote Assistance. Fortunately for us we can take control AND automatically be accepted by making a few more edits to another HTML & JScript file buried a little further in the file system.
Open up this file:
C:\WINDOWS\pchealth\helpctr\System\Remote Assistance\Interaction\Server\TakeControlMsgs.htm
from the target computer in your favourite HTML editor and look for line 44, Change that line to look like the following
Now that we have made this alteration, whenever we click “Take Control”, we are automatically given full control of the user’s computer, without having to ask them for permission! The box does pop up but because it gets its answer so quickly, the user is only likely to see a quick flash. Obviously this doesn’t stop the user from disconnecting you. A quick flick of the escape button will have you disconnected in no time but that doesn’t mean you can’t take control again!
For network admins looking to implement the changes I have spoken about, please be aware that if you make changes to the two files, this affects all remote assistance connections to the computer that you changed the files on. Fortunately Microsoft did give us some control over who can initiate unsolicited remote assistance connections so we’re safe from initiated attacks. (I use the word “safe” cautiously of course!)
The problems begin if a malicious person intercepts a remote assistance request (initiated from the user through Help and Support Center), should they respond to it, they will automatically be given both access AND control (if they request it) of the hapless user’s machine. This is obviously a major security hole so I would suggest that you use your own scripting prowess to write a VBSCript which only alters the files when you want to connect and changes them back once you’ve done.
I would envisage it working like this:
See if the machine is available on the network (ping?), connect to the target machine, make backups of the target files, alter the target files, intitiate a connection (and have it automatically accepted). Once finished and disconnected, replace the altered files with the backed up files.
Any questions please let me know. If anyone fancies having a pop at the VBScript I’ve suggested, please feel free to share your results here!
– Lewis
I made a start (that means I’ve not finished) on the connection script.
So far it checks for the machine on the network, connects to it, backs up the existing files, edits the originals, opens offer remote assistance and bobs yer uncle… importantly it doesn’t change the changes back so don’t say I didn’t warn you!
Here you go:
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set oSh = CreateObject("WScript.Shell")
Set oFs = CreateObject("Scripting.FileSystemObject")
sComputerName = InputBox ("Type the computer name of the user you wish to offer assistance to...", "Offer Assistance")
sTargetPath = "\C$\WINDOWS\pchealth\helpctr\System\Remote~1\"
If sComputerName = "" Then
oSh.Popup "No name entered.", 2, "Warning", 0 + 4096
WScript.Quit
End If
If Ping(sComputerName) = False Then
oSh.Popup UCase(sComputerName) & " is not responding to pings." & vbLf & "Ensure you have typed the name correctly.", 0, "Error", 0 + 48 + 4096
WScript.Quit
Else
' Make backups of files being edited...
oFs.CopyFile "\\" & sComputerName & sTargetPath & "helpeeaccept.htm", _
"\\" & sComputerName & sTargetPath & "helpeeaccept.htm.bak", True
oFs.CopyFile "\\" & sComputerName & sTargetPath & "Interaction\Server\TakeControlMsgs.htm", _
"\\" & sComputerName & sTargetPath & "Interaction\Server\TakeControlMsgs.htm.bak", True
Set oAccessFileBak = oFs.OpenTextFile _
("\\" & sComputerName & sTargetPath & "helpeeaccept.htm.bak", ForReading)
Set oAccessFile = oFs.OpenTextFile _
("\\" & sComputerName & sTargetPath & "helpeeaccept.htm", ForWriting, True)
Set oTakeControlFileBak = oFs.OpenTextFile _
("\\" & sComputerName & sTargetPath & "Interaction\Server\TakeControlMsgs.htm.bak", ForReading)
Set oTakeControlFile = oFs.OpenTextFile _
("\\" & sComputerName & sTargetPath & "Interaction\Server\TakeControlMsgs.htm", ForWriting)
' Edit the access file to auto accept assistance offers
i = 0
While Not oAccessFileBak.AtEndOfStream
sLine = oAccessFileBak.ReadLine
If i = 158 Then
oAccessFile.WriteLine("DoAccept(); // This line was added by an automation script." & vbLf & sLine)
Else
oAccessFile.WriteLine(sLine)
End If
i = i + 1
Wend
' Edit the take control file to auto accept take control requests.
")i = 0
While Not oTakeControlFileBak.AtEndOfStream
sLine = oTakeControlFileBak.ReadLine
If i = 43 Then
oTakeControlFile.WriteLine _
("
Else
oTakeControlFile.WriteLine(sLine)
End If
i = i + 1
Wend
' oSh.Run "hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm", 3, False
' WScript.Sleep 2000
'
' oSh.AppActivate "Help and Support Center"
'
' oSh.SendKeys sComputerName
' WScript.Sleep 500
' oSh.SendKeys "{TAB}{ENTER}"
End If
Function Ping(strTarget)
Set objWMIPinger = GetObject("winmgmts:\\.\root\cimv2")
Set objWMIPingStatus = objWMIPinger.ExecQuery("Select * from Win32_PingStatus where Address='" & strTarget & "'")
For Each oPing In objWMIPingStatus
If IsNull(oPing.StatusCode) Or oPing.StatusCode <> 0 Then
Ping = False
Else
Ping = True
End If
Next
End Function
Did you complete this script? Please post it if you did.
Thanks,
Doug
Hi Doug, I’m afraid I didn’t finish it. Though a usable idea, it didn’t warrant the time spending on it to complete the script. Sorry.
Hello, greate article, but, i will be complaing about taking control of clients machine. Especialy in enterprise enviroment, i’ll be aware of it. I will highly recomand to left some user interaction, at least accepting the initial request. If you rip of this functionaly “security guys” can blame you about spying on customers/users. In other hand, there is realy no need to conform of overiding control of targeted machine, especialy when user can in any time cancel the connection by pressing ESC.
Hello,
U may find useful this article: http://msdn2.microsoft.com/en-us/library/ms811079.aspx
Compleate description of how to make appliaction that work with Remote Help
Very useful. One more thing, do you know how to send a ctrl-alt-del so I can login to the users machine remotely even if he is not there?
Hi Josh, I am not aware of there being any facility to do this for a machine that isn’t currently logged on. Sorry.
I’ve been thinking of doing this, so I’ll probably modify Doug’s code and release something in the near term.
Upon pondering the issue of writing the entires to the file, why not just back up the whole html file and write a known good file to the remote system? Without looking into this in-depth at the moment, I can’t see any reason why not to do that (the files seem small enough), instead of writing a few lines here and there. Unless someone can give me a good reason?
I got hold of Modified RA files that someone else created. Thanks, now I know how to create my own modified remote assistance files.
Here are two working scripts that copy modified files to a remote machine and initiates a remote assistance session and then removes those files. http://www.visualbasicscript.com/m_50614/tm.htm
Lewis, your post inspired me to create what I believe is an excellent remote assistance solution that gets about as close to VNC as possible. Have a look:
http://dgrundel.wordpress.com/2007/10/04/unsolicited-remote-assistance/
I’m new to this whole blogging thing, so give me a break on the posted code. 😛
I’ve taken the code that you and Daniel have put together and made it available as a download here:
http://www.vbshf.com/vbshf/forum/forums/thread-view.asp?tid=323&start=1&posts=1
This will allow you to enter a computer name and then connect to a remote computer (pending it is not logged out) and open up a remote assistance connection, allowing you to take control with no user intervention on the remote end.
Thanks again to both of you for your great work!
Rob
Good stuff this Rob. Thanks for the credit!
Hello, thanks to the OP 🙂
Josh Goldberg you have already a tool to login when a user is not around. it is called remote desktop.
Rob, your link is broken. I would love to take a look if you could update the link.
Thanks
Found this post through Google, very useful. I was wondering though if the same thing (no permission dialogs) could be achieved in Windows 7 and if anyone had tried messing with that at any point. Thanks.
Lewis, you might want to revisit this after the KB2675157 and KB2653956 MSSecurity patches lay into your system. On first blush, it looks like they have modified the remote code execution to the point that this will no longer launch as unsolicited. Laid the patches into my XPSP3 station today, and it effectively killed my unsolicited support. If you come up with a fix, I’d sure appreciate it, as i live and breathe URA in our intranet. Thanks! Mike I.
Hi Mike, seems a shame that they’ve killed it after such a long time (it was six years ago I posted this hack) but I have to be honest, the only way they could kill it is by signing the code and refusing to run it if the code signing certificate doesn’t validate.
Have you checked that the piece of JavaScript added to the HTML file wasn’t removed and tried adding it back in again?