How can I trace the IP of the "Remote shutdown" source machine?

  • Question

  • Hi,

    I have enabled shutdown event logging on my XP machine; however, I am still not able to trace the IP of the one of 15 XP workgroup machines which is remotely shutting down my machine.

    The command which might have been used is: shutdown /f /r /m \\<remote computer ip> /t: 0

    Can anyone suggest how I can trace that remote machine's IP?

    Or at least tell me which protocol or port shutdown.exe uses when it sends the remote command.

    I have captured ProcMon, NetMon and Wireshark logs, but I still have no clue where to start my investigation.

    Please help.

    Kuntal K. Basu Windows Server Performance Expert

    Friday, June 15, 2012 8:33 AM


  • Did a lot of research on that and was able to find the answer.

    On the target machine (the victim), look at event ID 1074 in the event log. That will give you the user name. Now we need to find the IP address from which the command was executed.

    Now go to the security log. Go to the time when event ID 1074 was created and search for event IDs 680, 576, 540 and 538 (with logon type 3).

    If you have a Wireshark log, you can find it there too.

    Monday, July 2, 2012 11:31 PM
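The correlation the answer describes, done in code as an added example (not from the thread): take each System-log event 1074, find the legacy Security-log network logons (event 540, logon type 3) by the same account in the seconds before it, and read the source address and workstation name from those records, using event 680 as corroboration. The records, field names and time window are constructed for this example and are not a real capture.

```python
from datetime import datetime

# Constructed sample records (not a real capture), shaped like the XP/2003
# System and Security logs the thread refers to: shutdown event 1074 plus the
# legacy security events 540/538/576/680. Field names are this example's own.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 540, "time": "2012-06-15 08:20:00", "user": "backup",
     "logon_type": 3, "workstation": "WS02", "source_address": "192.168.1.52"},
    {"log": "Security", "id": 680, "time": "2012-06-15 08:30:58", "user": "admin",
     "workstation": "WS07"},
    {"log": "Security", "id": 540, "time": "2012-06-15 08:30:59", "user": "admin",
     "logon_type": 3, "workstation": "WS07", "source_address": "192.168.1.57"},
    {"log": "Security", "id": 576, "time": "2012-06-15 08:30:59", "user": "admin"},
    {"log": "Security", "id": 528, "time": "2012-06-15 08:31:00", "user": "kbasu",
     "logon_type": 2, "workstation": "XPBOX"},
    {"log": "System", "id": 1074, "time": "2012-06-15 08:31:02", "user": "WORKGROUP\\admin"},
    {"log": "Security", "id": 538, "time": "2012-06-15 08:31:03", "user": "admin",
     "logon_type": 3},
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def shutdown_sources(events, window_seconds=30):
    """For each event 1074 (shutdown initiated), collect the type-3 network
    logons (event 540) by the same account within the preceding window,
    nearest first. An event 680 (authentication, carries Workstation Name)
    for the same account and workstation is recorded as corroboration."""
    findings = []
    for sd in (e for e in events if e["log"] == "System" and e["id"] == 1074):
        t_sd = _t(sd["time"])
        account = sd["user"].split("\\")[-1].lower()   # 1074 reports DOMAIN\user
        hits = []
        for e in events:
            if e["log"] != "Security" or e["id"] != 540 or e.get("logon_type") != 3:
                continue                               # only successful network logons
            if e["user"].lower() != account:
                continue                               # must be the account named in 1074
            age = (t_sd - _t(e["time"])).total_seconds()
            if not 0 <= age <= window_seconds:
                continue                               # outside the correlation window
            corroborated = any(x["log"] == "Security" and x["id"] == 680
                               and x["user"].lower() == account
                               and x.get("workstation") == e.get("workstation") for x in events)
            hits.append({"source_address": e.get("source_address"),
                         "workstation": e.get("workstation"),
                         "seconds_before_shutdown": age, "auth_event_680": corroborated})
        hits.sort(key=lambda h: h["seconds_before_shutdown"])
        findings.append({"shutdown_time": sd["time"], "account": account, "candidates": hits})
    return findings

if __name__ == "__main__":
    for f in shutdown_sources(SAMPLE_EVENTS):
        print(f["shutdown_time"], f["account"], f["candidates"])
```

In the sample the earlier "backup" logon and the interactive (type 2) logon are discarded, leaving the WS07 logon from 192.168.1.57 three seconds before the shutdown.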