Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
About
Red Teaming
Cheat Sheet
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
Resources
Malware Analysis
Unpacking
Basic tips
Malware instrumentation with frida
Tools
Resources
Prevent Windows shutdown after license expire
Mobile
Tools
Reverse iOS ipa
Reverse Android APKs
Basic tips
Resources
IoT / Reverse / Firmware
Basic tips
Reverse IoT devices
Tools
Resources
Powered By GitBook
Prevent Windows shutdown after license expire

Issue

After Windows license expires, you will see a similar message as shown below and then VM will auto shutdown every hour.

Investigation

As always, I started my investigation from Event logs. Since we are going to troubleshoot shutdowns, we need to filter messages in logs that are related to restarts. Easiest way to do so is to filter by respective Event Ids. In this case I chose to filter logs by following event ids : 41, 1074, 6006, 6008 as shown below :

A Brief explanation of Event Ids

  • Event ID 41: The system rebooted without cleanly shutting down first. This error occurs when the system stopped responding, crashed, or lost power unexpectedly.
  • Event ID 1074: Logged when an app (such as Windows Update) causes the system to restart, or when a user initiates a restart or shutdown.
  • Event ID 6006: Logged as a clean shutdown. It gives the message, “The Event log service was stopped.
  • Event ID 6008: Logged as a dirty shutdown. It gives the message, “The previous system shutdown at time on date was unexpected
After applying the filters you will see list of events corresponding to event ids.
Now that we have filtered the events, i decided to look into events that occurred around the time VM rebooted which was around 9:50am
In the General section of the above came across below information :
The process C:\Windows\system32\wlms\wlms.exe (TEST2) has initiated the shutdown of computer TEST2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Planned)
Reason Code: 0x80000000
From the above message it was clear that wlms.exe initiated the reboot.
Next, I opened up task manager and looked for wlms.exe, on further investigation wlms.exe took me straight to WLMS service. WLMS stands for Windows License Monitoring Service and it is installed by default on all Windows Evaluation versions.

How to stop shutdown every hour

Lets take a closer look at WLMS service
Even though I am logged in with admin account, I do not have access to disable this service . To disable this services please follow below steps :
  1. 1.
    Download PsExec tools from Microsoft site here​
  2. 2.
    After downloading extract the tool in a folder
  3. 3.
    open cmd and Run as administrator
  4. 4.
    cd to the folder path
  5. 5.
    execute psexec -i -s cmd.exe
  6. 6.
    This will open another cmd prompt as shown below :
7. Now type whoami to confirm user as shown below:
8. Type services.msc as shown below :
9. This will open services and now you can navigate to Windows License Monitoring Service and can disable it
10. Restart the VM
​

Sources

How to stop Windows Server auto-shutdown every hour after license expire - Volatility | Memory Forensics | Malware| DIGITAL IT SKILLS
Volatility | Memory Forensics | Malware| DIGITAL IT SKILLS - Skills that matter
Previous
Resources
Next - Mobile
Tools
Last modified 1mo ago
Copy link
Outline
Issue
Investigation
A Brief explanation of Event Ids
How to stop shutdown every hour
Sources