Prevent Windows shutdown after license expire

Last updated 2 years ago

Issue

After the Windows license expires, you will see a message similar to the one shown below, and then the VM will shut down automatically every hour.

Investigation

As always, I started my investigation with the Event logs. Since we are troubleshooting shutdowns, we need to filter the logs for messages related to restarts. The easiest way to do that is to filter by the relevant Event IDs. In this case I chose to filter the logs by the following event IDs: 41, 1074, 6006 and 6008, as shown below:

A brief explanation of the Event IDs

  • Event ID 41: The system rebooted without cleanly shutting down first. This error occurs when the system stopped responding, crashed, or lost power unexpectedly.

  • Event ID 1074: Logged when an app (such as Windows Update) causes the system to restart, or when a user initiates a restart or shutdown.

  • Event ID 6006: Logged as a clean shutdown. It gives the message, "The Event log service was stopped."

  • Event ID 6008: Logged as a dirty shutdown. It gives the message, "The previous system shutdown at time on date was unexpected."

After applying the filter you will see the list of events matching those event IDs.

Now that the events were filtered, I looked at the events that occurred around the time the VM rebooted, which was around 9:50 AM.

In the General section of the event above I came across the following information:

The process C:\Windows\system32\wlms\wlms.exe (TEST2) has initiated the shutdown of computer TEST2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Planned)
Reason Code: 0x80000000

From the above message it was clear that wlms.exe initiated the reboot.

Next, I opened Task Manager and looked for wlms.exe; further investigation took me straight to the WLMS service. WLMS stands for Windows License Monitoring Service, and it is installed by default on all Windows Evaluation versions.
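The same log triage in PowerShell, as an added example that is not part of the original post: it pulls the four event IDs above from the System log and, for each 1074 event, extracts the initiating process and reason code from the message text, so an hourly shutdown requested by wlms.exe stands out. It assumes an English-language Windows (the regexes match the English message shown above) and an account that can read the System log.

```powershell
# Added example (not from the original post): filter the System log by the
# shutdown-related event IDs used in the write-up and pull out who asked for it.
$ids = 41, 1074, 6006, 6008
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids } `
    -ErrorAction SilentlyContinue

# Event 1074 (source User32) records the initiating process, user and reason code
# in its message, e.g. "The process C:\...\wlms.exe (TEST2) has initiated the shutdown".
$shutdowns = foreach ($e in $events) {
    $proc = $null; $reason = $null
    if ($e.Id -eq 1074 -and $e.Message -match 'The process (?<proc>.+?) \([^)]*\) has initiated') {
        $proc = $Matches['proc']
    }
    if ($e.Message -match 'Reason Code:\s*(?<code>0x[0-9A-Fa-f]+)') {
        $reason = $Matches['code']
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Process    = $proc
        ReasonCode = $reason
    }
}

# Timeline of all four event types, oldest first.
$shutdowns | Sort-Object Time | Format-Table -AutoSize

# Which process initiates shutdowns most often: wlms.exe showing up once an hour is the tell.
$shutdowns | Where-Object Process | Group-Object Process |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Run it in an elevated PowerShell on the affected VM; an empty table means none of the four IDs were found in the System log.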

How to stop shutdown every hour

Let's take a closer look at the WLMS service.

Even though I am logged in with an admin account, I do not have access to disable this service. To disable it, follow the steps below:

  1. After downloading, extract the tool into a folder

  2. Open cmd and Run as administrator

  3. cd to the folder path

  4. Execute psexec -i -s cmd.exe

  5. This will open another cmd prompt as shown below:

  6. Now type whoami to confirm the user as shown below:

  7. Type services.msc as shown below:

  8. This will open Services; now you can navigate to Windows License Monitoring Service and disable it

  9. Restart the VM

Enjoy! :D

Download the PsExec tool from the Microsoft site.
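The same fix done from the SYSTEM shell that psexec -i -s gives you, as an added example that is not part of the original post: it confirms the shell really runs as SYSTEM, records the service's current configuration and security descriptor (the reason an admin account gets access denied), then disables and stops it. It assumes PowerShell is started from that shell (type powershell in the psexec cmd window) and that the service name is WLMS as on this page.

```powershell
# Added example (not from the original post): disable WLMS from the psexec SYSTEM
# shell without opening services.msc. Assumes the service name is WLMS.

# 1. Confirm the shell is SYSTEM; the ACL on WLMS blocks ordinary administrators.
if ((whoami) -ne 'nt authority\system') {
    throw 'Not running as SYSTEM. Start this from: psexec -i -s cmd.exe'
}

# 2. Record the service as found (binary path, start mode, state) before changing it.
Get-CimInstance Win32_Service -Filter "Name='WLMS'" |
    Select-Object Name, DisplayName, PathName, StartMode, State | Format-List

# 3. Show the service's security descriptor (SDDL): this is why an admin account
#    could not disable it from services.msc.
sc.exe sdshow WLMS

# 4. Disable the service so it does not start again, stop the running instance, verify.
Set-Service -Name WLMS -StartupType Disabled
Stop-Service -Name WLMS -Force -ErrorAction SilentlyContinue
Get-Service -Name WLMS | Select-Object Name, Status, StartType

# 5. Reboot the VM, as in the last step above.
```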