With the increased popularity of internet access, more and more computer systems
are being connected to the Internet with little or no system security. Most
commonly the computer's owner fails to create a password for the Administrator's
account. This makes it very easy for novice hackers ("script
") to gain unauthorized access to a machine. DameWare Development
products have become attractive tools to these so called "script kiddies"
because the software simplifies remote access to machines where the Username &
Password are already known.
Although the DameWare NT Utilities (DNTU) and DameWare Mini Remote Control (DMRC)
applications are designed to assist Network Administrators in easily
managing remote computers across Local Area Network (LAN) and/or Wide Area
Network (WAN) environments, it is unfortunate that the software is sometimes
misused in a manner for which it was not intended. However, this type of
unauthorized network access to a machine can be accomplished just as easily by
using any other network application, including several that are incorporated
within the Operating System. The DNTU and DMRC
applications rely heavily on
the Operating System's built-in security. It
is important to note that the DNTU and/or DMRC Client Agent Services cannot be installed on a computer unless the person
installing the software has already gained Administrative access privileges to
the machine. This implies that someone has explicit knowledge of one or more
Administrative User ID's & passwords (i.e. Administrator, etc.).
rights are required to install the DNTU and/or DMRC Client Agent Services (or
any other service) on a Microsoft Windows NT / 2000 / XP / Vista system.
If the DNTU and/or DMRC Client Agent Services have been installed without permission,
it is likely one or more of the Administrative passwords are blank, or an unauthorized
person knows one of the Administrative passwords.
The information below will explain how to remove the DMRC Client Agent Service and/or
the DNTU Client Agent Service, however, it will not
resolve all security issues.
Therefore it is important to determine the "root
cause" of the issue.
If DameWare software can be installed on a machine without permission, someone has
explicit knowledge of an Administrative UserID & Password (i.e. Administrator,
etc.). The fact that an unauthorized person has explicit knowledge of an Administrator
UserID & password also implies that other software can be installed without
permission. Once again, a computer system's
security has to be compromised before the DMRC or DNTU Service can be installed without permission. It is
highly recommended that the root cause of the intrusion be investigated in addition
to simply removing the DMRC or DNTU Service.
If the computer is in a corporate environment, please contact the network
support staff to verify the validity of the program installation. If the software
has been installed without consent, please follow the
instructions below on how to remove the Client Agent Services. Also included in this article is information
on how to possibly discover who installed the unwanted software as well as suggestions
on how to improve a machine's security.
How to remove the DMRC and/or DNTU Client Agent
Please note that if the DWRCS.exe and/or DNTUS26.exe files are not located in
the system32 folder, search for them and perform the following steps
from that folder instead of the system32 folder.
- Go to a command prompt (usually Start / Programs / Accessories /
- Type cd %systemroot%\system32 and press Enter.
- Type DWRCS.exe -remove and press Enter.
Type DNTUS26.exe -remove and press Enter.
After the service removal, the following files can be deleted: (This
may require a re-boot before deleting. It is also not required to delete the files, because
the Service was removed in the previous step).
DWRCSET.DLL (v 3.6x and later)
DWRCSHELL.DLL (v 3.6x and later)
DWRCST.EXE (v4.4 and later)
If the DWRCShell.dll cannot be deleted, it is likely the Windows
Explorer Shell has already loaded it.
Reboot the machine.
Click on the Start button and select run.
Type CMD and press ENTER.
Once the DOS prompt is visible, type: CD %systemroot%\system32 and press Enter.
Now delete the DWRCShell.dll file.
How to possibly discover who installed the software:
Please note that the account (Username) used to install the Client Agent
Service must have Administrative rights. Since an Administrator has full rights,
and can do anything that he or she wants to do on the machine, there is no guarantee
that any traces of the access intrusion will be found. Here are a few possible
methods of discovering how an unauthorized person accessed the machine.
Check the Application Event Log for DWMRCS or DNTUS26 entries for details about
the account used to install / access the machine using the DMRC or DNTU program. The DMRC will also attempt to log
additional information about the remote computer that was used to access the
The following is sample information of a DMRC event log entry:
- Date: 01/21/03
Date that the machine was accessed with the
- Computer Name:
Name of the remote computer that was used to
access this machine
- User ID: John
Remote machine's currently active UserID
during the DMRC connection
- Logon As ID:
User Name used to access this machine with DMRC
Account domain used with the "Logon As ID:"
- OS Product ID:
Remote machine's MS Windows Operating System
- OS Registered
Owner: John Doe
Remote machine's MS Windows registered owner's name
- OS Registered
Remote machine's MS Windows registered owner's company
- Host Name from
Remote machine's Host Name (reported from that
- IP Address(s) from
Remote machine's IP address (reported from
- Host: IP Address:
Remote machine's IP address (as seen by this Computer)
Type: NT Challenge/Response
Type of authentication used to access this
- Access Check:
Access privileges of Logon As ID: Account
Consider enabling Security Audit Policy logging to monitor any attempted
access to a machine. If the Security Audit Policy is enabled, the Security Event
Log can display all logon attempts made to a machine. Also, if the
Audit Policy is enabled and there is an issue with the Event Logs being deleted, the Security Audit Policy will record the account name used to delete the
Suggestions on how to improve a machine's
Please note that the suggestions here are not guaranteed to cover every
aspect of securing a computer and will only help in the most common
and simplest areas of computer security. It is the responsibility of the owner
of the computer to take every possible measure to ensure that the machine is
secured from unwarranted network access.
Consider changing all administrative account passwords and regularly check for new unwanted user accounts created on the machine.
Consider implementing a firewall for all internet access points. The following
TCP ports should be blocked in order to thwart unwanted service installations.
To block NetBIOS over TCP/IP:
UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)
To block Direct Hosting over TCP/IP (Active Directory):
TCP port 445 (DNS Direct Hosting).
For additional methods of analyzing security, check the
Microsoft Baseline Security Analyzer (MBSA)
Gibson Resource Corporation
3 steps to help ensure your PC is protected