Windows includes a built in program that captures screenshots and text descriptions of what a user is doing on their system. This program could be accessed remotely by a hacker. In this article we will see how to run the program from a remote shell using Metasploit.
Windows includes a great support program that you have probably never heard of called “Problem Steps Recorder” (psr.exe). Microsoft made this program to help troubleshooters see step-by-step what a user is doing. If a user is having a computer problem that they either can’t articulate well or tech support just can’t visualize the issue, all the support personnel needs to do is have the user run psr.exe.
When PSR runs it automatically begins capturing screen captures of everything that the user clicks on, it also keeps a running dialog of what the user is doing in a text log. When done, the data is saved into an HTML format and zipped so all the user needs to do is e-mail this to the tech support department.
I have honestly never heard of PSR before yesterday when Mark Burnett (@m8urnett) mentioned it on Twitter:
Creepy indeed, but I thought that if you could run it remotely, it would be a great tool for a penetration tester. Well, you can! Though running PSR as an attack tool isn’t a new idea. I did some searching and it is mentioned multiple times over the last several years in this manner. Pipefish even mentions using it with Metasploit back in this 2012 article (http://pipefish.me/tag/psr-exe/).
To use Steps Recorder normally, all you need to do is click the start button in Windows and type “psr” into the search box. Then click on “Steps Recorder”.
A small user interface opens up:
Just click “Start Record” to start. It then immediately begins grabbing screenshots. It displays a red globe around the pointer whenever a screenshot is taken. Then press “Stop Recording” when done. You will then be presented with a very impressive looking report of everything that you did. You then have the option of saving the report.
PSR can be run from the command prompt. Below is a listing of command switches from Microsoft :
psr.exe [/start |/stop][/output <fullfilepath>] [/sc (0|1)] [/maxsc <value>]
[/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
[/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
[/stopevent <eventname>] [/maxlogsize <value>] [/recordpid <pid>]
/start Start Recording. (Outputpath flag SHOULD be specified)
/stop Stop Recording.
/sc Capture screenshots for recorded steps.
/maxsc Maximum number of recent screen captures.
/maxlogsize Maximum log file size (in MB) before wrapping occurs.
/gui Display control GUI.
/arcetl Include raw ETW file in archive output.
/arcxml Include MHT file in archive output.
/recordpid Record all actions associated with given PID.
/sketch Sketch UI if no screenshot was saved.
/slides Create slide show HTML pages.
/output Store output of record session in given path.
/stopevent Event to signal after output files are generated.
Using PSR remotely with Metasploit
Using the command line options, PSR works very nicely with Metasploit in a penetration testing scenario. I will start with an active remote Meterpreter session between a test Windows 7 system and Kali Linux. There are many ways that you could do this, but I simply made a short text file as seen below:
- psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;
- Start-Sleep -s 20;
- psr.exe /stop;
The commands above start PSR, turns off that pesky Gui window that pops up when running and turns off the red pointer glow when recording pages. It then saves the file to the desktop.
The script waits 20 seconds and then stops recording.
I then encoded the command and ran it in a command shell:
After 20 seconds a new “cool.zip” file popped up on the Windows 7 desktop:
This file contained a complete step by step list of everything the user did during the 20 second window. At the top of the file are the screenshots:
And at the bottom was the step by step text log:
I actually like using PSR now better than Metasploit’s built in screenshot capability, especially with the blow by blow text log that is included. The script also worked well against Windows 10 with some minor tweaks.
Defending against this attack
Problem Steps Recorder can be disabled in group policy. Though I did not see anywhere on how to completely uninstall PSR.
The best defense is to block the remote connection from being created, so standard security practices apply. Keep your operating systems and AV up to date. Don’t open unsolicited, unexpected or questionable e-mail attachments. Avoid questionable links, be leery of shortened URLs and always surf safely.
If you want to learn more about computer security testing using Metasploit and Kali Linux, check out my latest book, “Intermediate Computer Security Testing with Kali Linux 2”.