Remotely Erase a Stolen PC

What we want to make happen.

Laptop stolen? Got a way to remotely run code on it, like remote access, Kaseya, LabTech, NAble, or another RMM? You already Bitlocker encrypted it right? Right??? — If not, then look no further for code to erase user data, and make a computer non-bootable.

Feel free to modify into a batch file and run remotely.

#Optional, helps reduce any roadblocks you run into. PSExec is a Microsoft SysInternals tool, that allows you to execute a program with "NT AUTHORITY\SYSTEM" level permissions. Using the "-s" switch runs in a system context. /accepteula prevents a prompt to agree to the license when running.
#copy .\PSExec.EXE into your directory, I will be using Kaseya's default working directory: C:\kworking\

#Before anything else, delete the bootloader. Upon a reboot, there will be nothing to boot to, and Startup Repair will be unable to fix it. At this point, repair options do exist -- but this step is just part 1.
bcdedit /delete {bootmgr} /f
bcdedit /delete {current} /f
#Going to use Robocopy to MIRror over our existing data. Start with a blank directory.
mkdir C:\blank
#Take ownership of all User folders. This folder is protected against normal deletion. We also give "everyone Full" permission over all User directories, again, for the sake of easier deletion.
C:\kworking\psexec.exe /accepteula -s takeown /r /d y /f C:\Users
C:\kworking\psexec.exe /accepteula -s icacls C:\Users /t /grant Everyone:(OI)(CI)F
#Purge all local User Files
#Using > NUL prevents console output, making it run significantly faster.
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\Users\ /MIR /r:0 /w:0 /e > NUL
#Purge ProgramData
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\ProgramData /MIR /r:0 /w:0 /e > NUL
#Start breaking programs
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank "C:\Program Files (x86)" /MIR /r:0 /w:0 > NUL
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank "C:\Program Files" /MIR /r:0 /w:0 /e > NUL
#Break the Windows OS -- delete as many important pieces as you can.
#Typically reduces WinSxS from ~15k files to about ~2k.
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\Windows\WinSxS /MIR /r:0 /w:0 /e > NUL
C:\kworking\psexec.exe /accepteula -s robocopy.exe C:\blank C:\Windows\System32 /MIR /r:0 /w:0 /e > NUL
#At this point, the machine is probably just a black screen, and nothing works. No Task Manager, no icons, no interface -- nothing... You can try to trigger a "shutdown -r -t 0", but it's likely the shutdown.exe has also been purged.
#There is nothing left to do with the machine besides wipe and reload the OS.

Leave a Reply

Your email address will not be published. Required fields are marked *