Help with Insubordinate - Rogue program installs


  1. Posts : 2
    Windows 10
       #1



    Hello everyone, first post here. (Windows 10 Home)

    Currently I am having a problem with one of my subordinates not cooperating. Initially he was within his bounds, but lately he has been overstepping to the point of irritation and possible disciplinary action.

    To get to the meat of it, there are somehow programs being installed onto one of our shared computers (AutoHotKey Unicode 64bit). With this, he has changed a lot of the keyboard combinations, as well as the mouse buttons. Initially it was as easy as stopping the process from the task manager and disabling the program at start-up. However, today, I log on to the computer and it is on at start up. Check the start-up menu and there is a second instance listed under start-up, and requires admin password to disable.

    In addition, the program listed is not showing up under installed programs, so I cannot seem to find a way to uninstall this, or combat this employee. Long story short, our IT is doing the best he can, and is in charge of a million other things and relies on me for help. And this is one thing I can't seem to solve, so any help will be appreciated.

    Thank you
    Attached Thumbnails: Help with Insubordinate - Rouge program installs-autohotkey-2-instances.png
      My Computer

  2. dalchina's Avatar
    Posts : 31,845
    Win 10 Pro (1903)
       #2

    Hi, my guess is each of those represents an autohotkey script file - if you expand one you may see something like this:
    Help with Insubordinate - Rouge program installs-1.jpg

    If they are script files (e.g. abcd.ahk) then if you rt click them as shown, you will have the option to edit:

    Help with Insubordinate - Rouge program installs-untitled.png

    and you can then see the content of the script file.

    You don't have extensions shown, unfortunately.


    Whilst script files (extension .ahk) will run, they will only do so if Autohotkey is installed.

    If .ahk script files are running that implies Autohotkey has been installed. Should the employee have the ability to install programs at all? If not, deploy an appropriate group policy:
    Block users from installing or running programs in Windows 10


    Compiled .ahk files (.exe) don't require that. Neither they nor ahk files need to be installed.

    It's enough simply to put them somewhere accessible on the network or on a PC, and create a startup entry to have them launched automatically.

    Consider using Applocker:
    Use AppLocker to Allow or Block Executable Files in Windows 10
    Use AppLocker to Allow or Block Windows Installer Files in Windows 10

      My Computers
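
Added example, not part of any post in this thread: a PowerShell script that lists the startup entries described above (Run keys and Startup folders) and shows those that reference AutoHotkey or an .ahk script. The registry paths and folders are the standard Windows autostart locations; the match pattern `$pattern` is an assumption and will miss a compiled script with an unrelated name.

```powershell
# Added example: find autostart entries that reference AutoHotkey or .ahk scripts.
# $pattern is an assumption; a compiled script can carry any .exe name.
$pattern = 'autohotkey|\.ahk'

# Run keys: HKCU applies to the logged-on user, HKLM to every user (admin to edit).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Location = $key
            Name     = $name
            Command  = [string]$item.GetValue($name)
        }
    }
})

# Startup folders: per-user, then all-users (admin to edit).
$shell = New-Object -ComObject WScript.Shell
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$entries += @(foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $command = $_.FullName
        if ($_.Extension -eq '.lnk') {
            # Resolve the shortcut so the real target and arguments are visible.
            $lnk = $shell.CreateShortcut($_.FullName)
            $command = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        }
        [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $command }
    }
})

$entries |
    Where-Object { "$($_.Name) $($_.Command)" -match $pattern } |
    Format-List Location, Name, Command
```

Entries reported under HKLM or the all-users Startup folder need an administrator to remove. Scheduled tasks and services can also launch programs at logon and are not covered by this script.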


  3. Posts : 2
    Windows 10
    Thread Starter
       #3

    Help with Insubordinate - Rouge program installs-autohotkey-2.png

    I am attaching a secondary picture for reference. I believe that the employee had to have gotten the Admin password to install the original program, but I am just confused as to why it isn't showing up on the installed program list? I am very new to this, and any and all help is appreciated.

    I know nothing about scripts or Macros at all, and there are a lot of .ahk files with scripts and Macros in them, but I am unaware of what they do or even how to modify them at all.

    Thank you
      My Computer

  4. dalchina's Avatar
    Posts : 31,845
    Win 10 Pro (1903)
       #4

    Thank you for your reply.


    That's the installation folder for Autohotkey, although oddly under Documents.

    I.e. your employee has downloaded and installed it. Look - here's mine:
    Help with Insubordinate - Rouge program installs-1.jpg


    I asked above:
    "Should the employee have the ability to install programs at all?
    If not, deploy an appropriate group policy:"

    I have given you above some ways to stop the person, and ways to determine what the scripts are.

    The rest is up to you or a competent IT staff member.
      My Computers

  5. Callender's Avatar
    Posts : 4,417
    21H1 64 Bit Home
       #5

    You can just block it from running.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoHotkey.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoHotkeyA32.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoHotkeyU32.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoHotkeyU64.exe]

    Create the above registry keys and add this value to each.
    I'm adding an image here, as somehow the CODE box containing the content is blocked by this forum.
    Help with Insubordinate - Rouge program installs-value.png

    So you end up with:

    Help with Insubordinate - Rouge program installs-reg-file.png
      My Computer

  6. Callender's Avatar
    Posts : 4,417
    21H1 64 Bit Home
       #6

    Example. Notepad blocked.

    Help with Insubordinate - Rouge program installs-registry-editor.png
      My Computer


 
