Admin’s Arsenal: Launch a script with an email, from your cell phone.



“With great power comes great responsibility.” Call me a bit of a geek, but when Uncle Ben said that to Peter Parker in Spiderman (2002), it sent a chill down my spine. Not because this was the first Spiderman movie that was actually good, but because I immediately thought that there was no possible way to better sum up the best piece of advice that you can give someone who has chosen the IT profession as a career. Thank you Stan Lee.

I mention this simply because what I am about to show you can be a great tool, but can also be used for unconscionable evil. In fact, I learned how to do this from an incident at a former job where a disgruntled SysAdmin had used this technique to set up a “deadman switch” of sorts, and when he was fired, used it to totally wipe out a critical database. I was tasked with figuring out what had happened.

Now for those of you that will fall to the dark side, and decide to use this technique for nefarious purposes, listen up: you will get caught. Not only will you get caught, you will get prosecuted (as did the guy I learned this from). Also keep in mind that with the now infamous Terry Childs case being highly publicized, you will probably end up going to jail too (as you should).

This post is for the rest of you who will use this very powerful technique to make your jobs easier (and likely your personal lives less interrupted as well).

Requirements for this to work:

  1. Outlook 2003 or newer (may work in previous versions, I have not tested it).
  2. A script that does something you want to happen (test it thoroughly and make sure it does only what you intend it to do before putting it into production).

You may also be able to do this with other email clients, but at work I use Outlook so I’ve only ever tried it in Outlook.

For demonstration purposes, I used a VBScript named “testScript.vbs” (I know, original right?) which only contains one line of code:

wscript.echo "WORKING!"

I use this script frequently for testing purposes, so it is what I had on hand, and is totally safe (it’s not going to burn your network down if you accidentally fire it off while setting this up).

Once you have that script (or your own test script) in place, we can get to the actual setup.

Setting up the rule in Outlook:

  1. Launch Outlook, and go to Tools>Rules and Alerts…
  2. In the E-mail Rules tab, select the New Rule… button.
  3. In the Rules Wizard, under the Start from a blank rule heading, select Check messages when they arrive, and click the Next > button.
  4. In the Select Condition(s) screen, place a check in the following boxes:
       • from people or distribution list
       • with specific words in the subject
       • sent only to me
       • with specific words in the body
  5. In the Edit the rule description box below, set people or distribution list to the email address you will be sending the activation email from (in my case I use my work email address when sending from my BlackBerry, and my gmail address when doing this from another computer). It is possible to add more than one email address here.
  6. In the Edit the rule description box below, set specific words in the subject to something that you know you will never use as a subject line unless sending an Activation Email for this script (I use something like this: SCRIPT-scriptname).
  7. In the Edit the rule description box below, set specific words in the body to an activation code (I use something like this: 1RS114523$%%#234). This is the “password” for launching the script, so make it something that is really hard to guess, and then store it in KeePass!
  8. Click the Next > button at the bottom of the window.
  9. In the Select action(s) box, select start application. I also check assign it to the category category box (that’s not a typo), and then assign it to the Remote Script Activation category which I created so that all Activation Emails that I send are easily identified.
  10. In the Edit the rule description box below, set start application to the script you want to run. By default the Select an Application to Execute window has the Files of type box set to .exe files only, to find a script, change this to All Files (*.*) using the drop down menu.
  11. Click the Next > button at the bottom of the window.
  12. Click the Next > button at the bottom of the window again (unless you want to set any exemptions to this rule).
  13. Name your new rule, and make sure that the Turn on this rule box is checked.
  14. A summary of this rule is displayed at the bottom of the window. If this is not correct, you can click the < Back button to make any changes. If everything looks good, click the Finish Button at the bottom of the window.

NOTE: This is a client side only rule, which means that Outlook must be running for the rule to work (leave Outlook open and just lock your workstation).

WARNING: There are many tools that make it possible to send email that looks like it came from an account that is not yours. This is why it is very important to use a really strong “password” when setting things like this up. The last thing you want is for someone to figure out what you are doing and then be able to execute scripts in the context of your user account.
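
Because this is a client-side rule, the script is started by the running Outlook process, so process-creation logging on the workstation shows the script host as a child of OUTLOOK.EXE. The following is an added example (not part of the original post) of that check; it assumes records with Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), and the sample events and paths are constructed.

```python
import ntpath

# Interpreters a mail client rarely has a legitimate reason to start.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")

# Constructed sample records using Sysmon Event ID 1 field names; all paths are made up.
OUTLOOK = r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"ParentImage": OUTLOOK, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\testScript.vbs"'},
    {"ParentImage": OUTLOOK, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://intranet.example/'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\testScript.vbs"'},
    {"ParentImage": OUTLOOK.lower(), "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Scripts\My Tools\clear-queue.bat"'},
]


def mentions_script(command_line):
    """True if any whitespace-separated token ends in a script extension."""
    tokens = command_line.replace('"', " ").split()
    return any(tok.lower().endswith(SCRIPT_EXTENSIONS) for tok in tokens)


def outlook_spawned_scripts(events):
    """Return process-creation events where OUTLOOK.EXE started a script or script host."""
    hits = []
    for ev in events:
        if ntpath.basename(ev.get("ParentImage", "")).lower() != "outlook.exe":
            continue  # not launched by the mail client
        child = ntpath.basename(ev.get("Image", "")).lower()
        if child in SCRIPT_HOSTS or mentions_script(ev.get("CommandLine", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in outlook_spawned_scripts(SAMPLE_EVENTS):
        print("ALERT: Outlook started", hit["CommandLine"])
```

A rule that starts a plain .exe directly matches neither check; alerting on every child of OUTLOOK.EXE that is not on an allowlist covers that case.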

Testing it out:

  1. Create a new email from the email address(es) that you entered in step 5 above.
  2. Make the subject line the text that you entered in step 6 above.
  3. In the body of the email you are sending enter the text that you specified in step 7 above.
  4. Send the email.

When Outlook receives this email, the script that you specified in step 10 above will launch. Go ahead and test it out, I’ll wait…

Holy shit!!! What can I use this awesome technique for?!?!?

Well the answer to that is pretty much only limited to your imagination (and what you can do with a script or executable file). I have about 200 of these rules set up (I use different “passwords” for each of them so I keep a list of them in my BlackBerry and on my desk at home) and here are some of the things I can do with them:

  • Reboot all servers.
  • Reboot an individual server (I have a rule for each one).
  • Reboot all workstations.
  • Reboot individual workstations (there are only a couple that give me issues).
  • Lock all workstations (all are Win XP; this one was really tricky to set up but it was necessary for a particular application).
  • Clear out the print queue on our print server (all printers).
  • Clear out the print queue on our print server for an individual printer (I have individual rules for each one).
  • Send an emergency message to all users’ desktops (in case I have to reboot servers, workstations, or lock workstations to fix something critical).
  • Change user password and lock workstation, for each user on the network (individual rules for each, in case of employee termination).
  • Change the Domain Admin accounts’ passwords (in case it is compromised while I am not in the office, this is just a safety thing).
  • Send email to users letting them know I am starting scheduled maintenance.
  • Stop (and start) services, or specific groups of services (like those used by our Infernal Accounting software grrrrr).

The possibilities are really fairly limitless if you can figure out how to do what you want with a combination of scripting and automation software (AutoIt, for example, is pretty useful for doing things that you can’t do with VBScript or batch scripts).

While it is possible to extend the usefulness of this technique to home application, it is primarily going to be of use to IT Professionals, managing large(r) networks. To take full advantage of this you’ll need to invest some time in learning to automate things with scripts.


2 Responses to Admin’s Arsenal: Launch a script with an email, from your cell phone.

  1. Karl L. Gechlik | AskTheAdmin.com says:

    Awesome post. I use this all the time with little old batch files much the same way you launch your vbs files. I just got into AutoIt so this might have pushed me in the right direction. I would love to see some of those scripts some day. Who do they run as? Do there need to be creds in the script?

  2. Just Joe says:

    Hey Karl, sorry it’s taken me so long to get back to you on this (busy at work lol). The scripts run in the context of the user that launches them, unless you set specific credentials in the script (I guess for batch files you could use a “helper” script to call runas). I’m working on getting some of those scripts converted to PowerShell, and will be releasing them when it’s done. You only need credentials in the script if you want to run the commands as a user other than yourself (you can set them to run as the local system account using task scheduler pretty easily though – or at least you could in XP, and Vista RTM). This was no small part of my decision to migrate everything to PowerShell. Since PowerShell is .NET based, you have easy access to secure credential storage. In VBScript I had to come up with some … interesting workarounds for that.
