In Control with Gencontrol
Here's a nifty little tool for remotely monitoring and controlling user desktops.
At my last company, I used Gencontrol pretty extensively for remotely monitoring and troubleshooting user desktops. At my new job, I tried to use Gencontrol and my connections keep timing out. The client systems are Windows XP SP2. I’m assuming that the Windows XP firewall is blocking the Gencontrol connection. Is this correct? If so, how can I fix it?
Wayne, excellent choice with Gencontrol. Gencontrol is based on the open source Virtual Network Computing (VNC) viewer and server products. With Gencontrol, you can run a single executable and either remotely control or monitor another system's desktop within your domain. When executed, Gencontrol remotely installs a VNC server application on the target system. The remote install involves creating a folder named "VNCTEMP" on the target system's C drive, which includes two files: VNCHooks.dll and WinVNC.exe. After the files are copied, Gencontrol remotely launches the WinVNC.exe server application on the target system. Finally, it automatically opens a VNC client session between your system and the target. This allows you to remotely control another user's desktop. Some of my friends use this tool exclusively for remotely monitoring the desktops of users who continually look for ways to bypass their security restrictions.
In order to use Gencontrol, you will need local administrative rights on the target system you wish to control. So if you're a domain admin, you're good to go. Since Gencontrol attempts to remotely copy files to the target system, the Windows XP firewall will need to allow File and Print Sharing. Also, once the VNC server starts on the target system, the XP firewall will need to allow connections on port 5900. So with a few tweaks to the XP firewall, you'll be able to use Gencontrol just like you did at your previous company.
While the required changes can be configured locally, I recommend implementing the firewall changes using a Group Policy Object, as long as you're in a Windows Server 2003 SP1 domain.
Here are the steps to edit a Group Policy Object to configure the Windows firewall to allow connections from Gencontrol:
- In the Group Policy Object Editor, navigate to the Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile object.
- Now double-click on the "Windows Firewall: Allow File and Print Sharing Exception" object.
- When the configuration dialog box appears, click the Enabled radio button. You should then identify the host IPs or subnet IDs that are allowed to connect. For example, if you want to only allow connections from your admin network segment which uses a network ID of 172.16.1.0/24, you'd enter 172.16.1.0/24 in the "Allow unsolicited incoming messages from" field. Once you've identified the hosts or subnets allowed to connect, click OK.
- Next, double-click on the "Windows Firewall: Define port exception Properties" object.
- In the configuration dialog, click the Enabled radio button. Then click the Show button.
- In the Show Contents dialog box, click the Add button. In the Add Item dialog box, enter "5900:TCP:172.16.1.0/24:enabled:gencontrol" and then click OK. You'll need to replace my 172.16.1.0/24 reference with your subnet ID or specific IP address in the statement. Now in the Show Contents dialog box, click OK. Click OK to close the "Windows Firewall: Define Port Exceptions Properties" dialog box.
- Double-click on the "Windows Firewall: Allow local port exceptions" object. In the configuration dialog box, click Enabled and then click OK.
- Close the Group Policy Object Editor.
At this point, the Windows firewall will now allow the operation of Gencontrol. Your specific AD structure should dictate exactly which GPO needs to be modified. If you have a particular OU for the workstations that you manage, then the GPO could be linked to that OU.
One other consideration with Gencontrol is that if you connect to a system and the Gencontrol application is unable to remove the VNCTEMP folder, you will need to manually delete the folder before you can reconnect. You can do this by navigating to the UNC path \\TargetComputer\C$ and then deleting the VNCTEMP folder. This problem is often caused by a user shutting down a system while you're still connected.
Good luck on the new job, Wayne. I hope this makes your transition a little easier.
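
The port-exception string entered in the Group Policy steps above has the form port:protocol:scope:status:name. As an added example that is not part of the original column, this Python sketch parses such entries and flags any whose scope reaches beyond the admin segment; the `ADMIN_NETS` value, the function names and the sample entries are assumptions made for illustration, and only IPv4 scopes are handled.

```python
import ipaddress

# Assumption: the admin segment used in the column's example.
ADMIN_NETS = [ipaddress.ip_network("172.16.1.0/24")]

def parse_exception(entry):
    """Split 'port:protocol:scope:status:name' and validate the fixed fields."""
    parts = [p.strip() for p in entry.split(":", 4)]
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port, proto, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port: {port!r}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad protocol: {proto!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status: {status!r}")
    return {"port": int(port), "protocol": proto.upper(), "scope": scope,
            "enabled": status.lower() == "enabled", "name": name}

def audit(entry, allowed=ADMIN_NETS):
    """Return findings for one entry; an empty list means the scope is acceptable."""
    rule = parse_exception(entry)
    if not rule["enabled"]:
        return []  # a disabled entry opens nothing
    findings = []
    for item in (s.strip() for s in rule["scope"].split(",")):
        if item == "*":
            findings.append("scope '*' admits any source address")
        elif item.lower() == "localsubnet":
            findings.append("scope 'localsubnet' admits every host on the client's own subnet")
        else:
            net = ipaddress.ip_network(item, strict=False)  # bare IP becomes /32
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{net} is outside the allowed admin networks")
    return findings

# Constructed sample entries; only the first is the string from the column.
SAMPLES = [
    "5900:TCP:172.16.1.0/24:enabled:gencontrol",
    "5900:TCP:*:enabled:gencontrol",
    "5900:TCP:172.16.1.10,10.0.0.0/8:enabled:gencontrol",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit(s) or "ok")
```
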