Quick Assist was introduced in the 2016 Anniversary edition and is an upgrade to the Windows Remote Assistant utility that allows you to connect to another Windows 10 computer over the internet.
For remote support this is great, but it also enables "Remote Tech Support" scams without the malicious party needing to trick or persuade the victim into downloading and installing a Remote Administration Tool (RAT).
The other problem is that it gives attackers a possible way into corporate networks: the same scam can be run against remote workers, whose machines can then be used to pivot into the company via a VPN.
Below is an example of the Quick Assist tool in action. As you can see, it allows the attacker to click the UAC pop-up, enabling admin rights.
Attacker: Work Group Computer
Victim: Domain Joined Computer
Both VMs are on different networks
According to Wikipedia, the following connections are required:
URL | Mandatory |
---|---|
channelwebsdks.azureedge.net | yes |
web.vortex.data.microsoft.com | unknown |
gateway.channelservices.microsoft.com | unknown |
remoteassistance.support.services.microsoft.com | yes |
relay.support.services.microsoft.com | unknown |
`*.lync.com` | unknown |
Whilst testing, both machines connected to the following domains:
api.support.microsoft.com
assets.onestore.ms
browser.pipe.aria.microsoft.com
channelwebsdks.azureedge.net
latest-swx.cdn.skype.com
noammeetings.resources.lync.com
rdprelaynortheuropeprod-1.support.services.microsoft.com
relay.support.services.microsoft.com
remoteassistance.support.services.microsoft.com
skypeconfiga.support.services.microsoft.com
webpoolbl20r04.infra.lync.com
web.vortex.data.microsoft.com
The executable can be found at C:\Windows\System32\quickassist.exe
Removing Quick Assist
Quick Assist can be removed via the DISM command:
PS C:\Windows\system32> dism /online /Get-Capabilities | findstr /i "assist"
Capability Identity : App.Support.QuickAssist~~~~0.0.1.0
PS C:\Windows\system32> dism /online /Remove-Capability /CapabilityName:App.Support.QuickAssist~~~~0.0.1.0
Deployment Image Servicing and Management tool
Version: 10.0.19041.572
Image Version: 10.0.19041.572
[==========================100.0%==========================]
The operation completed successfully.
Or using PowerShell (a reboot may be required):
Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0
Group Policy
The Group Policy settings below only affect Remote Assistance and not Quick Assist.
From some Googling, it still appears there is no way to control Quick Assist from GPO, but using GPO you could block it completely by using AppLocker, by using Windows Firewall to block the EXE, or by removing the EXE with a login script.
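The removal and firewall-block options above can be combined into one script that could be run locally or pushed as a startup script. This is an added example, not code from the original post; the firewall rule name is a hypothetical label, while the executable path and capability name prefix are the ones shown above.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a host for Quick Assist and block it with Windows Firewall.
$ExePath  = Join-Path $env:SystemRoot 'System32\quickassist.exe'   # path from the post
$CapName  = 'App.Support.QuickAssist*'                             # capability prefix from the post
$RuleName = 'Block Quick Assist (outbound)'                        # hypothetical rule name

function Get-QuickAssistStatus {
    # Report whether the capability, the EXE and an enabled block rule are present.
    $cap  = Get-WindowsCapability -Online | Where-Object { $_.Name -like $CapName }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        CapabilityName  = $cap.Name
        CapabilityState = $cap.State
        ExePresent      = Test-Path -LiteralPath $ExePath
        FirewallBlocked = [bool]$rule
    }
}

function Block-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also uninstall the Windows capability (a reboot may be required).
        [switch]$RemoveCapability
    )
    # Add the outbound block rule only once, so repeated runs stay idempotent.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($ExePath, 'Add outbound firewall block rule')) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
                -Program $ExePath -Action Block -Profile Any | Out-Null
        }
    }
    if ($RemoveCapability) {
        Get-WindowsCapability -Online |
            Where-Object { $_.Name -like $CapName -and $_.State -eq 'Installed' } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.Name, 'Remove Windows capability')) {
                    Remove-WindowsCapability -Online -Name $_.Name | Out-Null
                }
            }
    }
    Get-QuickAssistStatus
}

# Dry run: shows what would change without touching the system.
Block-QuickAssist -RemoveCapability -WhatIf
```

Drop `-WhatIf` to apply the changes; the returned object can be collected centrally to confirm which machines still have Quick Assist available.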
Remote Support
If a remote support solution is required, then something like LogMeIn, BeyondTrust or Dameware should be used, where you can restrict and log access. There should also be a policy in place and a well-known procedure for initiating connections, so that users are able to confirm it is their IT team and not a malicious attacker trying to connect.