Desktop user appears to have logged in after hours but has no remote access

Tags:
Event Viewer
Spyware
A user (xx) came in to work to find their logon screen displaying another user name (yy) which would indicate that yy had successfully logged on using that desktop. However, neither xx nor yy were present at 11:00pm when the logon took place (as listed in the event viewer log), as the office is closed. The log shows that msinstaller had successfully installed 'webfldrs xp' and the user was yy at that time. All other normal events on that desktop were shown to be either the system, n/a or the correct user for that desktop, xx. Are there other explanations for the windows logon screen to display a different user than the last one to logon successfully? Both users are on the same network. Neither user knows how to use remote access. Can someone else log on remotely as a different user and leave the telltale sign of their user name in the logon window? Should I be looking for spyware or a virus? Thanks for any input.

Answer Wiki


It is possible for someone to have set the registry key which controls which user is displayed as the last one to log in, but it’s not likely.

One of a few things has happened.

1. User yy is lying and did go into the office, or used remote access to access the other user’s desktop.
2. Someone who was in the office at 11pm has user yy’s password.
3. Someone has gotten user yy’s password and broken into the network and used this other user’s machine to access company resources.

I would start by having user yy change their password asap. If they aren’t in the office, change it for them and have them change it again when they get in. Run a virus and spyware scan on all machines which user yy uses.

Discuss This Question: 3  Replies

  • Buddyfarr
    I would not wait for the user to change the password. Change his password for him and mark it to change when he logs in. I would also do it to the account of the first person too. If this is a domain then check the server security logs. It will show who logged in and when. The user can easily change the registry to show who the last logged in user was.
  • Labnuke99
    There could also be the possibility of running a script without interactively logging into the computer that could have done the installation using that user's credentials if they have the rights to perform the installation. Just a thought.
  • Markempee
    I think that there might be a problem with your Operating System. This usually happens when there is a corrupted file which is related to the function of logging in another user account.
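
The replies above about checking the security logs, and about a script running under yy's credentials without an interactive logon, both come down to the logon type recorded with each successful logon event. The PowerShell below is an added example, not part of the original thread, that lists one account's logons in a time window and shows how each one was made. It assumes Windows Vista / Server 2008 or later with logon auditing enabled (event ID 4624; XP and Server 2003 record the same data as event IDs 528 and 540), and the dates are constructed placeholders.

```powershell
# Added example: list successful logons for one account in a time window and
# show HOW each logon was made (console, RDP, network, scheduled task, service).
# Run from an elevated session; reading the Security log requires admin rights.
param(
    [string]   $Account  = 'yy',                  # account name used in the question
    [datetime] $Start    = '2024-01-15 22:00',    # constructed window around 11:00pm
    [datetime] $End      = '2024-01-16 00:30',    # constructed
    [string]   $Computer = $env:COMPUTERNAME      # the desktop, or a domain controller
)

# Logon type codes stored in the LogonType field of event 4624
$LogonTypes = @{
    2  = 'Interactive (at the console)'
    3  = 'Network (share, remote admin)'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }

Get-WinEvent -ComputerName $Computer -FilterHashtable $filter |
    ForEach-Object {
        # Turn the event's named <Data> fields into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -ne $Account) { return }   # -ne ignores case

        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = if ($LogonTypes.ContainsKey($type)) { $LogonTypes[$type] } else { "Type $type" }
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Process     = $data['ProcessName']
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A type 2 entry for yy at 11:00pm means someone typed the password at that keyboard; type 10 or type 3 with a source address points to another machine on the network, and type 4 or 5 fits a task or service running under yy's credentials.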
