Question

  Asked: Feb 21 2008   6:48 PM GMT
  Asked by: Cjm13


Desktop user appears to have logged in after hours but has no remote access


Spyware, Event Viewer

A user (xx) came in to work to find their logon screen displaying another user name (yy), which would indicate that yy had successfully logged on using that desktop. However, neither xx nor yy was present at 11:00pm when the logon took place (as listed in the Event Viewer log), as the office is closed. The log shows that msinstaller had successfully installed 'webfldrs xp' and the user was yy at that time. All other normal events on that desktop were shown to be either the system, n/a or the correct user for that desktop, xx. Are there other explanations for the Windows logon screen to display a different user than the last one to log on successfully? Both users are on the same network. Neither user knows how to use remote access. Can someone else log on remotely as a different user and leave the telltale sign of their user name in the logon window? Should I be looking for spyware or a virus? Thanks for any input.


Answer Wiki



It is possible for someone to have set the registry key which controls which user is displayed as the last one to log in, but it's not likely.

One of a few things has happened.

1. User yy is lying and did go into the office, or use remote access to access the other user's desktop.
2. Someone who was in the office at 11pm has user yy's password.
3. Someone has gotten user yy's password and broken into the network and used this other user's machine to access company resources.

I would start by having user yy change their password ASAP. If they aren't in the office, change it for them and have them change it again when they get in. Run a virus and spyware scan on all machines which user yy uses.


Discuss This Answer



Buddyfarr  |   Feb 21 2008  11:52PM GMT

I would not wait for the user to change the password. Change his password for him and mark it to change when he logs in. I would also do it to the account of the first person too. If this is a domain then check the server security logs. It will show who logged in and when. The user can easily change the registry to show who the last logged in user was.

 

Labnuke99  |   Feb 22 2008  9:13PM GMT

There could also be the possibility of running a script without interactively logging into the computer that could have done the installation using that user’s credentials if they have the rights to perform the installation. Just a thought.
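
Added example (not part of the original thread): one way to follow the two suggestions above is to pull successful logons for the account from the Security log and read the logon type, which separates a console logon from a network, scheduled-task or Remote Desktop logon. It assumes a Windows version that records successful logons as event 4624 (XP/2003-era systems record them as 528/540) and an elevated PowerShell session; the account name and time window are placeholders.

```powershell
# Added example: list successful logons for one account inside an after-hours window.
# $Account, $Start and $End are placeholders; set them to the account and window under review.
param(
    [string]$Account = 'yy',
    [datetime]$Start = (Get-Date).Date.AddDays(-1).AddHours(22),
    [datetime]$End   = (Get-Date).Date
)

# Logon type values recorded in event 4624.
$LogonTypes = @{
    2  = 'Interactive (at the console)'
    3  = 'Network (file share, remote call)'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (RunAs /netonly)'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Read fields by name from the event XML instead of relying on property positions.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ieq $Account) {
        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $type
            Meaning     = $LogonTypes[$type]
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A type 2 entry at 11:00pm means someone was at the keyboard; type 3, 4 or 10 with a source address points to a remote or scripted logon and shows which machine it came from.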