Tracking illicit computer use? XP Home

Old 18 November 2003, 09:36 AM
  #1  
Brendan Hughes
Scooby Regular
Thread Starter
 
Join Date: Oct 2000
Location: same time, different place
Posts: 11,313

I changed the password on someone else's user login on my PC, to stop them using it. I found out last night that they were using it while I was away without any password.

My first thoughts are that they got my (admin) password, deleted their own, and could thus get into their account. We've just moved house, and when he switched on while I wasn't there, apparently his password lock had mysteriously disappeared, freeing up his account, while two others were still there. Funny, that.

I'd like to examine previous use of the machine for each user, but am not sure how. Firstly I'm no security expert, and secondly the machine is at home without internet while I type this at work 10 miles away (on a non-XP machine), so please bear with me!

Last night I right-clicked on My Computer, got Manage, and looked at ?Event Log. When I look at the event log for my login, it shows a lot of activity at times when I know I wasn't there, and the event log on his login shows activity when he shouldn't have been using it. But it's not clear if it shows activity on each login, that proves it was being used, or if for instance I have Norton AV on the machine and, because the machine was being used by one user, Norton ran and therefore logged as an event on all users, ie it doesn't really prove anything about individual illicit user activity.

I see also there are Event Codes? Can I get a table of these which tell me which action was being taken? Is this a good idea?

Any other hints gratefully received, but pref. Windows-based, I'm useless with dos hacking.

Many thanks in advance

Brendan
Old 18 November 2003, 10:46 AM
  #2  
Jye
Scooby Regular
 
Join Date: Mar 1999
Location: Dumbartonshire
Posts: 5,896

--I changed the password on someone else's user login on my PC, to stop them using it. --

Why is 'someone else' using 'your' PC?
Old 18 November 2003, 11:24 AM
  #3  
Nimbus
Scooby Regular
 
Join Date: Jun 2000
Posts: 4,413

There are a number of key loggers and screen grabbers out there. Have you thought about trying those?
Old 18 November 2003, 12:08 PM
  #4  
Hanley
Scooby Regular
 
Join Date: May 2002
Location: Liverpool
Posts: 3,229

Try 007 Starr Commander!!!!
Old 18 November 2003, 12:56 PM
  #5  
Brendan Hughes
Scooby Regular
Thread Starter
 
Join Date: Oct 2000
Location: same time, different place
Posts: 11,313

Seriously, please.

Jye, I don't like to say it as it sounds like I'm being a killjoy parent, but it's my PC and it's my teenage son who has been logged off it for various disciplinary reasons (my wife has the other user ID). Sorry if this caginess resulted in confusion.

I've pretty much accused him last night of doing this, which he denies emphatically, so I told him that I would try to find out the truth today and either fully apologise or punish him this evening.

Keystroke monitors etc pointless as this is in the past.

Am I right to look at the Event log, and if so, how do I interpret it more clearly?

Thanks again

Brendan
Old 18 November 2003, 01:14 PM
  #6  
barrybudden
Scooby Regular
 
Join Date: Oct 2002
Location: N.Ireland
Posts: 742

Open the event log and go to the security log. If you have been auditing logon/off then you will have these events to look at. You have to turn auditing on in the local security policy to be able to have something to look at. Click View and Filter, then you will be able to enter search criteria to search for specific events, dates, privilege use etc.

Change your password for something hard to guess, upper and lower characters alpha numeric etc.
Old 18 November 2003, 01:21 PM
  #7  
Jye
Scooby Regular
 
Join Date: Mar 1999
Location: Dumbartonshire
Posts: 5,896

--Jye, I don't like to say it as it sounds like I'm being a killjoy parent, but it's my PC and it's my teenage son who has been logged off it for various disciplinary reasons (my wife has the other user ID). Sorry if this caginess resulted in confusion.--

NP, sounds very reasonable m8. I think the answer above should tell you all you need to know.

Old 18 November 2003, 02:07 PM
  #8  
Brendan Hughes
Scooby Regular
Thread Starter
 
Join Date: Oct 2000
Location: same time, different place
Posts: 11,313

Thanks for that. I can't question much more as I don't have the PC here, but do I get the impression that I should have clearly switched on some sort of monitor/audit process, in order to have records to look at? Because I didn't. I can only look at what was there already. There seem to be plenty of events logged, I just can't make much sense of them. Frankly, definitive proof of my login being used while I'm at work is almost good enough, though a clear activity trail would be interesting.

My password is very simple and he knows it, it's just to stop casual abuse. His mate is a computer whizz and has already offered a program to hack my password - my son wisely refused as he knew it would get him into a whole load more trouble if I found out.

Aside from the enquiries above, I'll probably be back tomorrow with more questions...

Cheers

Brendan
Old 18 November 2003, 03:41 PM
  #9  
Jza
Scooby Regular
 
Join Date: Feb 2001
Posts: 2,959

If it's XP Pro he could have set up a user account that you can't see

start/Administrative tools/computer management/local users and groups/users

Look in there - it stores all the logins but you don't necessarily see them in Users in control panel.

Change Admin password and remove anything "dodgy" sounding.

Might want to reset "guest" password as well

Jza
Old 18 November 2003, 04:15 PM
  #10  
Brendan Hughes
Scooby Regular
Thread Starter
 
Join Date: Oct 2000
Location: same time, different place
Posts: 11,313

Jza - thanks, but waaaaay too advanced for him (and it's home, not pro)... Mum walked past and saw his CounterStrike wallpaper, so nothing so complicated.

It's a real shame, as I was about to lift the ban, he's just about complied (minimum humanly possible) with what I asked him to do.
Old 19 November 2003, 10:54 AM
  #11  
swaussie
Scooby Regular
 
Join Date: Jun 2002
Location: Switzerland
Posts: 643

Do you leave it running whilst you're at work? If you look in the event log it will also have start up and shut down times. Not very conclusive as he could just have turned it on, but my guess would be that if this happened then it's for a reason.
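
Added example (not part of any post in this thread): a way to read the logon/logoff and start-up/shut-down events that posts #6 and #11 point to, once the Security and System logs have been saved from Event Viewer as comma-delimited text. The column layout, account names and sample rows are constructed assumptions; 528, 529 and 538 are the XP-era Security log IDs for logon, failed logon and logoff (present only if logon auditing was on), and 6005/6006 are the Event Log service start/stop records in the System log.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample rows (not from the thread). Assumed column layout:
# Date,Time,Source,Type,Category,Event,User
SAMPLE = """\
17/11/2003,08:05:10,EventLog,Information,None,6005,N/A
17/11/2003,08:06:02,Security,Success Audit,Logon/Logoff,528,HOMEPC\\Dad
17/11/2003,08:40:31,Security,Success Audit,Logon/Logoff,538,HOMEPC\\Dad
17/11/2003,13:12:44,EventLog,Information,None,6005,N/A
17/11/2003,13:13:20,Security,Failure Audit,Logon/Logoff,529,SYSTEM
17/11/2003,13:13:41,Security,Success Audit,Logon/Logoff,528,HOMEPC\\Son
17/11/2003,15:02:09,Security,Success Audit,Logon/Logoff,538,HOMEPC\\Son
17/11/2003,15:03:00,EventLog,Information,None,6006,N/A
"""

EVENT_NAMES = {
    528: "logon",
    529: "failed logon",
    538: "logoff",
    6005: "event log service started (boot)",
    6006: "event log service stopped (shutdown)",
}

def parse(text):
    """Return (timestamp, event_id, user) tuples in time order."""
    rows = []
    for d, t, _source, _type, _cat, event, user in csv.reader(io.StringIO(text)):
        when = datetime.strptime(f"{d} {t}", "%d/%m/%Y %H:%M:%S")
        rows.append((when, int(event), user))
    return sorted(rows)

def sessions(rows):
    """Pair each 528 logon with the next 538 logoff for the same account."""
    open_at, out = {}, []
    for when, event, user in rows:
        if event == 528:
            open_at.setdefault(user, when)
        elif event == 538 and user in open_at:
            out.append((user, open_at.pop(user), when))
    return out

def in_window(rows, start=time(9, 0), end=time(17, 30)):
    """Events recorded during hours when the machine should have been idle."""
    return [(w, EVENT_NAMES.get(e, str(e)), u)
            for w, e, u in rows if start <= w.time() <= end]
```

Start-up and shut-down records show only that the machine was powered on; the per-account 528/538 pairs are what tie activity to a particular login.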
Old 19 November 2003, 10:21 PM
  #12  
M J B
Scooby Regular
 
Join Date: Feb 2003
Posts: 494

Click Start
then Run
And type "control userpasswords2"
May give you some more info on user accounts. Just an idea...
Old 20 November 2003, 10:19 AM
  #13  
ptholt
Scooby Regular
 
Join Date: Dec 1999
Posts: 3,846

another vote for 007 here, it really is VERY good and completely and utterly invisible if you install it correctly.

It will record EVERY button pressed from xp logon onwards and take screenshots at whatever interval you choose, will even email you the html log file at regular intervals totally behind the scenes, not listed in task manager etc.

Old 20 November 2003, 10:52 AM
  #14  
Jye
Scooby Regular
 
Join Date: Mar 1999
Location: Dumbartonshire
Posts: 5,896

So where can you get this 007? I was searching for it on Google at work and it brings up loads of **** and warez sites, not nice
Old 20 November 2003, 01:10 PM
  #15  
Jye
Scooby Regular
 
Join Date: Mar 1999
Location: Dumbartonshire
Posts: 5,896

btt
Old 20 November 2003, 01:15 PM
  #16  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,855

http://www.e-spy-software.com/contact.htm
Old 20 November 2003, 01:29 PM
  #17  
Jye
Scooby Regular
 
Join Date: Mar 1999
Location: Dumbartonshire
Posts: 5,896

Cheers Jack
Old 20 November 2003, 02:12 PM
  #18  
Hanley
Scooby Regular
 
Join Date: May 2002
Location: Liverpool
Posts: 3,229

Look here http://www.iopus.com/


Old 20 November 2003, 07:25 PM
  #19  
velohead66
Scooby Regular
 
Join Date: Oct 2002
Location: ex UK [SE], now Sunshine State [QLD,AUS]
Posts: 565

Just two questions:

1) Is your son a CounterStrike Junkie, then?

2) 007
How can you see if this is installed?
What is the .exe file called?
All times are GMT +1. The time now is 09:32 AM.