Unauthorized internal accesses to my PC

Posted on 2006-04-07
Last Modified: 2013-12-04
Dear *,

At my workplace I'm working within a LAN (behind a firewall). It seems to me that someone internal (but not authorized) has violated my PC, entering with the admin password (stolen somewhere...). I do not know this password since I'm not the administrator; normally I log in with other user privileges.

I'd like to know a method to prove this violation, to reveal past accesses to my machine (logs), possibly only using the command line (I cannot easily install new security detection programs on my PC).

Once I get the IPs that accessed my machine, how can I resolve the names of those machines (i.e. how can I identify the username corresponding to that IP within our LAN)?
I've just tried to deal with the 'netstat' command, but I'd like more suggestions from you.

Sorry for these very easy questions, but I'm quite new to security issues...

My PC is running WinXP, while the machine that maybe accessed mine could run either Win or Linux (I don't know).

Moreover, could you please suggest an easy daily method to check for unauthorized external accesses to my PC?

Thanks a lot and Best Regards,
Question by: new_irene

    Expert Comment

    If you don't have administrative rights yourself, you can't prove anything... You'd have to get your IT department to monitor remote accesses to your PC for you.

    Author Comment

    Hi rindi and thanks for answering,

    I've asked for administrative rights and I have them now (simply, I should not know the admin password; they allow me to log in as administrator).
    So what could I do with admin rights?

    Expert Comment

    If you are running XP Pro (this doesn't work on Home), start mmc from the Run command, then in the tool that opens up select "File", "Add/Remove Snap-in". Now in the next window click on "Add", then select "Group Policy Object Editor". Again select "Add", then use "Local Computer" and "Finish".

    Click on "Close", then on "OK". Now in the resulting window select this new object and click yourself through to Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy. In here you can now set how your event logs should log events: just double-click the object you want to change the logs for and select what events it should log, like for "Audit Logon Events", then check "Success" and "Failure". Any logon attempts should now be viewable in the Event Viewer. Inside the Event Viewer set the event logs to rotate in such a way that logs are kept for, let's say, two or three days. This will ensure that no one can delete the logs without you noticing (you can only delete the complete log, not individual events, so you should have your successful logins in there). If your last logins aren't there, someone was in your system and deleted the logs. Otherwise you should now also see someone else's logon attempts.

    You can also download and try Ethereal, a network analyzer which might help you monitor network access to your PC, but it isn't simple to use; make sure you read the instructions.


    Author Comment

    Thanks rindi for your suggestions.
    Could you also explain to me why in the Event Viewer I see all the events for the 'Application' and 'System' categories (I mean, they go back years..), while in the 'Security' category I can only see events of today and of one day in 2004...

    Moreover... if the 'thief' regularly logs in on my account as administrator, the only way to prove it was not me is the computer name, isn't it?

    Thanks and Best Regards,

    Accepted Solution

    If you right-click and select "Properties" on the Security event log (and also the other sections) you can set how the logs should be kept. These settings are probably different for the different sections. Possible selections are "Overwrite events as needed", "Overwrite events older than (number of) days" and "Do not overwrite events". The last option will eventually fill up your computer if you don't regularly clear the logs yourself; I never use that option.

    You can make records of the times when you are logging in and off again. If you can see different successful logon times, there's a "thief" accessing your PC. Or if the Security log is empty, and you set it to overwrite events every 7 days, and even your successful logons from less than 7 days ago don't show, a thief probably was in the system and cleared the log after exiting.
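The two checks the accepted answer describes (compare the Security log's successful logons against the times you wrote down yourself, and treat a log that is missing your own recent logon, or that contains an explicit "audit log cleared" event, as tampered with) can be run over exported log records. The script below is an added example, not code from the thread or from Windows; it assumes the XP-era Security event IDs 528/540 (successful logon) and 517 (audit log cleared), a simplified record layout, and constructed sample events and session notes, with the host name IRENE-PC and the remote workstation LAB-03 invented for the demonstration.

```python
from datetime import datetime, timedelta

# Event IDs used by the Windows XP Security log (pre-Vista numbering).
LOGON_SUCCESS = {528, 540}   # 528 = interactive logon, 540 = network logon
AUDIT_LOG_CLEARED = 517      # written when someone clears the Security log

# Constructed sample records: (timestamp, event id, account, workstation name).
SAMPLE_EVENTS = [
    (datetime(2006, 4, 6, 8, 58), 528, "Administrator", "IRENE-PC"),
    (datetime(2006, 4, 6, 13, 12), 540, "Administrator", "LAB-03"),    # from another host
    (datetime(2006, 4, 6, 22, 41), 528, "Administrator", "IRENE-PC"),  # outside own session
    (datetime(2006, 4, 7, 9, 2), 528, "Administrator", "IRENE-PC"),
]

# Sessions the owner wrote down herself (constructed), as the accepted answer suggests.
MY_SESSIONS = [
    (datetime(2006, 4, 6, 8, 50), datetime(2006, 4, 6, 18, 0)),
    (datetime(2006, 4, 7, 8, 55), datetime(2006, 4, 7, 17, 30)),
]

def unexpected_logons(events, own_sessions, own_host, account="Administrator"):
    """Successful logons to `account` that fall outside the owner's recorded
    sessions or that name a workstation other than the owner's own."""
    suspicious = []
    for ts, eid, user, host in events:
        if eid not in LOGON_SUCCESS or user != account:
            continue
        in_session = any(start <= ts <= end for start, end in own_sessions)
        if not in_session or host != own_host:
            suspicious.append((ts, eid, host))
    return suspicious

def log_cleared(events, last_own_logon, retention_days, now):
    """True if the log carries an explicit clear event (517), or if the owner's
    own recent logon is missing even though retention should still hold it."""
    if any(eid == AUDIT_LOG_CLEARED for _, eid, _, _ in events):
        return True
    if now - last_own_logon > timedelta(days=retention_days):
        return False  # an entry this old may simply have rotated out
    return not any(ts == last_own_logon and eid in LOGON_SUCCESS
                   for ts, eid, _, _ in events)

if __name__ == "__main__":
    for ts, eid, host in unexpected_logons(SAMPLE_EVENTS, MY_SESSIONS, "IRENE-PC"):
        print(f"{ts:%Y-%m-%d %H:%M} event {eid} from {host}")
    now = SAMPLE_EVENTS[-1][0]
    print("log cleared:", log_cleared(SAMPLE_EVENTS, now, 7, now))
```

The workstation-name field is what answers the follow-up question: a logon to the Administrator account from a host other than your own is evidence that it was not you at your keyboard.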
