Who Dat asked:

Determine who is connecting to my PC

I'd like to find out who is connecting to my PC at work.  I'm an admin and there are a few others.  From time to time I notice odd files on my PC - I know I didn't place there.  There are other times my PC slows down tremendously and my monitor flickers for about 10 - 15 minutes, leading me to believe someone has connected to my PC through my VNC share.  My hard drives are shared w/admin rights; which must remain for virus updates and other updates, pushed through the servers.  I've downloaded Zone Alarm and that did show me some users attempting to connect to my computer, but then it wouldn't allow me to do some of my admin work.  For instance if I wanted to connect to one of the servers hard drives on alabama, I could no longer connect using the VNC share \\server\c$, it would just sit there.  But, once turning off Zone Alarm, I could connect.  Perhaps there's a setting I missed in that.

Anyone have some ideas?
SOLUTION
imnajam
This solution is only available to members.
Who Dat (ASKER)

I know that, but that's something I'd have to check constantly... I want to know at the exact time someone is looking in my files... the shares are shared by default - no way around it...

So, your answer isn't helpful... or doesn't provide me w/what I want.

Well, there is a registry fix that will permanently disable the administrative shares. If it's helpful for you, let me know and I'll post it.

And if you want to know on the spot when someone is trying to access your computer, then you need to play around with a firewall like Zone Alarm; proper configuration is a must in order to keep things working.
Who Dat (ASKER)

I can't permanently delete the admin shares.  I've reinstalled Zone Alarm and am playing around w/the configurations, and might have figured out how to set trusted sites when blocked from the alerts and logs section.  Only found that part today... So, it might be doing the trick.

There's no user manual for the free version; at least not that I can locate... so, not quite certain what to set and what not to set...
GeneralMandible

you could make a batch file that runs constantly in the background

set the following commands in a loop:

date /t >> share.log
time /t >> share.log
net sessions >> share.log

if you want to set an interval, you can use the ping command for the timer
ping 127.0.0.1 -n t > nul

t=the number of seconds up to 99
Who Dat (ASKER)

GeneralMandible,

Can you explain your suggestion in more detail?  I assume the net sessions refer to the admin shares? C$, D$, ADMIN$, IPC$, there's also a company BATCH share on D:\Batch; which contains subfolders w/logs that don't appear to contain any personal info.

I did notice in my Security Event Logs two days ago, Source = Security Category = Privileged Use User = MY BOSS'S Login Name! and Computer = my PC name.  I'm assuming he connected via my shares?  One ODD thing I've noticed since that day, is my Security logs are only for the current day.  All previous dates are gone.  My application and system logs date back months.  Security used to be the same way.

It basically gives you the same information in the posting by imnajam.

What this does is create a log of time-stamped entries.  You could probably set the interval to 60 (every minute) and have a fixed loop for an 8 hour day.  This would give you 480 entries in a day.  Then you could look back through the log to see who and at what time someone was connected.

Check the properties on your security log.  Make sure the size and retention methods are set correctly.
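
The timed loop described in the posts above, written out as a complete batch file. This is an added example, not code posted by any participant; the log path, the variable names and the extra `net file` call are assumptions, and it has to run under an account with administrator rights because `net session` requires them.

```batch
@echo off
rem Added example (not from the thread): sample inbound share sessions on a timer.
rem INTERVAL and SAMPLES follow the 60-second / 8-hour figures in the post above.
rem LOG is an assumed path: %~dp0 is the folder this script lives in, so the log
rem location does not depend on the working directory the script is started from.
setlocal
set "LOG=%~dp0share.log"
set "INTERVAL=60"
set "SAMPLES=480"
rem ping sends one echo per second, so N+1 echoes wait about N seconds.
set /a PINGS=INTERVAL+1

for /l %%i in (1,1,%SAMPLES%) do call :sample
exit /b 0

:sample
rem Remote clients show up in "net session" output as lines containing \\.
rem Without admin rights the command fails and this reports no sessions.
net session 2>nul | find "\\" >nul
if errorlevel 1 (
    rem Heartbeat line: proves the loop is still running when nobody is connected.
    >>"%LOG%" echo %DATE% %TIME% no remote sessions
) else (
    >>"%LOG%" echo %DATE% %TIME% REMOTE SESSION
    rem Computer, user name and idle time of each connected client.
    >>"%LOG%" net session
    rem Shared files those sessions currently have open.
    >>"%LOG%" net file
)
ping 127.0.0.1 -n %PINGS% >nul
exit /b 0
```

A gap in the heartbeat lines shows when the script stopped running or the log was altered, which a log containing only connection entries would not reveal.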
Who Dat (ASKER)

GeneralMandible:

I created the batch file you suggested, don't know where I should have put it in order for it to run continuously... Before leaving work, Zone Alarm showed a notice they had blocked access to my PC from another PC.  I looked up the PC name and it was the PC of another IT user - don't know why this particular person was attempting connection, it should have been the security admin.  Makes me rather curious now.  However,  I just Citrixed into my work PC from home to take a look at the share.log file and noticed it was last filled at 2:30PM, so I went to my Start Programs, b/c that's where I had placed it... IT'S GONE!

Also, when I log in, I'm receiving the message my Security log is too large.  I've cleared the log and checked it, but it did not show any users other than me... but it also didn't show my current connection or time.  So, it surely couldn't have just deleted itself now, could it?
Who Dat (ASKER)

GeneralMandible,

Any input on the above?

The hard part about this is they have admin access to your machine.  I think your best bet is to work with the firewall.  Create a set of rules that only allows traffic from the servers for your updates and from machines that you use for access.  You should be able to set rules based on MAC address.  If you have a good set of rules & they still get through, then that would narrow down as to what machine they are using for access (one of them in your rules).  You might try doing a dump of your traffic log every hour and then going through those.

As far as the Security log, I usually just leave mine to overwrite as needed, but set the size to at least 4 MB.  It shouldn't get full in a day.  Yet again, if they have admin access, they can do just about anything.
Who Dat (ASKER)

I recreated the batch file today and put it in the registry Run, set it to a time interval of 60, yet it only has the time I actually created the file and rebooted my PC.  Is that b/c nothing has occurred since that time?  Or is something not right?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Who Dat (ASKER)

Ok, I'll give a try on Tuesday...

mdmcq5, be noted that you will not be notified of anyone connecting to you with this script; however, you may check it later to find out when somebody connected to your PC in the past.
Who Dat (ASKER)

I do understand that, imnajam....
Who Dat (ASKER)

I wish there was a tool other than Zone Alarm that would alert you when someone is connecting to your PC; the program itself is such a pain to configure; especially for a PC connected to the network.

The script file is a cool trick, but it is identical to just checking the logs as imnajam stated.  I've increased the size to 4GB, and will just check them w/a reminder from time to time.

Thank you both for your input.