Solved

Determine who is connecting to my PC

Posted on 2006-05-25
Last Modified: 2013-12-04
I'd like to find out who is connecting to my PC at work.  I'm an admin and there are a few others.  From time to time I notice odd files on my PC that I know I didn't place there.  There are other times my PC slows down tremendously and my monitor flickers for about 10 - 15 minutes, leading me to believe someone has connected to my PC through my VNC share.  My hard drives are shared w/admin rights, which must remain for virus updates and other updates pushed through the servers.  I've downloaded Zone Alarm and that did show me some users attempting to connect to my computer, but then it wouldn't allow me to do some of my admin work.  For instance, if I wanted to connect to one of the servers' hard drives on alabama, I could no longer connect using the VNC share \\server\c$; it would just sit there.  But once I turned off Zone Alarm, I could connect.  Perhaps there's a setting I missed in that.

Anyone have some ideas?
0
Question by:mdmcq5
16 Comments
 
LVL 9

Assisted Solution

by:imnajam
imnajam earned 375 total points
ID: 16760357
Hi mdmcq5,

You can monitor and know how many people are connected to your computer with the following steps:
1- Click on Start, then Run
2- Type "compmgmt.msc"
3- Expand Shared Folders
4- Click on Sessions or Open Files to find the current sessions and opened files


Cheers!
0
 

Author Comment

by:mdmcq5
ID: 16760613
I know that, but that's something I'd have to check constantly... I want to know, at the exact time, when someone is looking in my files... The shares are shared by default - no way around it...

So, your answer isn't helpful... or doesn't provide me w/what I want.
0
 
LVL 9

Expert Comment

by:imnajam
ID: 16762513
Well, there is a registry fix that will permanently disable the administrative shares. If it's helpful for you, let me know and I'll post it.

And if you want to know on the spot when someone is trying to access your computer, then you need to play around with a firewall like Zone Alarm; proper configuration is a must in order to keep things working.
0
 

Author Comment

by:mdmcq5
ID: 16762906
I can't permanently delete the admin shares.  I've reinstalled Zone Alarm and am playing around w/the configurations, and might have figured out how to set trusted sites when blocked from the alerts and logs section.  Only found that part today... So, it might be doing the trick.

There's no user manual for the free version; at least not that I can locate... so, not quite certain what to set and what not to set...
0
 
LVL 3

Expert Comment

by:GeneralMandible
ID: 16763064
you could make a batch file that runs constantly in the background

set the following commands in a loop:

date /t >> share.log
time /t >> share.log
net sessions >> share.log

if you want to set an interval, you can use the ping command for the timer
ping 127.0.0.1 -n t > nul

t=the number of seconds up to 99
0
 

Author Comment

by:mdmcq5
ID: 16763158
GeneralMandible,

Can you explain your suggestion in more detail?  I assume the net sessions refer to the admin shares? C$, D$, ADMIN$, IPC$, there's also a company BATCH share on D:\Batch; which contains subfolders w/logs that don't appear to contain any personal info.

I did notice in my Security Event Logs two days ago, Source = Security Category = Privileged Use User = MY BOSS'S Login Name! and Computer = my PC name.  I'm assuming he connected via my shares?  One ODD thing I've noticed since that day, is my Security logs are only for the current day.  All previous dates are gone.  My application and system logs date back months.  Security used to be the same way.
0
 
LVL 3

Expert Comment

by:GeneralMandible
ID: 16763391
It basically gives you the same information in the posting by imnajam.

What this does is create a log of time-stamped entries.  You could probably set the interval to 60 (every minute) and have a fixed loop for an 8 hour day.  This would give you 480 entries in a day.  Then you could look back through the log to see who and at what time someone was connected.

Check the properties on your security log.  Make sure the size and retention methods are set correctly.
0
 

Author Comment

by:mdmcq5
ID: 16764879
GeneralMandible:

I created the batch file you suggested, but don't know where I should have put it in order for it to run continuously... Before leaving work, Zone Alarm showed a notice that it had blocked access to my PC from another PC.  I looked up the PC name and it was the PC of another IT user - don't know why this particular person was attempting connection, it should have been the security admin.  Makes me rather curious now.  However, I just Citrixed into my work PC from home to take a look at the share.log file and noticed it was last filled at 2:30PM, so I went to my Start Programs, b/c that's where I had placed it... IT'S GONE!

Also, when I log in, I'm receiving the message that my Security log is too large.  I've cleared the log and checked it, but it did not show any users other than me... but it also didn't show my current connection or time.  So, it surely couldn't have just deleted itself now, could it?
0
 

Author Comment

by:mdmcq5
ID: 16769862
GeneralMandible,

Any input on the above?
0
 
LVL 3

Expert Comment

by:GeneralMandible
ID: 16770313
The hard part about this is they have admin access to your machine.  I think your best bet is to work with the firewall.  Create a set of rules that only allows traffic from the servers for your updates and from machines that you use for access.  You should be able to set rules based on MAC address.  If you have a good set of rules & they still get through, then that would narrow down as to what machine they are using for access (one of them in your rules).  You might try doing a dump of your traffic log every hour and then going through those.

As far as the Security log, I usually just leave mine to overwrite as needed, but set the size to at least 4 MB.  It shouldn't get full in a day.  Yet again, if they have admin access, they can do just about anything.
0
 

Author Comment

by:mdmcq5
ID: 16771683
I recreated the batch file today and put it in the registry Run, set it to a time interval of 60, yet it only has the time I actually created the file and rebooted my PC.  Is that b/c nothing has occurred since that time?  Or is something not right?
0
 
LVL 3

Accepted Solution

by:GeneralMandible
GeneralMandible earned 375 total points
ID: 16772618
Here is a sample of a batch file with a folder called Share for the log file.  Make sure you move or rename the log file each day or it will just keep appending it.

@echo off
title Connection Logger

echo This will log connections for 8 hours
echo.
echo Press CTRL + C to cancel

set COUNT=0

:loop
set /A COUNT=COUNT+1
date /t >> c:\share\share.log
time /t >> c:\share\share.log
net sessions >> c:\share\share.log

ping 127.0.0.1 -n 60 > nul
REM COUNT is in minutes
if %COUNT%==480 goto finish
goto loop

:finish
echo ****************************************************************** >> c:\share\share.log
echo END OF FILE >> c:\share\share.log
0
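Added example, not part of the original answer: a Python parser that turns the share.log written by the batch file above into per-client connection intervals, so the log can be reviewed without reading every one-minute entry. It assumes US-locale `date /t` and `time /t` output and the English-language `net sessions` column layout; `row`, `snapshots`, `intervals` and the sample data are hypothetical names and constructed values.

```python
import re
from datetime import datetime

def row(comp, user, client, opens, idle):
    return f"{comp:<23}{user:<21}{client:<18}{opens:>5} {idle}"  # column widths assumed

HDR = row("Computer", "User name", "Client Type", "Opens", "Idle time")
A = row(r"\\10.0.0.23", "jdoe", "Windows 2002 Serv", 2, "00:00:05")
B = row(r"\\10.0.0.40", "", "Windows 2002 Serv", 0, "00:00:40")  # session with no user name
EMPTY = "There are no entries in the list."
# Constructed sample of c:\share\share.log: four passes of the logging loop.
SAMPLE_LOG = "\n".join([
    "Thu 05/25/2006 ", "02:30 PM", EMPTY,
    "Thu 05/25/2006 ", "02:31 PM", "", HDR, "", "-" * 79, A, B,
    "Thu 05/25/2006 ", "02:32 PM", "", HDR, "", "-" * 79, A,
    "Thu 05/25/2006 ", "02:33 PM", EMPTY,
])
DATE = re.compile(r"^\w{3} (\d{2}/\d{2}/\d{4})\s*$")

def snapshots(text):
    """Return [(datetime, {(computer, user), ...})], one entry per loop pass."""
    out, ucol, ccol = [], 23, 44
    lines = iter(text.splitlines())
    for line in lines:
        m = DATE.match(line)
        if m:  # date line; the next line is the `time /t` output
            clock = next(lines, "").strip()
            if not clock:
                break  # log truncated mid-entry
            stamp = datetime.strptime(f"{m.group(1)} {clock}", "%m/%d/%Y %I:%M %p")
            out.append((stamp, set()))
        elif line.startswith("Computer") and "Client Type" in line:
            ucol, ccol = line.index("User name"), line.index("Client Type")
        elif line.startswith("\\\\") and out:  # a session row: \\client ...
            out[-1][1].add((line[:ucol].strip(), line[ucol:ccol].strip() or "(none)"))
    return out

def intervals(snaps):
    """Collapse snapshots into (computer, user, first_seen, last_seen) tuples."""
    active, closed = {}, []
    for stamp, seen in snaps:
        for key in [k for k in active if k not in seen]:
            closed.append(key + tuple(active.pop(key)))  # session gone this pass
        for key in seen:
            active.setdefault(key, [stamp, stamp])[1] = stamp
    closed += [key + tuple(v) for key, v in active.items()]  # still open at end of log
    return sorted(closed, key=lambda r: (r[2], r[0]))
```

Because the batch file samples once a minute, a session shorter than that interval may never reach the log, and the log is only as trustworthy as the accounts with admin rights on the PC.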
 

Author Comment

by:mdmcq5
ID: 16772632
Ok, I'll give a try on Tuesday....
0
 
LVL 9

Expert Comment

by:imnajam
ID: 16773993
mdmcq5, note that you will not be notified of anyone connecting to you with this script; however, you may check it later to find out when somebody connected to your PC in the past.
0
 

Author Comment

by:mdmcq5
ID: 16775667
I do understand that, imnajam....
0
 

Author Comment

by:mdmcq5
ID: 16799423
I wish there was a tool other than ZoneAlarm that would alert you when someone is connecting to your PC; the program itself is such a pain to configure, especially for a PC connected to the network.

The script file is a cool trick, but it is identical to just checking the logs as imnajam stated.  I've increased the size to 4GB, and will just check them w/a reminder from time to time.

thank you both for your input.
0
