Solved

Windows XP Login Anomaly

Posted on 2012-03-12
Last Modified: 2012-08-14
Hello,

Noted a strange incident on a network last week. Several users noted that their computers restarted and when the systems rebooted, the username showed the "Administrator" account instead of their default user name. I suspect hacking but am curious if perhaps a new Windows update or SR or something might have caused this.

The workstations are running Windows XP SR3 and they are part of a Windows 2003 domain.
0
Question by:SRC-S1
7 Comments
 
LVL 4

Expert Comment

by:Neal58
Has anyone been logging in as admin on these PCs? Check the event logs on a couple to see who's logged in, and it may be worth securing your administrator login!
0
 
LVL 1

Author Comment

by:SRC-S1
Hey Neal58,

Great thought but I am told that neither the administrator, nor the admin account, is used on these workstations. According to in-house IT, at around the same time, three workstations restarted and when they came back up the administrator account was in the username....this typically only shows when the administrator account, either locally or via RDP, was so logged on.

Quite strange for sure.
0
 
LVL 6

Expert Comment

by:xeroxzerox
Have you checked all the user names on the server? What is it showing on the server?
Are all the user names on the server the same, or replaced too?

Are users able to log in with their user names on the system or not? If not, what error occurred?
0

 
LVL 25

Expert Comment

by:Fred Marshall
Well, first it sounds like the login setup on those computers is the Classic Logon screen that has a blank for the user and a blank for the password.  Is that right?

Then, this screen comes up with the last username in the first blank.

I wonder if there wasn't an upgrade or change pushed from the server that required a logon?  If this happened, and particularly if it was automated, then maybe nobody knows?  Or possibly a Windows update?  

If the Administrator account "is not used" then it's also very possible that the Administrator password is [blank].  If that's the case then it would be easier for system-level push administration operations.  And, *that* may be somewhat transparent to the system administrators.

I do think it's relatively safe to say or surmise that an Administrator logon did happen on those computers.
0
 
LVL 1

Author Comment

by:SRC-S1
Thanks all...so far still hoping for a reasonable explanation....

I am assured that the domain administrator account has not logged in to these computers in some time (months). Further, as Windows only shows the last successful logged on user in the username field, this indicates that the domain administrator account was involved here.

Also, the domain administrator account does NOT have a blank password.

Further, one would expect to see this anomaly if, perhaps, the domain administrator account was successfully connected via RDP and a forced shutdown or restart was done, wherein the domain administrator would in fact be the last successful login. Combined with the fact that the computers restarted, does sound to be along the lines of hacking and vandalism or annoyance to say the least.

Am hoping for alternate explanations such as perhaps a very recent Windows update might demonstrate such a symptom...not seeing it for any other clients which makes that very unlikely.

Again, appreciate the wisdom and feedback in this source and hopeful that someone might have more thoughts.
0
 
LVL 4

Accepted Solution

by:
Neal58 earned 500 total points
Does the local PC have the administrator account enabled? Are you sure it was trying the domain admin?

Windows updates won't make it log in as the admin account.

Yes, if the domain admin had connected via RDP (or even another screen sharing software that allowed login/out reboot ability like TeamViewer or VNC) it will show here if a successful login happened.

The only way for that admin account to be in the user name box is if there was a successful login by the domain admin user. So whoever or however it was done may be moot, as it is still likely that someone has logged in with that account on that PC.
0
 
LVL 25

Expert Comment

by:Fred Marshall
There are some things you can do as a check:

Log in as Administrator at each affected computer.
This login will confirm the password for Administrator.
If it's not changed then that's at least something.
Then change it.

Is RDP enabled?

Passwords are fairly easy to hack unless they are complex.  That's why there are password "scores" on some interfaces.  I like to use a combination of numerals (10) and letters (26) and upper/lower case mixed liberally (taking 26 to 52) and then you can add special characters in some interfaces for more.  Even this way there are 62 characters possible so you get N**62 possibilities which is too huge to search through in a lifetime.
See: www.passwordmeter.com or similar site to learn more and to try things.
0
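
The event-log check suggested in the thread, sketched as an added example (not code from any poster): it pairs each restart with successful Administrator logons on the same workstation shortly before it, and reports the logon type so a console logon can be told apart from RDP. The CSV layout, host names, addresses and the 15-minute window are constructed assumptions; 528/540 (successful logon), 529 (failed logon), 1074 (shutdown requested) and 6005 (Event Log service started) are the XP/2003-era event IDs.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample (not from the thread): simplified rows merged from the
# Security and System logs of two hypothetical XP workstations.
SAMPLE = r"""time,computer,event_id,user,logon_type,source
2012-03-08 09:01:10,WS-01,528,CORP\jsmith,2,
2012-03-08 14:22:03,WS-01,529,CORP\Administrator,10,10.0.0.57
2012-03-08 14:22:41,WS-01,528,CORP\Administrator,10,10.0.0.57
2012-03-08 14:25:02,WS-01,1074,CORP\Administrator,,
2012-03-08 14:26:30,WS-01,6005,,,
2012-03-08 09:03:55,WS-02,528,CORP\mjones,2,
2012-03-08 16:40:12,WS-02,6005,,,
"""

LOGON_OK = {"528", "540"}   # XP/2003: successful logon, successful network logon
RESTART = {"1074", "6005"}  # shutdown requested, Event Log service started
LOGON_TYPES = {"2": "interactive (console)", "3": "network",
               "10": "remote interactive (RDP)"}

def load(text):
    """Parse the CSV text and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda row: row["time"])

def admin_logons_before_restart(rows, account="administrator", window_min=15):
    """Pair each restart with successful logons by `account` (local or
    DOMAIN\\account) on the same computer in the preceding window."""
    window = timedelta(minutes=window_min)
    logons = [r for r in rows if r["event_id"] in LOGON_OK
              and r["user"].split("\\")[-1].lower() == account]
    findings = []
    for restart in (r for r in rows if r["event_id"] in RESTART):
        for logon in logons:
            gap = restart["time"] - logon["time"]
            if (logon["computer"] == restart["computer"]
                    and timedelta(0) <= gap <= window):
                findings.append((
                    logon["computer"], logon["time"].isoformat(sep=" "), logon["user"],
                    LOGON_TYPES.get(logon["logon_type"], logon["logon_type"]),
                    logon["source"] or "local", restart["event_id"]))
    return findings

if __name__ == "__main__":
    for finding in admin_logons_before_restart(load(SAMPLE)):
        print(finding)
```

The user column shows whether the logon was by the domain or the local Administrator account, which is the distinction raised in the accepted answer.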
