Solved

Windows XP Login Anomaly

Posted on 2012-03-12
Last Modified: 2012-08-14
Hello,

Noted a strange incident on a network last week.  Several users noted that their computers restarted and when the systems rebooted, the username showed the "Administrator" account instead of their default user name.  I suspect hacking but am curious if perhaps a new Windows update or SR or something might have caused this.

The workstations are running Windows XP SR3 and they are part of a Windows 2003 domain.
Question by:SRC-S1
7 Comments
 
LVL 4

Expert Comment

by:Neal58
ID: 37711025
Has anyone been logging in as admin on these PCs? Check the event logs on a couple to see who's logged in, and it may be worth securing your administrator login!
0
 
LVL 1

Author Comment

by:SRC-S1
ID: 37711107
Hey Neal58,

Great thought, but I am told that neither the administrator nor the admin account is used on these workstations. According to in-house IT, at around the same time, three workstations restarted and when they came back up the administrator account was in the username....this typically only shows when the administrator account, either locally or via RDP, was so logged on.

Quite strange for sure.
0
 
LVL 6

Expert Comment

by:xeroxzerox
ID: 37711460
Have you checked all the user names on the server? What is it showing on the server?
Are all the user names on the server the same, or replaced too?

Are users able to log in with their user names on the system or not? If not, what error occurred?
0

 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37711681
Well, first it sounds like the login setup on those computers is the Classic Logon screen that has a blank for the user and a blank for the password.  Is that right?

Then, this screen comes up with the last username in the first blank.

I wonder if there wasn't an upgrade or change pushed from the server that required a logon?  If this happened, and particularly if it was automated, then maybe nobody knows?  Or possibly a Windows update?  

If the Administrator account "is not used" then it's also very possible that the Administrator password is [blank].  If that's the case then it would be easier for system-level push administration operations.  And, *that* may be somewhat transparent to the system administrators.

I do think it's relatively safe to say or surmise that an Administrator logon did happen on those computers.
0
 
LVL 1

Author Comment

by:SRC-S1
ID: 37715481
Thanks all...so far still hoping for a reasonable explanation....

I am assured that the domain administrator account has not logged in to these computers in some time (months).  Further, as Windows only shows the last successful logged on user in the username field, this indicates that the domain administrator account was involved here.

Also, the domain administrator account does NOT have a blank password.

Further, one would expect to see this anomaly if, perhaps, the domain administrator account was successfully connected via RDP and a forced shutdown or restart was done, wherein the domain administrator would in fact be the last successful login.  Combined with the fact that the computers restarted, does sound to be along the lines of hacking and vandalism or annoyance to say the least.

Am hoping for alternate explanations such as perhaps a very recent Windows update might demonstrate such a symptom...not seeing it for any other clients which makes that very unlikely.

Again, appreciate the wisdom and feedback in this source and hopeful that someone might have more thoughts.
0
 
LVL 4

Accepted Solution

by:
Neal58 earned 2000 total points
ID: 37770542
Does the local PC have the administrator account enabled? Are you sure it was trying the domain admin?

Windows updates won't make it log in as the admin account.

Yes, if the domain admin had connected via RDP (or even another screen sharing software that allowed login/out reboot ability like TeamViewer or VNC) it will show here if a successful login happened.

The only way for that admin account to be in the user name box is if there was a successful login by the domain admin user. So whoever or however it was done may be moot as it is still likely that someone has logged in with that account on that PC.
0
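
Added example, not part of the original thread: one way to run the event-log check suggested above, over a constructed CSV export of Security-log logon events from Windows XP workstations. The column names, host names, domain name and addresses are assumptions made for the example, and it presumes logon auditing was enabled on the workstations.

```python
import csv
import io

# On Windows XP / Server 2003 the Security log records a successful logon as
# event 528 (540 for network logons); 529 is a failed logon.
SUCCESS_IDS = {"528", "540"}
LOGON_TYPES = {"2": "interactive (console)", "3": "network", "7": "unlock",
               "10": "remote interactive (RDP)", "11": "cached interactive"}

# Constructed sample export, one event per row (hypothetical hosts, CORP domain).
SAMPLE_EXPORT = """\
time,computer,event_id,user,domain,logon_type,source_address
2012-03-08 09:01:12,WS-ACCT-01,528,jsmith,CORP,2,127.0.0.1
2012-03-08 14:01:58,WS-ACCT-01,529,Administrator,CORP,10,192.0.2.44
2012-03-08 14:02:47,WS-ACCT-01,528,Administrator,CORP,10,192.0.2.44
2012-03-08 14:03:05,WS-ACCT-02,528,Administrator,WS-ACCT-02,2,-
"""


def admin_logons(export_text, account="administrator"):
    """Return the successful logons by `account`, oldest first."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in SUCCESS_IDS or row["user"].lower() != account:
            continue
        # For a local account the Domain field holds the computer's own name.
        scope = "local" if row["domain"].upper() == row["computer"].upper() else "domain"
        hits.append({"time": row["time"], "computer": row["computer"], "scope": scope,
                     "how": LOGON_TYPES.get(row["logon_type"], "type " + row["logon_type"]),
                     "source": row["source_address"]})
    return sorted(hits, key=lambda h: h["time"])


def last_interactive_user(export_text, computer):
    """User of the latest console/RDP logon on `computer` (the name the thread
    says is left in the logon box), or None if no such logon was recorded."""
    rows = [r for r in csv.DictReader(io.StringIO(export_text))
            if r["computer"] == computer and r["event_id"] in SUCCESS_IDS
            and r["logon_type"] in ("2", "10", "11")]
    return max(rows, key=lambda r: r["time"])["user"] if rows else None


if __name__ == "__main__":
    for hit in admin_logons(SAMPLE_EXPORT):
        print(hit)
    print(last_interactive_user(SAMPLE_EXPORT, "WS-ACCT-01"))
```

A "domain" hit with the RDP logon type and a source address supports the remote-logon explanation, while a "local" hit points at the workstation's own Administrator account rather than the domain one.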
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37773078
There are some things you can do as a check:

Log in as Administrator at each affected computer.
This login will confirm the password for Administrator.
If it's not changed then that's at least something.
Then change it.

Is RDP enabled?

Passwords are fairly easy to hack unless they are complex.  That's why there are password "scores" on some interfaces.  I like to use a combination of numerals (10) and letters (26) and upper/lower case mixed liberally (taking 26 to 52) and then you can add special characters in some interfaces for more.  Even this way there are 62 characters possible so you get N**62 possibilities which is too huge to search through in a lifetime.
See: www.passwordmeter.com or similar site to learn more and to try things.
0

Question has a verified solution.