How to tell if someone remoted onto my computer

I was working over VPN on my VMware laptop, logged onto a server transferring some files.  Suddenly the connection ended and the session was gone.  Since I was logged in, now I'm targeted for turning the server off, but I NEVER touched it after connecting.  Is there any way to tell if someone remoted in and shut that server down?
Thank you,
Mark88
Mark O'Brien, Dispatch Software Support and Server Administration, Asked:
 
Lasse Bodilsen, System Administrator, Commented:
Open Event Viewer and go to Windows Logs - System.

Right-click System and choose Find, then search for "shutdown" until you get an event from "source: User32".

Should look something like this:
The process C:\Windows\system32\winlogon.exe (SERVER) has initiated the restart of computer SERVER on behalf of user DOMAIN\User for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: restart
 Comment:
0
 
John, Business Consultant (Owner), Commented:
Look in the server sessions to see who logged in recently if you did not end your own session. There should be another session that was used.

Did the files being transferred have a file with a shutdown command? That possibly could happen.
0
 
Natty Greg, In Theory (IT), Commented:
Check your syslog; each comment is time stamped, so you search until you find what you're looking for.
0

 
Mark O'Brien, Dispatch Software Support and Server Administration, Author Commented:
And you guys are saying on the server, not on my box, correct?
Mark88
0
 
John, Business Consultant (Owner), Commented:
If it happened on the server, you need to check the shutdown Event Log to see who did it.

Otherwise, something you did in the transfer affected things - I am not sure how.
0
 
Mark O'Brien, Dispatch Software Support and Server Administration, Author Commented:
I need to look deeper than just who shut it down, b/c I was logged on moving some files and it suddenly shut down on me.  I'm trying to figure out why it did that.  There's gotta be a log somewhere that tells what happened.  I was in the dang restroom when it shut down.
0
 
John, Business Consultant (Owner), Commented:
The event viewer will have recorded the shutdown and that will have the time for sure and possibly the user.
0
 
Mark O'Brien, Dispatch Software Support and Server Administration, Author Commented:
Oh it shows the user.  But I didn't shut it down.
That's why I'm looking deeper.
0
 
Lasse Bodilsen, System Administrator, Commented:
If you found the User32 event, then look at the event logs just before this one.  Some of the logs might have the answer.

 E.g. WindowsUpdateClient:
 Restart Required: To complete the installation of the following updates, the computer must be restarted.

 Or another User32:
 The process Explorer.EXE has initiated the restart of computer SERVER on behalf of user DOMAIN\User for the following reason: Operating System: Recovery (Planned)

 It might just have been Windows Update that forced the computer to shutdown/restart.
0
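
The checks suggested in the comments above (find the User32 shutdown record, read the System log just before it, and see who was logged on), as an added PowerShell example that is not part of any poster's comment. It assumes an elevated session on the server that shut down and that logon auditing is enabled; the event IDs 1074 (User32 shutdown record) and 4624 (successful logon) and the 30-minute look-back window are not named in the thread and are supplied here.

```powershell
# Added example; run on the server that shut down, not on the client laptop.
$lookBack = New-TimeSpan -Minutes 30   # assumed window, adjust as needed

# User32 event 1074 is the "has initiated the restart of computer" record quoted above.
$shutdowns = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'User32'; Id = 1074
} -MaxEvents 5 -ErrorAction SilentlyContinue

foreach ($s in $shutdowns) {
    $from = $s.TimeCreated - $lookBack
    "=== $($s.TimeCreated)  $(($s.Message -split "`r?`n")[0])"

    # System-log events leading up to the shutdown (e.g. WindowsUpdateClient).
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; StartTime = $from; EndTime = $s.TimeCreated
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap

    # Successful logons in the same window. Type 10 = RemoteInteractive (RDP), 3 = network.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $from; EndTime = $s.TimeCreated
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_
            $d  = @{}
            # Flatten the named <Data> fields of the event into a hashtable.
            ([xml]$ev.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType
                SourceIp    = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        } |
        Where-Object { $_.LogonType -in '3', '10' } |
        Sort-Object Time |
        Format-Table -AutoSize
}
```

A second session for the same account from a different source address shortly before the 1074 record is what separates "someone else used the account" from an update-driven or self-initiated restart.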
 
John, Business Consultant (Owner), Commented:
Oh it shows the user.  But I didn't shut it down.  

Who is the user?

If it was you, then what was in the file you were transferring?
0
 
Mark O'Brien, Dispatch Software Support and Server Administration, Author Commented:
Just logs
0
 
John, Business Consultant (Owner), Commented:
Then if you were certain you did not make a mistake, then someone using your user name shut it down.

If the server is running properly right now, and sits on a UPS, it is unlikely to have had a hardware problem just when you were using it. It IS on a UPS, correct?
0
 
Mark O'Brien, Dispatch Software Support and Server Administration, Author Commented:
I don't know.  It's in another state.  These are all Hyper-V's.
0
 
Seth Simmons, Sr. Systems Administrator, Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Lasse Bodilsen (https:#a42352038)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
Question has a verified solution.
