Mark O'Brien

asked on

How to tell if someone remoted onto my computer

I was working over VPN on my VMware laptop, logged onto a server transferring some files. Suddenly the connection ended and the session was gone. Since I was logged in, now I'm targeted for turning the server off, but I NEVER touched it after connecting. Is there any way to tell if someone remoted in and shut that server down?
Thank you,
Mark88
John

Look in the server sessions to see who logged in recently if you did not end your own session. There should be another session that was used.

Did the files being transferred have a file with a shutdown command? That possibly could happen.
Natty Greg

Check your syslog; each comment is time stamped, so you search until you find what you're looking for.
ASKER CERTIFIED SOLUTION
Lasse Bodilsen
This solution is only available to members.
Mark O'Brien

ASKER

And you guys are saying on the server, not on my box, correct?
Mark88
If it happened on the server, you need to check the shutdown Event Log to see who did it.

Otherwise, something you did in the transfer affected things - I am not sure how.
I need to look deeper than just who shut it down, b/c I was logged on moving some files and it suddenly shut down on me. I'm trying to figure out why it did that. There's gotta be a log somewhere that tells what happened. I was in the dang restroom when it shut down.
The event viewer will have recorded the shutdown and that will have the time for sure and possibly the user.
Oh it shows the user. But I didn't shut it down.
That's why I'm looking deeper.
If you found the User32 event, then look at the event logs just before this one. Some of the logs might have the answer.

 e.g. WindowsUpdateClient:
 Restart Required: To complete the installation of the following updates, the computer must be restarted.

 or another User32.
 The process Explorer.EXE has initiated the restart of computer SERVER on behalf of user DOMAIN\User for the following reason: Operating System: Recovery (Planned)

 It might just have been Windows Update that forced the computer to shutdown/restart.
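
The check described above (find the User32 record, read the entries just before it, and see who was logged on at the time), as an added PowerShell example that is not part of the original thread. It assumes the standard Windows event IDs 1074 (User32 shutdown request, System log) and 4624 (logon, Security log), that logon auditing is enabled on the server, and a 30-minute look-back window chosen for illustration.

```powershell
# Added example: correlate the most recent User32 shutdown record with what preceded it.
# Run in an elevated PowerShell session on the server (reading the Security log needs admin rights).
$WindowMinutes = 30   # assumed look-back window; adjust as needed

# 1. Most recent shutdown/restart request (System log, source User32, event ID 1074).
$shutdown = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'User32'; Id = 1074
} -MaxEvents 1 -ErrorAction Stop

$end   = $shutdown.TimeCreated
$start = $end.AddMinutes(-$WindowMinutes)
"Shutdown requested at $end"
$shutdown.Message          # names the process, the user and the stated reason

# 2. System log entries just before it (Windows Update restarts, other User32 records, service failures).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, ProviderName, Id, Message -Wrap

# 3. Logons in the same window (Security log, event ID 4624).
#    LogonType 2 = console, 3 = network, 10 = RemoteInteractive (RDP).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named fields from the event XML instead of relying on property positions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType
            SourceIP  = $data.IpAddress
        }
    } |
    Where-Object { $_.LogonType -in '2', '3', '10' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A logon under the same user name from a source address other than your own, shortly before the 1074 record, is the evidence that someone else used the account.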
Oh it shows the user.  But I didn't shut it down.  

Who is the user?

If it was you, then what was in the file you were transferring?
Just logs
Then if you were certain you did not make a mistake, then someone using your user name shut it down.

If the server is running properly right now, and sits on a UPS, it is unlikely to have had a hardware problem just when you were using it. It IS on a UPS, correct?
I don't know. It's in another state. These are all Hyper-V's
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Lasse Bodilsen (https:#a42352038)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer