
Security

by vernod / March 22, 2008 6:18 PM PDT

I have a Toshiba laptop with Windows XP Professional. One night, I left my laptop on so I could download a few things (I just close my lid and the broadband connection remains on; when the lid is opened, there is no requirement to enter a password to log on or anything like that).

I was out of the office for a few days. But during that time, someone tried to access my laptop to print a document by inserting a pen drive into the USB port. He later claimed to a colleague that he could not access the laptop because it prompted him for a password, which is not possible normally since I did not password protect the computer when opening the lid. However, I went through the Event Viewer and noticed that Windows had downloaded and installed a security update the same night I left it on. Apparently, this required a system restart.

I thought I was lucky, because normally if the system is restarted, it will ask for a password to log on. However, when I looked at the Event Viewer in closer detail, I noticed that Windows Defender still conducted the daily scans even after the restart and when I looked at my AVG Antivirus log, it showed that the daily scheduled scans occurred even after the apparent system restart.

My questions are as follows:

1. When Windows initiates a restart, would it go to the screen where it asks me for my password or for a restart due to installation of a security update, does it take you directly to the desktop without asking for a log in password?

2. If it does ask for the password before logging in, then how can Windows Defender and AVG still run if not logged in? When I got back, I tried restarting my laptop moments before the scheduled daily AVG scan and just left the screen at the place where it prompts for the log in password (I did not enter it though). Then, after 20 minutes, I entered my password to log in to see if AVG had initiated and it turns out that it had not. Which leads me to believe that after the system was restarted due to the Windows security update, it automatically logged me back in without a password, and that is the only way AVG and Windows Defender could have run after that. If that is the case, I am worried about someone accessing my files and/or placing malicious software. I had run AVG antispyware and Panda Activescan after the incident, but it did not find anything. However, a few days later, I downloaded Spyware Doctor and it found Trojan-PWS.OnlineGames.KW which made me even more nervous.

Do I have anything to worry about?

My first thoughts...
by MarkFlax Forum moderator / March 22, 2008 10:07 PM PDT
In reply to: Security

Others here will be able to tell you better than me, but I do not believe that a restart can log you back in to Windows if you have a login password set, not even after any Windows Updates.

What I am not sure about is whether both Windows Defender and AVG have been loaded by the time the Windows logon screen appears. What I mean is, if the Windows environment continues to load up when the logon screen displays (I think it does), does that allow utilities like Windows Defender and AVG to perform scans in the background?

When I turn my PC on and I eventually see the logon screen I have noticed that, if I logon immediately, my Desktop appears almost instantly. However, if I delay a few seconds my Desktop takes longer to load, as if Windows has become bored with waiting for me and has continued on to other tasks. The Desktop then has to wait for a chance, (an interrupt or something like that), before it will display.

Some utilities do load up. My ZoneAlarm firewall loads its TrueVector service almost immediately after POST to protect the system from hackers as the broadband connection connects before Windows loads.

However, your test surely was, when you returned to the laptop and opened the lid, was Windows fully loaded and functioning, or was it at the logon screen? If that colleague really does not have a password, and if there are no other accounts on the system that do not have a password, but Windows was fully loaded, then it seems my belief is false.

Nothing to do with me of course, but I would never leave my own computer on and unattended for such a long time. It seems your laptop was in an office environment? I wouldn't do that.

Mark

I also forgot to mention
by PudgyOne / March 22, 2008 10:32 PM PDT
In reply to: My first thoughts...

That you are responsible for what goes on, while you are logged into the computer.

Suggestion

Put on a password when you walk away from your computer using the screen saver. If you cannot do this, due to your tech department disabling this feature, then lock the computer when you walk away. I press the Windows Key and L at the same time.

Since I use a shared computer at work, I always remember to log out when finished.

Remember do NOT do anything at work that you don't want others to see. The computer is property of the business you work for and can be accessed at anytime. Even if you delete some of the information, the information can be retained on the hard drive.


Rick

My thoughts ar
by PudgyOne / March 22, 2008 10:21 PM PDT
In reply to: Security

that after you download Windows Updates, the computer will NOT restart on its own. You have to manually restart it.

Second after I responded to your post,

http://forums.cnet.com/5208-6142_102-0.html?forumID=5&threadID=288850&messageID=2735907

I realize that you have a company computer. Company computers keep everything the IT department wants to keep. I guess that you don't want to go do your private information if your IT person is checking up on your activity.

Keep the work computer strictly for work.

Use your own personal computer for your own personal items. I separate work and personal. I keep work only on their computer. I never use the company's email address to send personal items. I also NEVER do anything like online banking and purchasing items on the work computer. It is shared and others may have downloaded something that can steal that information. The programs I suggested in the previous post are good, but only if you have unrestricted use.


Good Luck,


Rick

Ahh, and something else.
by MarkFlax Forum moderator / March 22, 2008 10:25 PM PDT
In reply to: My thoughts ar

Rick's comments and that office situation made me think of something else.

What about the office's IT administrator? If it is a works computer he/she probably has access. If they are checking why a laptop has been left on for a few days they may have done some checking.

Mark

Re: Security
by vernod / March 23, 2008 2:46 AM PDT

Well, it is a company computer - but it's my company! So I did not think too much about someone else trying to access it (I know, stupid of me....)

I am confused - Mark indicated that the update would lead to an automatic restart and that would take me to the logon screen. Yet Rick says that it would need to be a manual restart. When I checked the event viewer, it said that a system restart was initiated (don't know if that means it was done). But I was downloading some stuff, and it seems to have stopped downloading around the same time that windows update is scheduled to look for updates. Could this mean that the system was indeed automatically restarted?

Oh, and when I did get back to my computer after this incident, I found that someone had turned the power off, so no way to tell if they were able to access the desktop or just turned it off in frustration!!!

Here's your questions.
by PudgyOne / March 23, 2008 4:53 AM PDT
In reply to: Re: Security

Do you have the computer set to support hibernation?

Control panel/Power options/hibernate checked

If so, it's possible the computer hibernated.

What power schemes are you using?

Control panel/Power options/Power schemes

Not locking the computer is asking for an invitation. I'd like to see what the boss does, when he's supposed to be working, wouldn't you?

Now small lesson on what's on your computer.

Download this to your desktop and click on it. If your virus program comes up and says it's a hacking tool, tell it to allow. Now you'll be able to see what others can find. Need a password or so? What websites were you at? This is minor. Remember hard drives usually keep information on them, even after the information is deleted. Most Police Departments use special tools to do this, as well as techs.

I like having the function to close the laptop and not having it shut down. My daughter and her friends are seen carrying them. I fixed theirs so they can carry them then open and get back to work.

Good practice is to lock your computer when you are away. My company does NOT trust me to be an unrestricted user. I am restricted there and I really don't care. It's for work. If I were unrestricted user, I'd add all the tools I mentioned in the Gmail post and I'd even throw in a hosts file. The hosts file would help keep some problems away. More on Hosts files here.


Hope this shed some light on this for you.

Oh, I almost forgot. Windows Updates will download and wait. They will wait for either you to install them or it will tell you they will install when the computer shuts down or it will tell you on the computer, Windows updates are ready, do you want to restart your computer, or something similar to that. So it looks like someone was in your computer.

Does XP Professional have a back door administrator account in the safe mode that's unprotected? If so, I'd suggest that you restart your computer and press F8 when you see the Toshiba screen. Click on the Administrator account if you can log right in, then go to control panel/users and put a password on it.


Rick

I agree
by MarkFlax Forum moderator / March 23, 2008 6:45 AM PDT
In reply to: Here's your questions.

with everything Rick says, and especially about the updates. I know that when I update my anti-virus definitions it then waits for 30 seconds for my input to continue, then continues itself after the 30 seconds if I do not respond, to implement the updates. But that does not involve a reboot, and I accept that Windows Updates are different. They just wait for the next restart and do not reboot the computer automatically.

Mark

Clarifications
by vernod / March 23, 2008 6:20 PM PDT
In reply to: I agree

Answer to your questions:

I do not have my computer set to hibernate

My power scheme is one whereby the monitor, hard disk, and system standby is never triggered (i.e. always on).

Regarding the automatic reboot after windows update, pls. see the following link (third paragraph under the installation heading) where it says that windows does do an automatic reboot for certain updates:

http://www.updatexp.com/windows-automatic-updates.html

Logs from event viewer (Application) indicating that there was an automatic restart:

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Update for Outlook 2003: Junk E-mail Filter (KB947944): OUTLFLTR' installed successfully

The Windows Installer initiated a system restart to complete or continue the configuration of 'Microsoft Office Professional Edition 2003'.

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Outlook 2003 (KB945432): OUTLOOK' installed successfully.

Product: Microsoft Office OneNote 2003 -- Configuration completed successfully.

Product: Microsoft Office OneNote 2003 - Update 'Security Update for Office 2003 (KB947355): MSO' installed successfully.

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Office 2003 (KB947355): MSO' installed successfully.

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Excel 2003 (KB943985): EXCEL' installed successfully.

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Windows saved user ADMINISTRATOR\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

The Windows Security Center Service has started.

In Event Viewer, under System, it shows that Windows Defender still ran at 11 AM (scheduled time) even after the restart (around 3AM the same day).


What do you think?
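An added example, not part of any post in this thread: one way to line up the kind of Event Viewer records quoted above and see, for each boot, whether an interactive logon was recorded or only background activity. The records are constructed samples, the function name `boot_sessions` is hypothetical, and it assumes logon auditing was enabled so that the Security log holds event 528 (Logon Type 2 = interactive) entries.

```python
from datetime import datetime

BOOT_ID = 6005   # System log, source EventLog: "The Event log service was started."
LOGON_ID = 528   # XP Security log: successful logon (only written if logon auditing is on)
MSI_RESTART = "The Windows Installer initiated a system restart"  # text quoted in the post

# Constructed sample export (timestamp, log, source, event ID, message); not data from the thread.
SAMPLE = [
    ("2008-03-19 03:02:10", "Application", "MsiInstaller", 1005,
     MSI_RESTART + " to complete or continue the configuration of "
     "'Microsoft Office Professional Edition 2003'."),
    ("2008-03-19 03:04:05", "System", "EventLog", 6005, "The Event log service was started."),
    ("2008-03-19 11:00:00", "System", "WinDefend", 1000, "Windows Defender scan has started."),
    ("2008-03-22 09:15:00", "System", "EventLog", 6005, "The Event log service was started."),
    ("2008-03-22 09:16:30", "Security", "Security", 528,
     "Successful Logon: User Name: Administrator Logon Type: 2"),  # simplified message text
]

def parse(records):
    """Turn timestamp strings into datetimes and order the records chronologically."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), log, src, eid, msg)
                  for t, log, src, eid, msg in records)

def boot_sessions(records):
    """Split the timeline at each boot; list interactive logons and other activity per boot."""
    sessions, pending_cause = [], None
    for when, log, src, eid, msg in parse(records):
        if msg.startswith(MSI_RESTART):
            pending_cause = "Windows Installer"      # restart request seen before the next boot
        elif log == "System" and eid == BOOT_ID:
            sessions.append({"boot": when, "cause": pending_cause or "unknown",
                             "interactive_logons": [], "background": []})
            pending_cause = None
        elif sessions:
            if log == "Security" and eid == LOGON_ID and "Logon Type: 2" in msg:
                sessions[-1]["interactive_logons"].append(when)
            else:
                sessions[-1]["background"].append(src)  # services/tasks, not a user at the desktop
    return sessions

if __name__ == "__main__":
    for s in boot_sessions(SAMPLE):
        print(s["boot"], "cause:", s["cause"],
              "| interactive logons:", len(s["interactive_logons"]),
              "| background sources:", s["background"])
```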

Last thing is to check the history
by PudgyOne / March 23, 2008 7:14 PM PDT
In reply to: Clarifications

Check the history for the date in question. Make sure the history is still there for the days before you left, unless you don't keep the history.

Personally, I don't think the computer restarted after a Windows Update on its own, someone restarted it or shut it down. Then if they didn't have the password, were locked out.


Rick
