Please click the link below for your operating system to download the TSG SysInfo Utility. Click on "Save File" then double-click the file to run it. Copy and paste the report in your initial post. Windows 7 and later (downloads a file named tsginfo.exe) | Windows XP (downloads a file named SysInfo.exe)

Controlling Another Computer

1715 Views 14 Replies 3 Participants Last post by dmccoy, Dec 10, 2017

Panther1310

Discussion Starter · Dec 9, 2017

Hi,

Is it possible for someone to use an API to control all your computer on your network?

Elaine

Save

Status: Not open for further replies.

1 - 15 of 15 Posts

lunarlander

· #2 · Dec 9, 2017

Remote admin packages are abound: teamviewer, logmein, VNC ...

Save

I've just found a file migrated called shell unlock

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Sediment</Author>
<Description>USO Scan upon Unlock</Description>
<URI>\Microsoft\Windows\rempl\shell-unlock</URI>
</RegistrationInfo>
<Triggers>
<SessionStateChangeTrigger>
<Enabled>true</Enabled>
<StateChange>SessionUnlock</StateChange>
</SessionStateChangeTrigger>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription><QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000]]</Select></Query></QueryList></Subscription>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>6</Priority>
</Settings>
<Actions Context="LocalSystem">
<Exec>
<Command>%ProgramFiles%\rempl\remsh.exe</Command>
<Arguments>/RunUsoScanOnly</Arguments>
</Exec>
</Actions>
</Task>

is that normal?

See less See more

Save

Panther1310

Discussion Starter · #4 · Dec 9, 2017

where would I look on my files to find if there is a remote admin?

Save

lunarlander

· #5 · Dec 9, 2017

Most remote admin programs need to start up upon boot. Go download AutoRuns from MS SysInternals:

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

It will show you almost all programs in the registry that start up automatically. I remember there is a right click choice to check a file against VirusTotal. Check for files that look familiar but spelt wrong, like 'svchosts' instead of 'svchost'

Save

Panther1310

Discussion Starter · #6 · Dec 9, 2017

Colorfulness Rectangle Font Parallel Screenshot

Azure Rectangle Font Screenshot Parallel

Rectangle Font Screenshot Parallel Software

Colorfulness Rectangle Font Line Screenshot

Product Rectangle Font Screenshot Software

Colorfulness Rectangle Font Screenshot Parallel

Rectangle Font Screenshot Software Parallel

See less See more

Save

Panther1310

Discussion Starter · #7 · Dec 9, 2017

See less See more

Save

Panther1310

Discussion Starter · #8 · Dec 9, 2017

iv got 4 files called autorun

heres the next

Rectangle Font Screenshot Parallel Number

Rectangle Font Screenshot Software Technology

See less See more

Save

Panther1310

Discussion Starter · #9 · Dec 9, 2017

can you let me know if theres anything there or if you still need to see more.

Thanks for your help

Save

dmccoy

· #10 · Dec 9, 2017

It would be much easier to help you if you upload the file rather then post all the screenshots

1. Make sure Hide Microsoft Entries is Checked Under the Options Menu
2. After Scanning is Finished
3. Go to File then Save
4. Save as AutoRuns.am file or as Autoruns.txt to known location like your Desktop
5. Upload file to your next reply. You may have to compress the file to .zip before uploading if you use .am extension.

Save

Panther1310

Discussion Starter · #11 · Dec 10, 2017

thanks dckeks,

i'll do that

Save

Panther1310

Discussion Starter · #12 · Dec 10, 2017

this is what appears when I try and save it. I am the administrator.

Rectangle Screenshot Font Computer Operating system

See less See more

Save

Panther1310

Discussion Starter · #13 · Dec 10, 2017

iv just found this when looking for administrator settings

Photograph Rectangle Font Screenshot Line

See less See more

Save

lunarlander

· #14 · Dec 10, 2017 (Edited by Moderator)

That account unknown can be the result of you previously deleting an account. When you delete an account, the permissions for it remains embedded in files which that account used to be able to access.

Don't ask me to go thru the Autoruns screen shots for you. I just save a baseline and compare them.

Save

dmccoy

· #15 · Dec 10, 2017

Yes! You will either have to update the correct Permissions or you can try saving to desktop

Save

1 - 15 of 15 Posts

Status: Not open for further replies.

Top Contributors this Month