How and what exactly do I look for remote access programs or similar?

Anonymous
2025-06-17T21:01:23+00:00

I have had this feeling for a while that someone is on my computer, not that I see the obvious signs of remote access nor is it frequent but sometimes it feels like my computer is being remotely accessed.

The reasons why I think it's being remotely accessed are:

  • Microsoft Edge has redirected me to a random website whenever I search anything (something along the lines of salsapet.info), but I resolved that by clearing everything in MS Edge.
  • Once my mouse has randomly scrolled down, including YouTube controls showing by itself without me moving my cursor at all (keep in mind it should only show if I actually move my mouse)
  • Weird active connections found via 'netstat' command,
  • Mouse slightly moving by itself on other applications.

I have run MSERT multiple times, did an offline scan via Microsoft Defender, checked through user accounts or any remote connections but I simply didn't find anything suspicious.

I would be really glad if someone could help me with this, would very much appreciate it.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

quietman7 MVP Alumni 19,735 Reputation points Volunteer Moderator
2025-06-17T21:15:27+00:00

Did you check Event Viewer logs? Windows automatically audits logon events and logs every time you log into your device. Event Viewer will provide a long list of activities.

  • Press the Windows Key on your keyboard or in the Search Box, type: eventvwr and click on the top search result.
  • Press Enter to open.
  • Go to Windows Logs > Security and look for any suspicious logon attempts. 
    4624 records a Logon.
    4672 records a Special Logon.
    4634 will be listed when an account logs.

Do you have Remote Access Enabled? If so, disable it to prevent unauthorized users from connecting to your computer.

  • Press the Windows Key on your keyboard or in the Search Box, type: SystemPropertiesRemote.exe (or sysdm.cpl) and click on the top search result
  • Press Enter to access System Properties.
  • In the Remote tab, ensure “Don’t allow remote connections to this computer” is selected.

How To Check For Unauthorized Access To Your PC with Event Viewer

Related Resources:

If Microsoft Defender Antivirus and Defender Offline cannot find any threats or finds but cannot remove threats, there are various secondary opinion scanners which can be used to supplement your existing antivirus.

I provide a more detailed list of malware removal tools with scanning instructions in Supplementing your Anti-Virus Program with Anti-Malware Tools (Post #4)...just scroll down near the bottom of that post.


8 additional answers

  1. quietman7 MVP Alumni 19,735 Reputation points Volunteer Moderator
    2025-06-17T22:28:11+00:00

    “Your IT Administrator Has Limited Access” Windows Security Error < - most likely due to Malwarebytes
     
    Malwarebytes has the capability to register in Windows Security, allowing users to configure Malwarebytes as their primary security solution or to run alongside their third party antivirus application. By default, Malwarebytes automatically decides whether or not to register itself with Windows Security Center settings as noted here (by exile360) in order for Windows to recognize it as security software. This means Windows Defender's real-time protection will be turned off. You can override this behavior in Malwarebytes > Settings > Security tab > Windows Security Center and choose to "Never register Malwarebytes in the Windows Action Centre"...by leaving that option unchecked.

    You said "it simply turned itself back on", does that mean Microsoft Defender is working again?

  2. Anonymous
    2025-06-17T22:10:18+00:00

    I tried Malwarebytes, but it sent me a notification saying my Defender was disabled. When I went there to turn it back on, it simply turned itself back on and said my IT Administrator has limited core access.

    I don't know whether this is normal, my account is an administrator account itself...what even is IT Administrator in this case? In the event viewer it says I have enumerated credentials.

  3. quietman7 MVP Alumni 19,735 Reputation points Volunteer Moderator
    2025-06-17T22:07:04+00:00

    Local Accounts are defined locally on a device and can be assigned rights and permissions on the device only.
    Default local user accounts are built-in accounts that are created automatically when the operating system is installed and cannot be removed or deleted.

    Default local system accounts include:

    • SYSTEM account is used by the operating system and by services running under Windows to perform tasks that require local system permissions.
    • NETWORK SERVICE account is a predefined local account used by the service control manager (SCM).
    • LOCAL SERVICE account is a predefined local account with minimum privileges on the local computer and used by the service control manager...it presents anonymous credentials on the network.

    The term "impersonation" does not necessarily mean that your system is compromised. In Windows Security, WindowsIdentity.Impersonate Method is a feature that allows code to impersonate a different Windows user. More specifically it allows a service to use a client's identity to perform an action on behalf of a client. The server process can impersonate the client's security context on its local system. Event viewer can show the WindowsIdentity.ImpersonationLevel (WindowsIdentity class) for the current user.

    System Account names like DWM-1, DWM-2, UMFD-0, UMFD-3 can appear for system-initiated logons such as Desktop Window Manager and/or User Mode Font Driver processes.

    Did you run any of the scans I suggested?

  4. Anonymous
    2025-06-17T21:32:17+00:00

    For the event viewer, I have checked and see the following results:

    • Most of special logons are from SYSTEM and DWM-4 with the Security ID being S-1-X and then numbers..but the DWM-4's last two Logon ID digits always randomize.
    • Some logoffs show SYSTEM, my desktop username, and DWM-3 and UMFD-3, with all of their last two Logon ID digits randomized except for the SYSTEM one.
    • When looking at my own logons recently, there are two of them: one without elevated token and one with an elevated token. Their Logon IDs are also randomized but not constantly (by this I mean it would just be the same IDs on every other logon list)

    There is something that says "Impersonation Level: Impersonation" specifically on the account with my desktop's username.

    • There are special logons by the Administrator account, which is the one I use for this computer and the LogonID completely randomizes every logon.

    For Remote Access, no connections are allowed on this computer.
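
The Event Viewer review from the accepted answer and the account names discussed in the replies (SYSTEM, DWM-n, UMFD-n) can be combined into one check from an elevated PowerShell prompt. This script is an added example, not part of any post in this thread; the seven-day window, the variable names and the output labels are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log requires it).
$since = (Get-Date).AddDays(-7)   # assumed review window

# LogonType values recorded in event 4624.
$typeName = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
               8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive';
               11='CachedInteractive' }

# Accounts that log on without a person involved (services, Desktop Window
# Manager, User Mode Font Driver). -match is case-insensitive.
$systemNames = '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-\d+|UMFD-\d+)$'

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the event's fields by name from its XML form.
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        $type = [int]$f['LogonType']
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Account         = $f['TargetUserName']
            LogonType       = $typeName[$type]
            Source          = $f['IpAddress']
            Process         = $f['ProcessName']
            SystemInitiated = $f['TargetUserName'] -match $systemNames
            Remote          = $type -in 3, 10   # network or Remote Desktop
        }
    }

# Overview: how often each non-system account logged on, by logon type.
$logons | Where-Object { -not $_.SystemInitiated } |
    Group-Object Account, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Detail: network and Remote Desktop logons by non-system accounts.
# A Source of '-', ::1 or 127.0.0.1 usually means the logon originated on this PC.
$logons | Where-Object { $_.Remote -and -not $_.SystemInitiated } |
    Sort-Object Time -Descending |
    Format-Table Time, Account, LogonType, Source, Process -AutoSize

# Registry value behind the Remote tab in System Properties:
# 0 = remote connections allowed, 1 (or absent) = not allowed.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty $key -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { 'Remote Desktop: ENABLED' } else { 'Remote Desktop: not enabled' }
```

An empty second table means no network or Remote Desktop logons by user accounts were recorded in the window; RemoteInteractive rows with an unfamiliar Source address are the ones to investigate first.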
