Out of nowhere a new user folder shows up in C:\User. Is it possible remotely even though Remote Desktop Connection is turned off?

Panchali Mukherjee 1

Hi we have a Windows Server 2019 with Active Directory. I am working on a new laptop. Until now in the C:\User folder was only my name, Default and another name. But suddenly since Tuesday another username shows up in the C:\User folder. Does this mean this person logged on to my laptop manually or can a profile name be created in C:\User even if that person did something remotely over Powershell. Just FYI Remote Desktop Connection is turned off on my laptop.

3 answers

Dave Patrick 426.1K Reputation points MVP

2022-10-28T13:18:14.297+00:00

Can a user folder be created in the C:\User folder if they were doing some updates over the network?

I suppose anything is possible. Do you see ntuser.dat? If so then someone logged on and the file timestamp should tell you when they last logged on.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.

1 person found this answer helpful.
Panchali Mukherjee 1 Reputation point

2022-10-28T13:58:12.613+00:00

Yes, there is a ntuser.dat and the date of modification is 25.10.2022 (Tuesday). Does that mean when I was not in my office they came in and logged into my laptop with their username?

Dave Patrick 426.1K Reputation points MVP

2022-10-28T13:59:51.597+00:00

Sure looks that way.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Dave Patrick 426.1K Reputation points MVP

2022-10-28T14:44:42.907+00:00

Just a reminder, please don't forget to close up the thread by

Dave Patrick 426.1K Reputation points MVP

2022-10-29T13:16:45.153+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--

Panchali Mukherjee 1 Reputation point

2022-10-30T09:06:33.027+00:00

Not yet, I just want to be certain before I ask this co-worker anything or take this any further. We have a strict rule at work to not look into anyone's computer without first confirming that with them so I need to get to the bottom of this.

Dave Patrick 426.1K Reputation points MVP

2022-11-01T14:58:01.89+00:00

Just a reminder, please don't forget to close up the thread by

Dave Patrick 426.1K Reputation points MVP

2022-11-02T12:21:36.043+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--
Sign in to comment
Dave Patrick 426.1K Reputation points MVP

2022-10-28T13:10:20.71+00:00

Not much to go on but most likely is the user has logged on to the laptop locally or remotely.

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.
Panchali Mukherjee 1 Reputation point

2022-10-28T13:15:07.067+00:00

Remote Desktop Connection is turned off. Then can they remotely login to the PC? If so, how? Can a user folder be created in the C:\User folder if they were doing some updates over the network?

If you need any further information please ask, I just don't know what information I should provide?
Sign in to comment
Zain Choudry 6 Reputation points

2022-10-30T07:40:01.063+00:00

There are other ways a user can log into your machine, a few examples are psexec or remote PowerShell. However, they would most likely need to be local administrator to do this.

I would look at the Windows Security Event Logs to see if there's any clues to what might have happened.

A few questions might help also.

Is the computer added to a domain? Is the new profile a domain user? If it's not added to a domain then is the user a local admin on the computer? You can check this using computer management.
Please sign in to rate this answer.
Panchali Mukherjee 1 Reputation point

2022-10-30T08:23:39.187+00:00

Yes, the computer is in a domain and the new profile is a domain user. In the event log there was a logon, special logon and logoff from this user. But there has been logon, special logon and logoff events from that user even 2 days ago, but the ntuser.dat timestamp hasn't changed from the day when the suspicious event occurred. I also checked on other PCs in the domain, when these logon logoffs happened on their PCs but this user wasn't on the PC in person the date on the ntuser.dat didn't change. Do you think the ntuser.dat can be affected if the person was just doing updates in the background using PowerShell? I would also like to point out that Remote Desktop Connection is turned off.

Zain Choudry 6 Reputation points

2022-10-31T19:42:20.3+00:00

It's possible to remote PowerShell into a computer where Remote Desktop connection is disabled. It could also be a scheduled task if it happens at the same time every day.

It could be your IT performing application updates on the laptop, depending on the tool it might leave a profile behind.

Does it have a predictable pattern? There are some things you can do to log the network connections to your laptop so you might be able to find out where it's coming from. The most obvious choice that comes to mind is ProcMon: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

In summary - this is one of those things that you'll need to dig a bit deeper with.

Panchali Mukherjee 1 Reputation point

2022-11-02T11:09:58.46+00:00

Hi, I looked into the event manager and it is not a scheduled event. This was a one off incident. There are other log on and log off on some other dates, however, the profile didn't update and the date on the ntuser.dat didn't change on those occasions. What would this imply? Can you infer whether the action could be intentional and malicious or do you think no malicious intents were behind this attempt?
Sign in to comment