“control userpasswords2” in Run box
When a home user woke their laptop (HP with Windows 10, Office, Defender, Chrome, a few games) this morning, it went straight to the desktop (no password prompt) and the Run command box was open with "control userpasswords2" in it. Nothing else was open.

The computer was used yesterday for routine web surfing, then lid closed. No one had physical access overnight (let's assume a Mission Impossible style break-in did not occur).

Any ideas how that got there, or what to look for? Is there some macro that might cause this? Or is it a remote intrusion?
windows-10 laptop security user-accounts
asked Jan 28 at 17:48
Foo Bar
  • 1





    So, you caught it before someone locked you out of your own system, but they probably also created an admin account for themselves. A bet is that the system isn't set to actually -sleep- when you close the lid, and you don't have any security software running because you figure you don't need it. I sure hope you didn't also have credit card numbers written into some plain-text file.

    – Debra
    Feb 5 at 3:58











  • Adding to all this, the information given and the assumptions that can reasonably be drawn from them strongly indicate that your organization needs to take security much more seriously and should likely pay good money to find and retain qualified individuals or services that can help fill this need for you. This time you may have gotten off easily, and it would be far better to take this gentle warning and fix the problems than it would be to experience a full breach the next time and hurt people and your organization if you fail to take those necessary precautions.

    – music2myear
    Feb 5 at 16:57











  • To clarify: this is a non-business laptop belonging to an acquaintance who I am helping outside of work.

    – Foo Bar
    Feb 5 at 21:23
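Before wiping the machine, a first-pass, read-only triage answers the two things the question and Debra's comment raise: whether automatic logon was switched on (the "Users must enter a user name and password to use this computer" checkbox in the dialog that `control userpasswords2` / `netplwiz` opens is stored under the Winlogon registry key, which would explain waking straight to the desktop), and whether an extra local account or Administrators member appeared. The script below is an added example, not part of the Super User thread or any of its posters' answers; it is run from an elevated PowerShell 5.1 prompt on the affected laptop, changes nothing, and the list of expected account names and the seven-day look-back window are assumptions to be edited for the machine in hand.

```powershell
# Added triage example (not from the thread). Read-only: it only queries the
# registry, local SAM and Security event log. Run as Administrator.
# ASSUMPTION: edit these to the accounts that are supposed to exist on this laptop.
$expectedAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount', 'owner')
# ASSUMPTION: how far back to look in the Security log.
$lookback = (Get-Date).AddDays(-7)

# 1. Automatic logon. netplwiz / control userpasswords2 toggles AutoAdminLogon and
#    DefaultUserName here. "1" means the next boot skips the password prompt.
#    netplwiz stores the password as an LSA secret, so a missing DefaultPassword
#    value does NOT mean auto-logon is off; a present one means it was set by hand.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
[pscustomobject]@{
    AutoAdminLogon         = $wl.AutoAdminLogon
    DefaultUserName        = $wl.DefaultUserName
    DefaultDomainName      = $wl.DefaultDomainName
    DefaultPasswordPresent = [bool]$wl.PSObject.Properties['DefaultPassword']
} | Format-List

# 2. Run-box history for the logged-on user. Explorer records what was actually
#    typed into Win+R here; if "control userpasswords2" is absent, the dialog was
#    reached some other way than by typing it as this user.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    Get-ItemProperty -Path $runMru |
        Select-Object -Property * -ExcludeProperty PS*, MRUList |
        Format-List
}

# 3. Enabled local accounts outside the expected set, with creation-related dates.
Get-LocalUser |
    Where-Object { $_.Enabled -and ($expectedAccounts -notcontains $_.Name) } |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon, Description |
    Format-Table -AutoSize

# 4. Everyone in the local Administrators group; a second admin is the thing to look for.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 5. Security log: 4720 = user account created, 4732 = member added to a local group.
#    These exist only if account-management auditing is on (the Windows default).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $lookback } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 6. Remote-interactive logons (4624 with LogonType 10, i.e. RDP). Property index 8 is
#    the logon type, 5 the target account, 18 the source address. Needs logon auditing.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $lookback } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
                  @{ n = 'Account';  e = { $_.Properties[5].Value } },
                  @{ n = 'SourceIP'; e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize

# 7. Does closing the lid actually sleep the machine? (Debra's point.) Index 1 under
#    the current scheme = Sleep, 0 = Do nothing, 2 = Hibernate, 3 = Shut down.
powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
```

An `AutoAdminLogon` of `1` naming the home user's account, or an unexpected name in steps 3 or 4, is the evidence to capture (screenshots or `Out-File` to removable media) before the reinstall that the accepted answer recommends; an empty step 5 and 6 on a home machine usually means logon auditing was never enabled, not that nothing happened.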
1 Answer
Your main problem is not what the command line had, but the fact that if that was caused by somebody then they could have done anything (pretty much) that the user account could do - the entry route could have been any vulnerability, or anything that you clicked on - without forensic investigation you can't pin it down.

So, from a basic security best practices perspective you should:

  • Format the disk
  • Reinstall
  • Restore data from backup

If you have network logs you can trawl through them to see what happened, but your question makes me think you might not.
        answered Jan 28 at 18:05
Rory Alsop