Re: User password created by hacker

From: Matt Scarborough (vexversa_at_verizon.net)
Date: 05/21/03 

Date: Wed, 21 May 2003 18:34:36 +0000

On Sun, 18 May 2003 16:54:46 -0700, Kimberly wrote
<017e01c31d98$dc725220$a601280a@phx.gbl>
> I have a computer set up with a password for the owner.
> I recently found out that someone who once had access to
> my computer has somehow created their own account and
> password on my computer but it does not show up under the
> user account listed in control panel. Can you tell me
> how they did that?

There are several tools that facilitate this. Microsoft's TweakUI can hide
accounts like this. There are several accounts Windows XP hides from the
Administrator and from other users at the logon screen and when using
Control Panel | Users and Passwords.

By default, any account that begins with "IUSR_", such as "IUSR_hidden" is
also hidden from the Administrator in Windows XP. This is to make sure that
when Internet Information Server 6.0 is installed to Windows XP that the
default IUSR_<computername> account is hidden from the Administrator in
Control Panel | Users and Passwords. Unfortunately this has the side effect
that any account created that begins with "IUSR_" will also be hidden.

As other's have stated, looking in Computer Management for (right-click "My
Computer" and choose manage) or manually launching "Local Users and Groups"
is a better way to view existing users.

> I can look under the computer
> management-security log and see where they got help via
> remote access. please help, also if you can tell me how
> that I can securely lock my computer so they can not do
> that again.

A user who can access the computer as Administrator and run TweakUI can
create and hide accounts from Control Panel | Users and Passwords.
Ultimately we must prevent users from gaining physical access to a computer
to prevent this mischief.

Matt Scarborough 2003-05-21

Relevant Pages

  • Re: Administrator(s)
    ... Strong passwords are long, contain digits, special c ... locate any account that he has and disable it. ... child has knowledge of. ... > I have been the "administrator" since I installed XP ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Password questions/problems
    ... your server as the administrator to do something on the server. ... Here are some recommendations on your user account and passwords ... Reason: User MUST change passwords within 90 days. ...
    (microsoft.public.win2000.security)
  • RE: Mysterious "Support" account created on Win2k server
    ... Once a worm/trojan or an attacker successfully connect to a system via port ... Once a system is compromised with an administrator account, ... > for guessing admin ids and passwords. ...
    (Incidents)
  • Re: Locked Out Of A Dell Laptop
    ... Is the Vista Ultimate user account passwords located in a different place as compared to other versions of Vista? ... I used a standard Vista Recovery Disk that I downloaded and burnt to disk, I can boot into the disk, run the fix problems utility, which says nothing is wrong and if I use the command prompt and use the net user command it displays only Administrator and Guest and not the user on the login screen. ...
    (microsoft.public.windows.vista.general)
  • Re: Account lockouts
    ... for reusable passwords and the AAA infrastructures that rely upon them? ... In that context, account lockout policy -- duration, threshold, lockout ... > cracking attacks. ...
    (microsoft.public.security)