An incident happened on one of our Terminal Servers. One of the people logged in appears to have used Terminal Services Manager to send a message to other users then logg them off. I have checked the event logs, but cannot find any indication of the activity (no "Application Popup" message), nothing in the security logs or system logs. I am looking for guidence in finding some information on who did this. Any suggestions will be greatly appreciated.
Thanks in advance
What do you have available? Live system? Image?
Harlan
If your logged in user has used the "net send" feature to send the message (start - run - net sent all/target "message"), you may find evidence of this in the registry at key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
It might be worth a look there!
Andy