Hi,
I have a situation whereby someone claims that their laptop (with Windows Vista Premium installed) was hijacked remotely whilst the owner of the laptop claimed to be using the computer. The perpetrator used the browser to look at some sensitive websites. The laptop was on the internet at the time (happened a few times over a few months).
I've never seen a remote control software hijack a user session without the user noticing. I just want to get your opinion whether you have seen situations like this in the past. And do you know what tools or software will allow this?
The only software that I know can launch a separate session on a Windows machine is Terminal Server. I'll be grateful if you can tell me if you know of any other remote control software that allows a session (under the same account as the owner of the laptop) to be initiated without the knowledge of the owner while the computer is actually in use?
Thanks
Typically on a Windows box, not a terminal server box, if you use RDP to remotely access the machine, it takes control away from the local user.
I have not tested this on Vista Premium, but I know it is the case on XP and Win 2K.
Telnet will allow you to remote in to a user's box.
Sub-Seven
There are more.
There have been hacks floating around for several years that allow multiple RDP sessions on XP and more recently on Vista as well.
These hacks are pretty easy to identify on a system. For Vista, it usually involves updating XX_termsrv.dll (xx is 32 or 64 depending on your platform). There are usually also some changes to the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ConnectionHandler\
Seems like that would be a stretch that the machine was "controlled" by RDP while he was working on it though. Did you scan the imaged copy of the Vista with AV/AS software?
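
An added example, not part of the thread: a PowerShell triage of the two indicators mentioned in the reply above, the state of termsrv.dll and the values under the two Terminal Server registry keys. It assumes PowerShell 4.0 or later, run on the system under examination or a booted copy of its image; the `-ReferenceDll` parameter is hypothetical and expects a known-good termsrv.dll from the same Windows build and service pack.

```powershell
# Added example: triage for the multi-session RDP modifications described above.
# Assumptions: PowerShell 4.0+; -ReferenceDll (hypothetical parameter) points to
# a known-good termsrv.dll from the same build, supplied by the analyst.
param(
    [string]$TermsrvPath  = "$env:SystemRoot\System32\termsrv.dll",
    [string]$ReferenceDll = ''
)

# 1. The DLL itself: version, timestamps, hash and signature status.
$file = Get-Item -LiteralPath $TermsrvPath -Force
$sig  = Get-AuthenticodeSignature -FilePath $TermsrvPath
$hash = (Get-FileHash -LiteralPath $TermsrvPath -Algorithm SHA256).Hash

[pscustomobject]@{
    Path        = $file.FullName
    FileVersion = $file.VersionInfo.FileVersion
    LastWrite   = $file.LastWriteTimeUtc
    SHA256      = $hash
    # System DLLs are usually catalog-signed and older PowerShell versions do
    # not consult catalogs, so a NotSigned status alone is not conclusive.
    Signature   = $sig.Status
} | Format-List

# A hash comparison against a clean copy is the stronger test.
if ($ReferenceDll) {
    $refHash = (Get-FileHash -LiteralPath $ReferenceDll -Algorithm SHA256).Hash
    if ($refHash -eq $hash) { 'termsrv.dll matches the reference copy.' }
    else                    { 'termsrv.dll DIFFERS from the reference copy.' }
}

# 2. The two registry keys named in the thread: list every value so it can be
#    compared with a clean installation of the same Windows version.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ConnectionHandler'
)
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { "Key not present: $key"; continue }
    "Values under $key"
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata (PSPath, ...)
        Select-Object Name, Value |
        Format-Table -AutoSize
}
```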