TerminalService-RemoteConnectionManager Am I getting hacked?

Last weekend I was out of town, and used remote desktop to sign into my home computer.

When I looked at the screen this morning, it was asking for the password, like it always does when I log in remotely. But there was also a note that "apc.atoipa.com" (that's incorrect, but it was something like that) has logged in.

While I assumed that this is just the Holiday Express that I had signed in from, I checked further.

I went to:

Computer Management
  System Tools
    Event Viewer
      Applications and Services Logs
        Microsoft
          Windows
            TerminalServices-RemoteConnectionManager
              Operational

In this area I can see hundreds of 'Information' lines. They look like "Information    4/5/2016 3:29:25PM    Event ID 261".

There is an information line like this for every second.

Trouble is that I was on the road home all afternoon on the 4/5. I wasn't on any computer.

Under the 'Details' tab I see this kind of text:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>261</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2016-04-05T21:29:25.553703200Z" />
    <EventRecordID>2557190</EventRecordID>
    <Correlation />
    <Execution ProcessID="1204" ThreadID="4068" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>longbottom</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
      <listenerName>RDP-Tcp</listenerName>
    </EventXML>
  </UserData>
</Event>

Can anyone tell me what this is about?

Is Microsoft talking to my computer online, in the background? Maybe for updating purposes?

Or is someone trying (succeeding?) to hack me?


Answer

You are fine, no need for concern.

What you are seeing in the event logs for Terminal Services is normal. What you are seeing is the service listening for inbound connection requests over the RDP protocol; it essentially does this every second, as you are seeing. It looks for a packet that initiates the RDP session.

If you are still concerned about unauthorized access to your computer, you can enable logon auditing on your computer. Do the following.

1) Click Start and then select Run

2) Type MMC and hit Enter.

3) In MMC click on File>Add/Remove Snap-in

4) Look for Group Policy Object Editor and add it

From Group Policy Editor navigate to:

Computer Configuration>Windows Settings>Security Settings>Local Policies>Audit Policy

Double-click on "Audit Logon Events" and enable both buttons.

Now any time someone signs on successfully or unsuccessfully (bad password), it will be stored in the event log. To view them in Event Viewer go to:

Windows Logs>Security

I've attached a screenshot with the local policy that you'd need to change for auditing just for help.

MCP

10 people found this reply helpful
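
To review what logon auditing records once it is enabled, the following PowerShell is an added example and not part of the original reply. It assumes an elevated prompt and a seven-day look-back window (both assumptions), and lists remote logon successes and failures from the Security log by source address.

```powershell
# Added example (not from the original reply): summarize remote logon
# attempts recorded in the Security log once logon auditing is enabled.
# Run from an elevated prompt; the Security log is not readable otherwise.
$since = (Get-Date).AddDays(-7)   # assumed look-back window

# 4624 = successful logon, 4625 = failed logon
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is reported as an error

$rows = foreach ($e in $events) {
    # Named fields are stored as <EventData><Data Name="...">value</Data>
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # LogonType 10 = RemoteInteractive (RDP). Type 3 = Network, which RDP also
    # produces with Network Level Authentication (file sharing uses it too).
    if ($data['LogonType'] -notin '3', '10') { continue }

    # Keep only logons that carry a non-local source address
    $ip = $data['IpAddress']
    if ([string]::IsNullOrEmpty($ip) -or $ip -in '-', '::1', '127.0.0.1') { continue }

    $result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = $result
        User     = $data['TargetUserName']
        Type     = $data['LogonType']
        SourceIP = $ip
    }
}

# One row per source address / account / outcome, busiest first
$rows | Group-Object SourceIP, User, Result | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Count    = $_.Count
        SourceIP = $sorted[0].SourceIP
        User     = $sorted[0].User
        Result   = $sorted[0].Result
        First    = $sorted[0].Time
        Last     = $sorted[-1].Time
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Rows with a source address or time window you do not recognize are the ones to look at first; an empty result can also mean the prompt was not elevated or auditing is not yet enabled.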


Question Info


Last updated April 26, 2024 Views 11,890 Applies to: