How can I tell if someone is remote desktopped to my PC?
May 12, 2006 7:05 AM

Is there any way of telling whether someone is connected to my computer via remote desktop?

I swear I'm not being paranoid but every now and again my optical mouse moves large distances across the screen without me having moved it quite that far. I could swear that someone has remote-desktopped to my PC but I'm not sure how to monitor that kind of thing. Are there any utilities out there that can be used to display an alarm when someone has connected?

I'm inside a corporate firewall so it would most probably be coming from someone inside the company. The only piece of software I have found that might be useful is TCPView from Sysinternals. Anyone have any experience with this?

Lastly, I don't have any admin rights although I know a kind admin that could install stuff for me...
posted by mikeanegus to Computers & Internet (21 answers total)

FWIW, my optical mouse does that all the time. Mouse quirk.
posted by deadfather at 7:09 AM on May 12, 2006

Do you have a Microsoft mouse? They do that. See these reviews. It probably happens to an extent with most brands of optical mice.
posted by fire&wings at 7:15 AM on May 12, 2006

I have an optical mouse that'll do this if there's dust or hair on the sensor. That's a more likely explanation -- especially given you're in a corporate environment -- than a remote session.

Since you have a friendly admin, why not bring the actual problem to his attention?
posted by majick at 7:16 AM on May 12, 2006

What sort of desktop are you using the mouse on? Woodgrains and other surfaces with varied colorings can throw the optics off and make your cursor jump all over creation. A plain, solid color surface is best for optical mice. I've actually resorted to using an old mousepad. Taping down a sheet of paper works well, too.
posted by Thorzdad at 7:19 AM on May 12, 2006

optical mice sometimes skip; get a different mousepad (or start using one if you're not) and see if it goes away. (every one of the optical mice I've ever used has skipped at one time or another - how much really depends on what kind of desk I'm sitting at at the time.) remote desktop in Windows XP will lock you out if someone else connects to it (you're only allowed to have one person at a time actively logged into the computer). you could try turning off Remote Assistance - right click on My Computer, go to Properties, and uncheck it in Remote. you may not have permissions to do that though. the only other thing you may have is a rogue copy of VNC on there - you may be able to get your admin friend to scan for it. googling for VNC detectors was unsuccessful (it's a legit program and most copies of it don't have facilities to bury themselves in your system).
posted by mrg at 7:20 AM on May 12, 2006

here's two ways to check:

1) go to control panel, administrative tools, computer management, expand the 'shared folder' and click on sessions. any remote incoming sessions should be listed there.

2) or, if you do not have privileges to do this, go to start, run, type cmd, which opens the windows cmd shell and type 'netstat -an'. this will list a whole bunch of network connections on your PC. if any one of these entries shows a connection on 3389, someone may be connected. it would look something like this:

TCP your.ipaddress:3389 someone.else:random number ESTABLISHED

keep in mind, if the someone.else ip address is or, this does not mean someone is connected to you. it would have to be an ip other than these two.
posted by poppo at 7:39 AM on May 12, 2006

If you are logged in nobody can remote desktop in. There is something else called remote assistance but if somebody is using that it's super obvious. Probably just a bad mouse.
posted by zeoslap at 7:59 AM on May 12, 2006

you can run the 'netstat' command from the command line to see who's connected.
posted by Mean Mr. Bucket at 8:02 AM on May 12, 2006

IIRC (and I may not)


NetMeeting Remote Desktop Sharing -> Disabled, Stop
Remote Desktop Help Session Manager -> Disabled, Stop
posted by Ryvar at 8:05 AM on May 12, 2006

zeoslap is almost correct. If someone remotely connects to your desktop through RDP (and they have more authority than you) then you will be logged-out unless your XP installation (assuming you're using XP) has been specifically tweaked to allow more than one user to connect to the workstation simultaneously (and this is not that easy to do).

Even if that was the case, moving your mouse? Even if someone else was connected to the machine through RDP, your session is your session. They wouldn't be able to interact with your session, only log you out (provided they had the authority).

Another vote here for optical mouse trickery, but you might want to run a virus check using Housecall. There are trojans out there that would do what you're suspecting of RDP.
posted by purephase at 8:20 AM on May 12, 2006

Ditto all of the above, but there's another useful point that's been missed so far.

Windows XP Home, Pro, Pro VLK, Tablet, and MCE are licenses for only ONE USER AT A TIME.

Meaning that if someone uses Remote Desktop to log in to your machine, they must have Admin rights because their logging on WILL LOG YOU OFF.

Ergo, if you're still using that computer, then nobody else is using Remote Desktop to access it. I'm referencing Remote Desktop per your question...VNC or something similar may be able to view the current session without an actual logon.

Windows Server 2003 is a different story, with the Standard license allowing for five simultaneous logons.

And lastly: Optical mouse quirks are common, even on mouse pads, even when the moon is in the second house of blah, blah, blah. It happens. Not a big deal.

Besides, you should pretty much assume that when you're using a computer that belongs to a corporation, you're being watched. Act accordingly.
posted by SlyBevel at 8:21 AM on May 12, 2006

Most likely it's a mouse bug. Try cleaning it or getting an updated driver.

The RDP information above is correct but you may have a VNC installation or some other remote control software installed. Most virus scanners will catch this with the exception of VNC. Is there a process called winvnc.exe running right now?

If you know how to understand what's in a netstat -a then you should see what ports you are listening to. A malicious user will not run VNC on the standard ports 5900-5905.

I believe Windows Defender will detect a VNC installation and give you a warning.
posted by skallas at 8:43 AM on May 12, 2006
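
The netstat checks described in poppo's and skallas's answers, as an added example that is not part of any comment in this thread: it parses `netstat -an` output, reports ESTABLISHED inbound connections to 3389 or 5900-5905, and lists every listening TCP port for review. The sample output is constructed, and treating loopback and unspecified peer addresses as "not a remote connection" is this example's own assumption.

```python
import ipaddress
import re

# Ports named in the thread: 3389 (Remote Desktop), 5900-5905 (standard VNC).
WATCHED = {3389: "RDP", **{p: "VNC" for p in range(5900, 5906)}}

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        192.0.2.77:51234       ESTABLISHED
  TCP    192.0.2.10:49222       198.51.100.5:3389      ESTABLISHED
  TCP    127.0.0.1:5900         127.0.0.1:49300        ESTABLISHED
  TCP    192.0.2.10:5901        192.0.2.80:40112       TIME_WAIT
  UDP    0.0.0.0:500            *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip.strip("[]"), int(lport), rip.strip("[]"), int(rport), state

def is_remote_peer(ip):
    """False for loopback/unspecified/unparseable peers (example's assumption)."""
    try:
        addr = ipaddress.ip_address(ip.split("%")[0])
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified)

def inbound_sessions(text):
    """Established connections whose LOCAL port is a watched remote-control port."""
    return [(WATCHED[lp], rip, rp) for _, lp, rip, rp, st in parse(text)
            if st == "ESTABLISHED" and lp in WATCHED and is_remote_peer(rip)]

def listening_ports(text):
    """All listening TCP ports, since VNC may be moved off 5900-5905."""
    return sorted({lp for _, lp, _, _, st in parse(text) if st == "LISTENING"})

if __name__ == "__main__":
    print(inbound_sessions(SAMPLE), listening_ports(SAMPLE))
```

The outbound row (remote port 3389) is ignored because only the local port identifies a session into this machine. Compare the listening-port list against what the machine is expected to run.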

my cheap MS optical mouse does this all the time, I hate it, I cleaned out all my drivers as per what MS says and it came back just a few days later.
posted by yeahyeahyeahwhoo at 8:55 AM on May 12, 2006

My cheapo Logitech mouse enjoys sending the mouse pointer towards the upper left corner of my screen if I leave it unattended for more than 10 seconds or so. I blame the Earth's magnetic field, and the ghost of John Candy.
posted by blue_beetle at 9:09 AM on May 12, 2006

Funny I've been thinking of asking this question for a week or so now, but I've been putting it off assuming I'm just being paranoid and that it was probably my optical mouse. Thanks for asking mikeanegus, and thanks to everyone else for calming my nerves.
posted by raedyn at 9:13 AM on May 12, 2006

Same here Raedyn! Along the same lines, is there a way to see if someone is piggybacking on my wireless connection?
posted by KevinSkomsvold at 11:29 AM on May 12, 2006

Yeah, if someone is using your wireless connection then chances are they're using your DHCP server too. Somewhere in your router's config there should be a DHCP lease section. There should only be leases for your computers. If you see a computer name you don't recognize with a lease then someone is using your wireless without your permission.
posted by skallas at 12:00 PM on May 12, 2006 [1 favorite]

Skallas is mostly right, but keep in mind that not every device which shows up in your lease table will have a name associated with it. Many will show up blank. For instance, included in my list right now, with no names, are my network bridge, my TiVo, my Xbox 360, and two Linux boxes.

It helps to know the MAC of each item, as that will always be listed in this table.
posted by Dunwitty at 2:25 PM on May 12, 2006

KevinSkomsvold writes "Along the same lines, is there a way to see if someone is piggybacking on my wireless connection?"

The best route to take is not to see who's using your connection, but to secure it so that people cannot connect. Depending on your wireless access point, you should definitely use some kind of encryption (preferably WPA-PSK or WPA2-PSK with AES/TKIP -- WPA2-Enterprise would be the best route, but not a lot of consumer APs support this model). On top of that, hide your SSID, set up a MAC filter (both are easy to circumvent, but with the added encryption layer, it makes it slightly less of a target).

Finally, make sure your PSK (pre-shared key) is 15 characters+ and that you change it at least twice a year. With these steps, the likelihood of someone using your AP without knowing the PSK is very unlikely (almost impossible with AES and WPA2).

sorry for the acronym nightmare, but once you're in your access point's configuration you'll see a lot of those terms being tossed around.
posted by purephase at 2:40 PM on May 12, 2006

My cheap optical mouse used to do that all the time, and I'd always accidentally click on the wrong thing if I wasn't careful. My boyfriend hated it, and got his sister to buy me a new optical mouse for Christmas one year. I haven't had that problem since.
posted by limeonaire at 6:53 PM on May 12, 2006

Certainly it's a mouse issue.

FYI, the people saying you can't RDP a session without logging a person off are kind of wrong. Remote assistance is basically a gussied up version of the shadowing feature of RDP that exists also on win2k/2k3 server (run shadow from your command line in XP), which by default will allow you to mirror someone's existing session but will prompt them to allow it first (you can disable the prompt to silently shadow someone).

XP by default will not let you shadow the console login, but I imagine there are hacks to make that happen, just as in windows server you can disable the prompt for confirmation when you try to shadow a session.
posted by hincandenza at 10:53 AM on May 13, 2006
