-3

I recently received my laptop from repair and I just had a hunch that something fishy might have happened, so I checked the log files in Windows Event Viewer, and it turns out that my laptop has been successfully logged into while it was sent for repair.

It was sent for repair as it could not be charged. The logs show that the laptop was turned on for a few seconds, twice on the same day it was handed over. I assume this is just the repair person doing some preliminary tests.

3 days later it was used again for 5 mins and then nothing until I received it. During this time the security logs that really worry me are two consecutive events with Event ID: 4624, An account was successfully logged on. The Logon Type is 2, which means a user logged on. The account name is my name.

The same event is logged when I manually log on to my laptop. Does this mean that my laptop's password has been hacked? Is there any other explanation for these logs?

I have a local account on Windows 10 with a fairly strong password. I know that my laptop can be hacked. Is there a way to tell that it was hacked for certain? I have used antivirus software but it detects nothing.

Giacomo1968
Freddit
  • “Is there a way to tell that it was hacked for certain?” No. But if you are concerned there is a very easy solution: Just change the password. – Giacomo1968 Mar 07 '21 at 05:58
  • What if some malware has been installed? I do have antivirus but it detects nothing. – Freddit Mar 07 '21 at 06:16
  • Why do you believe malware would have been installed this way? “I do have antivirus but it detects nothing.” Then what do you think that detecting nothing means? It means there is nothing except the paranoia in your mind. Just change your password and move on with life. – Giacomo1968 Mar 07 '21 at 16:16

2 Answers

2

Windows has a facility to log a user in before they enter passwords and effectively when you log in you are simply "unlocking" your account. This is done to ensure that updates are performed upon boot and keeps your system up to date.

It could be this that you are seeing and the shop simply powered it on to test that whatever they did to repair it worked. They could have then tried it again a few days later to see that it had not lost a significant amount of charge or was still able to charge.

Unless you can see signs that all your data has been accessed or other programs installed it does not necessarily mean that they were doing anything unexpected or nefarious.

You can find out more about that setting and how to disable it at Windows 10 - Users already logged in at boot

Mokubai
  • Thank you for the explanation. However, I have been unable to replicate the behavior logged during the repair. Logs show several logons of type 5 (Service Control Manager) and some of Type 2 (User Interaction), but a logon of type 2 with my USERNAME only occurs when I log in with the password. Event ID 4648 is another such event. It reads "A logon was attempted using explicit credentials" and has my username as the account name. Anyway, I have decided to proceed assuming that the laptop has been hacked. Any advice concerning safe extraction of data and reset of the machine is appreciated. – Freddit Mar 09 '21 at 17:05
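
A way to review the events discussed in the question and the comment above (Event IDs 4624 and 4648) for a chosen time window, as an added example that is not from any poster on this page. The function names, the sample event and the account `ExampleUser` are constructed for illustration; the data field names are those recorded in the Security log for these events.

```powershell
# Added example: flatten Security events 4624/4648 into one row per logon.
$LogonTypeName = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
                    7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertTo-LogonRecord {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Collect the named <Data> fields of the event into a lookup table.
    $data = @{}
    foreach ($d in $EventXml.GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # 4648 events carry no LogonType field, so leave it empty for them.
    $type = if ($data.LogonType) { [int]$data.LogonType } else { $null }
    [pscustomobject]@{
        Time      = $EventXml.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
        EventId   = [int]$EventXml.GetElementsByTagName('EventID')[0].InnerText
        Account   = $data.TargetUserName
        LogonType = if ($type) { '{0} ({1})' -f $type, $LogonTypeName[$type] } else { '' }
        LogonProc = $data.LogonProcessName
        Process   = $data.ProcessName
        SourceIp  = $data.IpAddress
    }
}

function Get-LogonRecord {
    # Reads the live Security log; needs an elevated PowerShell session.
    param([datetime]$Start, [datetime]$End, [string]$UserName)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4648
                                     StartTime = $Start; EndTime = $End } |
        ForEach-Object { ConvertTo-LogonRecord ([xml]$_.ToXml()) } |
        Where-Object { $_.Account -eq $UserName } |
        Sort-Object Time
}

# Constructed sample event (not taken from the asker's machine), parsed offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2021-03-01T10:00:00.0000000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">ExampleUser</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>
'@
ConvertTo-LogonRecord ([xml]$sample) | Format-List
```

On the affected machine, calling `Get-LogonRecord` with the dates the laptop was away and the account name lists each matching logon with its type, logon process and originating process side by side, which makes it easier to compare those entries with the ones produced by a normal password logon.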
-2

It would need to be a very good hacker if he managed to install undetectable malware in only 5 minutes. But the danger from a workshop employee isn't the only one, given that your computer was turned on and even (perhaps) logged into in an environment that you don't control.

I would suggest running a few antivirus full scans on your computer, using several well-known such products, in addition to Windows Defender. Some of them can run the scan from the browser.

You may find a list of such products in the article Best Free Antivirus Software.

harrymc
  • Downvoters: This seems to me like good advice. There are many ways to login without a password, not much hacking required; the workshop might have done it as a brief test. – harrymc Mar 07 '21 at 17:54
  • The downvote from me comes from the fact you have 350,000+ rep but are effectively posting an extended comment and a link-only answer. The same advice would work just as well as a comment. Additionally, [Mokubai’s answer](https://superuser.com/a/1631551/167207) provides more context as to what the login behavior they saw was/is; I suspected as much but it was an expected Windows quick-login behavior. That explains what the behavior is so this doesn't all just seem random. – Giacomo1968 Mar 07 '21 at 22:02
  • @Giacomo1968: First, bravo on owning up to the downvote, which is so very rare. Second, the answer of a 350K+ user was perhaps motivated by too many possible scenarios for me to worry the poster with them all. Mokubai’s answer supposed that he knows what happened to the computer in the workshop, for which my crystal ball stays mute. The poster's worry is entirely valid, and my advice is exactly what I would do in his place. Mokubai’s answer advises doing nothing, which I don't. A pity that the downvotes will turn the poster away from my answer. – harrymc Mar 08 '21 at 08:26
  • My answer is positing one particular and reasonably likely option without attempting to prejudice the people who did the repairing. If other options are likely I would hope that other answers would detail how to find out or provide some kind of indication of what to do. You do provide *some* useful advice. I did not downvote your answer. – Mokubai Mar 08 '21 at 10:13
  • @Mokubai: Thanks, and I certainly didn't think that you did so. I don't think that it helps to list all the possibilities for what could have happened and how the poster's computer could have been infected in the workshop, even unknown to the employees, if some other infected computer was present and connected to the same network. Unfortunate that my advice would probably be ignored now, but fortunate that the real chances for infection are probably very low. – harrymc Mar 08 '21 at 10:30
  • @harrymc Your whole answer is also negated by [the comment left by the original poster](https://superuser.com/questions/1631473/have-i-been-hacked/1631523?noredirect=1#comment2491697_1631473) that states, “What if some malware has been installed? I do have antivirus but it detects nothing.” If they ran anti-virus and it showed nothing… Then nothing is there. – Giacomo1968 Mar 09 '21 at 00:44
  • @Giacomo1968: One antivirus is not enough. I once encountered an infection that was eradicated only by the 3rd antivirus I ran. – harrymc Mar 09 '21 at 06:16
  • One final note: your tone here, “First, bravo on owning up to the downvote…” and here, “A pity that the downvotes will turn the poster away from my answer.” are so vain and self-important that the downvote is very rightfully earned. The reality is your “answer” is a comment and you know it. That’s all! – Giacomo1968 Mar 09 '21 at 16:12
  • @Giacomo1968: My final note: You apparently don't have the knowledge to understand why this isn't comment-level, although you're not alone. Asking and learning is much better than blind animosity. – harrymc Mar 09 '21 at 19:59