"control userpasswords2" in Run box

windows-10 security user-accounts laptop

When a home user woke their laptop (HP with Windows 10, Office, Defender, Chrome, a few games) this morning, it went straight to the desktop (no password prompt) and the Run command box was open with "control userpasswords2" in it. Nothing else was open.

The computer was used yesterday for routine web surfing, then lid closed. No one had physical access overnight (let's assume a Mission Impossible style break-in did not occur).

Any ideas how that got there, or what to look for? Is there some macro that might cause this? Or is it a remote intrusion?


Your main problem is not what the command line had, but the fact that if that was caused by somebody then they could have done anything (pretty much) that the user account could do - the entry route could have been any vulnerability, or anything that you clicked on - without forensic investigation you can't pin it down.

So, from a basic security best practices perspective you should:

  • Format the disk
  • Reinstall
  • Restore data from backup

If you have network logs you can tell everyone through them to see what happened, but your question makes me think you might not.

Related

Origin of USBMS packets referring to MS-DOS
No colors in weechat, tig, htop, ranger, etc
How to check if a date is between specific days compared using the TODAY() function
How does the mbr transfer its control to the bootloader
Why does "last" command return logins from "192.168.1.1"?
Cannot upgrade Mac OSX because my hard drive is encrypted
Modify SIP in normally booted system
External Hard Drive Encryption
pfctl to add rules at runtime WITHOUT editing /etc/pf.conf?
App Privacy in App Store
Restore Classic layout to Apple Mail
Apple ID - Security questions reset