-3

I recently received my laptop from repair and I just had a hunch that something fishy might have happened, so I checked the log files in Windows Event Viewer, and it turns out that my laptop was successfully logged on to while it was away for repair.

It was sent for repair as it could not be charged. The logs show that the laptop was turned on for a few seconds, twice on the same day it was handed over. I assume this is just the repair person doing some preliminary tests.

3 days later it was used again for 5 mins and then nothing until I received it. During this time the security logs that really worry me are two consecutive events with Event ID: 4624, An account was successfully logged on. The Logon Type is 2, which means a user logged on. The account name is my name.

The same event is logged when I manually log on to my laptop. Does this mean that my laptop's password has been hacked? Is there any other explanation for these logs?

I have a local account on Windows 10 with a fairly strong password. I know that my laptop can be hacked. Is there a way to tell that it was hacked for certain? I have used antivirus software but it detects nothing.

1
  • What if some malware has been installed? I do have antivirus but it detects nothing.
    – Freddit
    Commented Mar 7, 2021 at 6:16

2 Answers

2

Windows has a facility to log a user in before they enter passwords and effectively when you log in you are simply "unlocking" your account. This is done to ensure that updates are performed upon boot and keeps your system up to date.

It could be this that you are seeing and the shop simply powered it on to test that whatever they did to repair it worked. They could have then tried it again a few days later to see that it had not lost a significant amount of charge or was still able to charge.

Unless you can see signs that all your data has been accessed or other programs installed it does not necessarily mean that they were doing anything unexpected or nefarious.

You can find out more about that setting and how to disable it at Windows 10 - Users already logged in at boot

1
  • 1
    Thank you for the explanation. However, I have been unable to replicate the behavior logged during the repair. Logs show several logons of Type 5 (Service Control Manager) and some of Type 2 (User Interaction), but a logon of Type 2 with my USERNAME only occurs when I log in with the password. Event ID 4648 is another such event. It reads "A logon was attempted using explicit credentials" and has my username as the account name. Anyway, I have decided to proceed assuming that the laptop has been hacked. Any advice concerning safe extraction of data and reset of the machine is appreciated.
    – Freddit
    Commented Mar 9, 2021 at 17:05
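
To review the events discussed above (4624 with its Logon Type, and 4648), the following PowerShell lists them for one account in a time window, together with the logon process and originating process recorded in each event. It is an added example, not part of any post in this thread; the dates and account name are placeholders to replace, and it must be run from an elevated prompt to read the Security log.

```powershell
# Placeholders (assumptions): set these to the repair window and your own account name.
$start = Get-Date '2021-02-20'      # constructed date
$end   = Get-Date '2021-03-06'      # constructed date
$user  = 'YourAccountName'          # placeholder

# Logon types that involve someone at the console or a remote desktop session.
$typeNames = @{ '2' = 'Interactive'; '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

function Convert-LogonRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # Flatten the <EventData><Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time         = $Record.TimeCreated
            Id           = $Record.Id
            TargetUser   = $data['TargetUserName']
            SubjectUser  = $data['SubjectUserName']
            LogonType    = $data['LogonType']          # only present on 4624
            TypeName     = $typeNames[[string]$data['LogonType']]
            LogonProcess = $data['LogonProcessName']   # e.g. User32 for a console logon
            AuthPackage  = $data['AuthenticationPackageName']
            Process      = $data['ProcessName']        # executable that requested the logon
            SourceIp     = $data['IpAddress']
        }
    }
}

# 4624 = successful logon, 4648 = logon with explicit credentials, 4647 = user-initiated logoff.
$filter = @{ LogName = 'Security'; Id = 4624, 4648, 4647; StartTime = $start; EndTime = $end }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Convert-LogonRecord |
    Where-Object {
        # Keep events that name the account, dropping service/system logon types on 4624.
        ($_.TargetUser -eq $user -or $_.SubjectUser -eq $user) -and
        ($_.Id -ne 4624 -or $typeNames.ContainsKey([string]$_.LogonType))
    } |
    Sort-Object Time |
    Format-Table Time, Id, TargetUser, LogonType, TypeName, LogonProcess, AuthPackage, Process, SourceIp -AutoSize
```

Comparing the rows from the repair window with rows from a day when you logged on yourself shows whether the recorded logon process, authentication package and originating process match a normal password logon at the console.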
-2

It would need to be a very good hacker if he managed to install undetectable malware in only 5 minutes. But the danger from a workshop employee isn't the only one, given that your computer was turned on and even (perhaps) logged into in an environment that you don't control.

I would suggest running a few full antivirus scans on your computer, using several well-known products, in addition to Windows Defender. Some of them can run the scan from the browser.

You may find a list of such products in the article Best Free Antivirus Software.

3
  • Downvoters: This seems to me like good advice. There are many ways to log in without a password, not much hacking required; the workshop might have done it as a brief test.
    – harrymc
    Commented Mar 7, 2021 at 17:54
  • 1
    My answer is positing one particular and reasonably likely option without attempting to prejudice the people who did the repairing. If other options are likely I would hope that other answers would detail how to find out or provide some kind of indication of what to do. You do provide some useful advice. I did not downvote your answer.
    – Mokubai
    Commented Mar 8, 2021 at 10:13
  • @Mokubai: Thanks, and I certainly didn't think that you did so. I don't think that it helps to list all the possibilities for what could have happened and how the poster's computer could have been infected in the workshop, even unknown to the employees, if some other infected computer was present and connected to the same network. Unfortunate that my advice would probably be ignored now, but fortunate that the real chances for infection are probably very low.
    – harrymc
    Commented Mar 8, 2021 at 10:30
