Unknown user accounts appear after XP Lockup

Chris McDaniel

XP locked up and after a hard reboot, several unknown
user accounts appear: SQLDebuger, Guest, ASPNET_WP, and
the normal user. XP was set up originally to use no
password for the normal user. Tried to use recovery
console and determine if the setup log file had any
random passwords associated, could not find the username
section. Admin password for recovery console was
<enter>. Tried that on a normal boot, the error message:
The policy does not allow you to logon interactively.
The error message appears on the guest, local, and
Administrator accounts.

I am aware this is a remote connection error message, but
I am local to the machine. This is very strange; can MS
or anyone else assist?


Thanks in advance.

Chris
 
Are you sure you have not recently installed something?
Clearly Guest and "the normal user" are not, as you have
stated, unknown accounts.
The other two mentioned can be defined during some installs.

The message you cited, about not having rights to log on locally
is the normal message given during a console (at the keyboard
or using remote desktop) login attempt, not a remote (over the
network, share access) login attempt, when the user right to
log on locally either has been denied or not granted (these are
two separate policies).

If this is XP Pro you can use an admin account to change
these settings in the User Rights node within the Local Security
Policy. If this is XP Home you do not have this option, but you
could try using the ntrights utility from the Windows 2000/2003
resource kit.

If you did not do an install recently to cause this, then someone
else likely did, making use of the wide open nature of your machine
which had no password on the Administrator account and apparently
also on your "normal user" account (is it an admin?).
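
An added example, not part of any post in this thread: once an admin login is available, the two separate policies mentioned above ("Log on locally" and "Deny logon locally") can be read from a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export. The Python sketch below parses that export; the sample INF text is constructed and the function names are hypothetical.

```python
import configparser

# Constructed sample of a secedit user-rights export; not taken from the thread.
# A real export is UTF-16, so read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-544,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

GRANT = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

# Well-known SIDs that secedit writes in place of built-in group names.
WELL_KNOWN = {
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-545": "Users",
    "*S-1-5-32-546": "Guests",
}

def parse_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for right, value in cp.items("Privilege Rights"):
            names = [WELL_KNOWN.get(p.strip(), p.strip()) for p in value.split(",")]
            rights[right] = [n for n in names if n]
    return rights

def local_logon_report(rights):
    """Summarise console logon rights; a deny entry overrides any grant."""
    granted = set(rights.get(GRANT, []))
    denied = set(rights.get(DENY, []))
    return {
        "can_log_on": sorted(granted - denied),
        "blocked_by_deny": sorted(denied),
        # Group membership is not resolved here: an account that belongs to a
        # denied group is blocked even if another of its groups is granted.
        "admins_locked_out": "Administrators" in denied
                             or "Administrators" not in granted,
    }
```
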
 
Roger -

Thanks for the response. This is not a corporate
machine, it's a home PC. It is using XP Pro. How would
the policy change based on a lockup? The XP machine
locked up and then on the reboot, the "new" accounts
appear and nothing can log on, not even the admin account.

Thoughts?
 
Not sure just what behavior you experienced that you
describe as a lockup. However, it sounds to me like
someone installed something. If your administrator account
had no password then in Pro this is easily done, especially
if you had your firewall down.

So, your task is 1) getting logged in with admin power
2) reassert your control by setting new pwds everywhere
3) assessing what is installed that is new/unrecognized
and 4) if prior step found something, figuring how to
clean it out and feel sure it is all out.
 
Roger -

Several applications were running before the lockup... The
machine froze and wouldn't respond. ctrl-alt-del would
bring it out and there was no kbd or mouse response. The
applications were MS based except for transcription
program and abbreviation dictionary. Those have been
installed for over a month.

A BIOS patch was recently installed on the MB, and I
don't see how this would have affected XP Policies.
Maybe hardware config, but not policies.

I tried the ctrl-alt-del quickly twice routine (mentioned
by Jupiter Jones in a similar case) and
entered "Administrator" and enter as the password. I got
the same error message as previously mentioned.

Thoughts?
 
Thoughts are as I stated, someone made themselves at home
on your machine as it had no pwd on an admin account.
Just a suspicion, but what you describe sounds like some
freshly installed code (in or outside of your knowledge).

The built-in Administrator account cannot be disabled from
local login, but it can be renamed and then an account can
be defined with the name Administrator and this account can
be disallowed local login. My guess is that this may be part
of what has happened.

However, without getting administrative access, all this is
just suspicion. One would have to break into the system so
as to look around (and take control over the existing accounts
by changing all of their passwords). Then one could decide
whether there is a software conflict issue, uninvited malware
installed, or what . . . as far as next steps.
You could try one of the password set bootdisks to get a
foothold on the problem by recovering a known admin account
you may log in with. http://securityadmin.info
 