Where else can I track down this?

[newsposter]

Other than the event viewer is there anywhere else to track down when
someone else may have logged on as administrator?
Thanks.

 

[Roger Abell]

Last accessed timestamps on files in their account profiles.

 

[Peter Clark]

yes - check their ntuser.dat file or search for ntuser.dat
in c:\documents and settings\ -> sort by date, however
theres a value logged in the sam file of when the user was
last logged on at:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%userno%\F
offset:8 length:8 (format similar to registry time???) if
you want me to verify and explain how to calculate the time
precisely, send me an email.

 

[newsposter]

Last accessed timestamps on files in their account profiles.

Ok thanks, so even if they deleted the logs, I could tell that they
logged on after me yesterday, but before me today. I'm thinking that
they logged on under admin and found out my password. I don't want to
change it yet because I want to be able to verify the admin acct was
logged into.

 

[Roger Abell]

Well, keep in mind that if you go by last-accessed timestamps
you get one chance to find out the timestamp as your access will
update it.

You said

they logged on under admin and found out my password

This cannot be done, unless they install a key logged and catch
it as you use it, or unless you have used a weak one that is easy
to crack after they lift the SAM. Otherwise, XP does not store
you password so they could not have dug it out from XP.

 

[newsposter]

I obviously misspoke and didn't mean they logged on then found my
password. oops sorry.