Installing the Remote Access Monitor

You can download the MSI from Codeplex. Double-click this file to install Remote Access Monitor on your machine. On install, the monitor is automatically added to your Start-up applications list, which means it will automatically start scanning when you start your computer.

Alternatively, the source code is available too.

Using Remote Access Monitor

Remote Access Monitor is automatically started when you start your computer, but you can also start it manually using the shortcut icon on your desktop. If you try and start another instance of the Remote Access Monitor, the application will alert you that it is already running.

You can minimise the application, and it will continue to work. You can access the monitor from your system tray (when you minimise the monitor, it will show you where it goes!).

The monitor will quietly poll your process list every 10 seconds and will alert you if another user spawns a process (for example by starting a remote-desktop session on your machine).

If remote access is detected, the Remote Access Monitor will appear - even if you have minimised it previously. It will display the details of the user accessing your machine. Normally this will appear as two lines in the monitor:

11/12/2009 08:27:32 --- DOMAIN\UserName --- Detected
11/12/2009 08:27:32 --- DOMAIN\NETWORK SERVICE --- Detected

To clear the alert, press the "Clear" button.

The monitor will continue scanning and will let you know when:

a) A new user connects
b) A user disconnects

When a user disconnects and logs off of the machine, you will receive the following alert:

11/12/2009 08:29:12 --- DOMAIN\UserName --- Ended
11/12/2009 08:29:12 --- DOMAIN\NETWORK SERVICE --- Ended

All alerts are added to the list of alerts displayed in the UI.

Notes On Alerts

You may receive several alerts for a single access. This occurs when the access requires processes to be spawned under several different user accounts. For example, if the access causes Network Service to start a process or if a System process is started remotely. The policy is that ALL of these are displayed without filters - this means you may receive one or two additional warnings, but this also means you are getting the maximum possible coverage of access alerts.


Why can't I see myself in the "Connections" tab?

The Connections tab only displays remote connections, so you won't appear in this tab if you are connected locally.

Last edited Jan 14, 2010 at 8:32 AM by Sohnee, version 5


No comments yet.