So it seems that one place I work had someone log in with remote software from corporate but without asking first. Sure enough – a little digging in the events viewer look for events with these id’s for Dameware. 105,108,111,112,109. Even better – you can add a filter and on the filter window – you choose “By Source” and choose dwmrcs. Then – lo and behold – someone did log into my computer while I was using it. If you look at the 111 connect log, it tells you what computer, the username and no – permission is not required. How did I know? Dameware has a telltale screen goes black and flickers like your display cards are not working- then I realized – hold on – this is the same flicker that happened when I got remote help from corporate. One can add tasks and popups to event ID’s. 111 is the id that is the connect ID. Too bad I cannot get charge and get paid to do this research – but that is the life of a contractor – I get to do really cool things though.

Other things you can do is go to the sys tray icon and look for a green&red icon and right click on it. Choose “Who Is Connected”.

Who was it? Well – you could TRY – copying the host name and the IP and using Outlook’s Rules to copy any emails with these in the header – but no one emailed me from the machine from which they connected sadly. Lots of cool hidden stuff right on your desktop.