Potentially suspicious "other people are logged on" pop-up window.

Hi all.

My dad's been seeing a pop-up window every now and again which says "Other people are logged on to this computer. Shutting down Windows might cause them to lose data. Do you want to continue shutting down?" He says that he isn't doing anything to cause it to appear, but regardless of whether he chooses "Yes" or "No", the computer shuts down. I've had a look and it doesn't look like the usual prompt, given that it's in a generic window and not in the usual place next to the shutdown button on the start menu. It's movable and floats above all other windows: Process Explorer says it's controlled by a csrss.exe process which I've scanned using my AV and SFC and can't see anything amiss.



Apologies for the phone camera image.

My mom also has an account on this computer, and at the time I saw the pop-up her account was also logged in. I don't know if this is true every time this message has appeared, nor can I be sure that my dad's correct in saying that it shuts the PC down regardless of which button he clicks: when I clicked on "no", the pop-up closed but Windows remained running. I can't rule out that he's accidentally clicking on something or activating a keyboard shortcut to spawn this window, but I'm pretty certain that it's not the standard Windows 10 prompt for the situation it claims to relate to. Googling that exact phrase shows that it predates Win10 - I found one link from 13 years ago saying it appeared in Win XP.

I rebuilt the PC recently: it's running 1903, build 18362.356. I can't see any processes in Task Manager which are obviously out of place, nor are any processes overtly using significant amounts of CPU or network bandwidth. I'm suspicious that it's some kind of malware, but csrss.exe appears clean. There's a slight chance that one of the background tasks I've set up for automatic backups might be triggering a shutdown after it's complete, but as far as I can tell they're not configured to do that, and even if they were, the message wouldn't use this generic window.

Can anyone offer any advice? Is there some way to track down exactly where this is coming from?

Thanks in advance.

NJMorf said:

Can anyone offer any advice? Is there some way to track down exactly where this is coming from?

This has been seen by some since version 1709. See this thread, particularly Brink's post #7.

Windows 10 last user remains logged in after reboot

You normally see that window when another user is logged on and the the PC has been switched to view another account on the same PC without logging off the original account.

Thanks for the replies. From what I've read here and in other places, I assumed that people were seeing this window when they were deliberately shutting the computer down. Is it appearing spontaneously for other people in the same way that my dad is claiming? And is it definitely appearing as the same style of window as in my screenshot?

Late reply, but I finally worked out that this was caused by a SyncBack Free backup profile that I had set to shut the PC down on completion. Deselected that option and the problem went away.