New
#1
Potentially suspicious "other people are logged on" pop-up window.
Hi all.
My dad's been seeing a pop-up window every now and again which says "Other people are logged on to this computer. Shutting down Windows might cause them to lose data. Do you want to continue shutting down?" He says that he isn't doing anything to cause it to appear, but regardless of whether he chooses "Yes" or "No", the computer shuts down. I've had a look and it doesn't look like the usual prompt, given that it's in a generic window and not in the usual place next to the shutdown button on the start menu. It's movable and floats above all other windows: Process Explorer says it's controlled by a csrss.exe process which I've scanned using my AV and SFC and can't see anything amiss.
Apologies for the phone camera image.
My mom also has an account on this computer, and at the time I saw the pop-up her account was also logged in. I don't know if this is true every time this message has appeared, nor can I be sure that my dad's correct in saying that it shuts the PC down regardless of which button he clicks: when I clicked on "no", the pop-up closed but Windows remained running. I can't rule out that he's accidentally clicking on something or activating a keyboard shortcut to spawn this window, but I'm pretty certain that it's not the standard Windows 10 prompt for the situation it claims to relate to. Googling that exact phrase shows that it predates Win10 - I found one link from 13 years ago saying it appeared in Win XP.
I rebuilt the PC recently: it's running 1903, build 18362.356. I can't see any processes in Task Manager which are obviously out of place, nor are any processes overtly using significant amounts of CPU or network bandwidth. I'm suspicious that it's some kind of malware, but csrss.exe appears clean. There's a slight chance that one of the background tasks I've set up for automatic backups might be triggering a shutdown after it's complete, but as far as I can tell they're not configured to do that, and even if they were, the message wouldn't use this generic window.
Can anyone offer any advice? Is there some way to track down exactly where this is coming from?
Thanks in advance.