How to Tell If Your PC Is Being Remotely Accessed

If you suspect someone else is on your computer, you're not alone. We see Edinburgh customers from Leith to Livingston walk into our workshop every week convinced their PC has been hijacked — sometimes after a tech support scam, sometimes after clicking a suspicious link, and sometimes for no clear reason at all.

The good news is that real remote-access intrusions leave clear fingerprints once you know where to look. This guide walks you through the warning signs and the practical steps to take if your PC is being remotely accessed.

If you already know something is wrong, disconnect from the internet and book a thorough check with our virus and malware removal team before logging into anything sensitive.

What "Remote Access" Actually Means

Remote access is when another device controls your PC over the internet — moving the cursor, opening apps, reading files, and typing as if the attacker were sitting at your keyboard. Sometimes it's legitimate: a relative helping with a printer, an IT contractor doing maintenance, or our own remote support service connecting to fix a Windows problem. Sometimes it's not — a scammer, a piece of malware, or a former housemate who never had their account removed. The signs below help you tell the difference.

1. Unexpected Cursor Movement or Mouse Activity

The most obvious sign is the mouse pointer moving on its own. If your cursor glides smoothly across the screen, clicks menus, or types into search bars while your hands are on the desk, you almost certainly have a live intruder. The key word is smoothly: a faulty trackpad or dusty mouse will produce jittery, twitchy movement, whereas a human operator on the other end moves in deliberate arcs.

If you see this happen, do not wait for "proof" — immediately unplug the Ethernet cable or turn off Wi-Fi from the keyboard shortcut (Fn + the airplane key on most laptops).

2. Programs Opening or Closing on Their Own

Settings windows that pop up unprompted, browser tabs that close mid-read, command prompt windows flashing on the desktop — all of these can mean someone is rifling through your machine. Pay particular attention to UAC consent prompts (the blue "Do you want to allow this app to make changes?" dialog) appearing without you doing anything. A remote attacker often needs your admin approval to escalate privileges, and they'll keep poking until you click yes.

3. New User Accounts You Didn't Create

Open Settings > Accounts > Other users on Windows 11. Every entry there should be a person you recognise. Likewise, press Win + R and type lusrmgr.msc to see the full local users list (Pro editions only). Names like "Admin", "TempUser", "DefaultAccount0", "WDAGUtilityAccount" with recent activity, or anything you didn't set up yourself, are red flags. Customers in Morningside and Dalkeith have brought us laptops with three hidden admin accounts created after a single scam call.

4. Remote-Access Software Installed Without Your Knowledge

Most remote-access scams rely on legitimate tools: AnyDesk, TeamViewer, UltraViewer, LogMeIn, Quick Assist, or ScreenConnect. Open Settings > Apps > Installed apps and sort by install date. If any of those names appear and you didn't install them, uninstall immediately — but also assume the attacker left other tools behind. Our phishing scams guide and the Edinburgh tech support scams guide explain how these tools usually arrive in the first place.

5. Unusual Network Activity in Task Manager

Press Ctrl + Shift + Esc to open Task Manager and click the Performance tab, then Open Resource Monitor at the bottom. Switch to the Network tab in Resource Monitor and watch the list of processes sending and receiving data. With your browser and apps closed, the list should be short — Windows update, OneDrive, your antivirus, and a handful of system services. Sustained traffic from a process you don't recognise, especially one with a random-looking name in %AppData% or %Temp%, deserves a closer look.

6. Antivirus and Firewall Settings Have Been Changed

One of the first things an intruder does is disable Microsoft Defender or whatever antivirus you run. Check Windows Security > Virus & threat protection: if "Real-time protection" is off and you didn't switch it off, that's a strong indicator something has tampered with the system. Same for the Windows firewall (Windows Security > Firewall & network protection) — all three profiles should say "Firewall is on".

7. Strange Login Times in Event Viewer

This is the most technical sign but also the hardest to fake. Press Win + R, type eventvwr, and navigate to Windows Logs > Security. Filter for Event ID 4624 (successful logon) and look at the timestamps. If you find logons at 3am on a Tuesday, or from a "Logon Type" of 10 (RemoteInteractive) when you've never used Remote Desktop, your machine has been reached from outside. Business customers in Falkirk and Livingston ask us to audit this regularly as part of our business IT support work.

How to Disconnect a Remote Intruder Right Now

If any of the signs above match what you're seeing, work through this list quickly:

• Disconnect from the internet — unplug the Ethernet cable or turn Wi-Fi off from the keyboard. This is the single most important step.
• Shut down, don't restart — a full shutdown closes every active session. Hold the power button if Windows is unresponsive.
• Boot back up offline and uninstall any remote-access tools (AnyDesk, TeamViewer, Quick Assist, etc.) you didn't install yourself.
• Change passwords from a different device — email first, then banking, then social media. Don't use the compromised PC.
• Enable two-factor authentication on every important account. Our 2FA setup guide walks through it.
• Run a full malware scan with Microsoft Defender Offline (Settings > Privacy & security > Windows Security > scan options).
• Ring your bank if the attacker may have seen card details or banking sessions, and report to Police Scotland on 101 or Action Fraud at actionfraud.police.uk.

How to Prevent Future Remote-Access Attacks

Most intrusions in Edinburgh start with social engineering rather than a clever technical exploit — a phone call, a pop-up, a panicked email. Keep Windows and your antivirus up to date, never install remote-access software at a stranger's request, and use unique passwords stored in a password manager. If you run a small business, make sure Remote Desktop (port 3389) is not exposed to the open internet — our software troubleshooting team sees this misconfiguration most often in older home offices around Stockbridge and Corstorphine.

Worried About Your Edinburgh PC?

If anything in this guide rings true for your machine, don't take chances. Bring it to our Parkhead Drive workshop, or use our home callout service across Edinburgh, the Lothians and the central belt. Book a security check online and we'll make sure no unwanted guests are still inside your PC.