Im looking from a portable VNC client, one that will both run from a memory stick to let me connect to other PCs, and also allow me to run an app on a memory stick and let me connect to another PC.  

Ideally the VNC server will show when someone is connected, and will display the details of what workstation is connecting to the machine.  If not then we could do with some form of notification that someone is connected.  Can anyone suggest something they have used previously?  A client of mine has an issue where someone is VNCing into other peoples machines, but they are using a VNC client with no icon.  We cant prove its the IT tech doing something he shouldnt be (NDAs etc are involved because there are legal docs and financial data that is strictly confidential,  and he has no rights to be viewing screens except when he is doing a fix), but likewise we cant uninstall VNC, or change the password because hell know that we are onto him.  If it isnt the IT tech then someone has found out the password, but it was changed a few weeks back, and mice are still moving when they shouldnt be.  

Easy way: Turn on debug logging on the already installed VNC server - this is a reg setting. This will give you connection details etc.

Is the suspects machine on the same VLAN as the victims?

I wouldnt do anything like this via software. I do this kind of thing at a network level. You dont want to be pissing about with desktops.

Id look on the firewall logs as a first port of call, assuming they use a proper firewall. Obviously if the victim sits on the same subnet as the suspect this is going to tell you sod all.

I would also run a network sniffer, remembering of course to configure the port you are using as a span port.

Quote from: MarkEasy way: Turn on debug logging on the already installed VNC server - this is a reg setting. This will give you connection details etc.

I cant do any config changes to the systems, because hell find some other way round things if he knows we are doing stuff.  At the moment that would involve getting the Local Admin passwords off the machines.  No biggie if he gets potted, Ive still got the image from when we 1st deployed the machines with the old in house support dude.  If it IS the IT guy then well be wiping all the desktop machines as soon as he leaves anyway.  

QuoteIs the suspects machine on the same VLAN as the victims?

Same Physical network, so ive get difficulty with the systems as they are using some no-brand crap switches on some of the desktops to split a single cable multiple ways.  

QuoteI wouldnt do anything like this via software. I do this kind of thing at a network level. You dont want to be pissing about with desktops.

See the comment about cheap switches.  The network largely runs on oldish 100Mb 3com superstacks.  Enough for what they are doing, but ive no way of logging the dudes system.

QuoteId look on the firewall logs as a first port of call, assuming they use a proper firewall. Obviously if the victim sits on the same subnet as the suspect this is going to tell you sod all.

As said, same physical, but the upstairs is on a different subnet, so ill hunt down the system and see if i can find the router.  Might be able to do something with it.  

QuoteI would also run a network sniffer, remembering of course to configure the port you are using as a span port.

nice idea, ill see if i can find a lappy and plug it in somewhere.  Gotta be discrete with what I do, if it gets picked up on were buggered until the dude gets careless.  We are 99.9% sure who it is, but we have to have proof before he gets his marching orders.  The old local tech guy is willing to come in and redo the images if/when we need to, but the guy who owns the place is a mate, and hes worried in case he has issues.  

you need to enable SPAN or you arent going to see very much on a packet switched network. Superstack - hub or switch?

Why not change the logging registry setting remotely

What model superstack are they, superstacks do have some logging capability

Take him outside and set the dogs on his ass. Then youll find out for sure!  8-)