Stalking the intruder
Yes, this example of sly and persistent intrusion is alarming. I think we need behavior analytics that learn from routine system ops and recognize an activity that is out of line. Once it spots such a thing, it raises an alarm or shuts it down. I also agree with TerryB. Security was such a concern on the IBM mainframe when it first came out that the MVS operating system, when asked by an application process to do something, would query, Who is your owner? If no clear answer came back, it killed the process. With Windows, it's more like welcome the next visitor, check his credentials later.