Steve, > Sounds like you might possibly have a rootkit of some sort on the workstation. In that case the following sites have great resources for detecting many of the more well known rootkits: > > http://www.systernals.com (RootkitRevealer, ProcExp, TCPView) Thanks. I tried RootkitRevealer, it found nothing. I have not tried the other tools yet. But back to the question: Could a rootkit allow an attacker to log in over the network and yet have it show up as a console logon in the security log? This is really a question about the Windows security log and what it means. -- David McFarlane Systems Designer Michigan State University, Dept. of Psychology [log in to unmask]