I was wrong, Remote Desktop on XP uses Type 10, while in 2000 it would use Type 2. The only other mention I found producing this error was logging in through a KVM IP switch. I don't suppose that workstation has had one of those installed. http://www.windowsecurity.com/articles/Logon-Types.html -t On 12/20/05, David K McFarlane <[log in to unmask]> wrote: > > Steve, > > > Sounds like you might possibly have a rootkit of some sort on the > workstation. In that case the following sites have great resources for > detecting many of the more well known rootkits: > > > > http://www.systernals.com (RootkitRevealer, ProcExp, TCPView) > > Thanks. I tried RootkitRevealer, it found nothing. I have not tried the > other tools yet. > > But back to the question: Could a rootkit allow an attacker to log in > over > the network and yet have it show up as a console logon in the security > log? > This is really a question about the Windows security log and what it > means. > > -- David McFarlane > Systems Designer > Michigan State University, Dept. of Psychology > [log in to unmask] > -- Troy D Murray Blog: http://troymurray.blogspot.com/