I was wrong: Remote Desktop on XP uses Type 10, while in 2000 it would use Type 2. The only other mention I found producing this error was logging in through a KVM IP switch. I don't suppose that workstation has had one of those installed.
http://www.windowsecurity.com/articles/Logon-Types.html
-t
On 12/20/05, David K McFarlane wrote:
Steve,
> Sounds like you might possibly have a rootkit of some sort on the workstation. In that case the following sites have great resources for detecting many of the more well-known rootkits:
>
> http://www.systernals.com (RootkitRevealer, ProcExp, TCPView)
Thanks. I tried RootkitRevealer; it found nothing. I have not tried the
other tools yet.
But back to the question: Could a rootkit allow an attacker to log in over
the network and yet have it show up as a console logon in the security log?
This is really a question about the Windows security log and what it means.
-- David McFarlane
Systems Designer
Michigan State University, Dept. of Psychology
--
Troy D Murray
Blog: http://troymurray.blogspot.com/