While reviewing my weekly log greps, I noticed a machine conspicuously missing from the usual audit logs. I logged into the machine (XP SP2 w/auto updates) and sure enough, the security event log under Event Viewer is completely empty. Usually there are many Success Audit messages in the event log. None. Nada. Has anyone ever seen this before? My radar is up.
I checked the local security policies on the machine via secpol.msc and noticed all audits have been disabled.
Disconnected the workstation from the network and did a complete scan with various tools. Nothing. Clean.
Several contractors use this workstation. None have admin privs.
Since I didn't change the local policy and you need to be admin to change it, either an m$ update changed it or this machine has been compromised.
Any comments/suggestions would be appreciated.
csr
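The check described in the post (spotting a workstation that has gone quiet in the collected audit logs) can be automated. The following is an added example, not part of the original post: it assumes a central export with one `timestamp host event_id type` record per line and a known host inventory, both constructed here, and it also surfaces the pre-Vista Security event IDs 517 (audit log cleared) and 612 (audit policy changed) if they were collected before the host went silent.

```python
from datetime import datetime, timedelta

# Pre-Vista Windows Security log event IDs relevant to audit tampering.
TAMPER_IDS = {517: "audit log cleared", 612: "audit policy changed"}

# Constructed sample export (hypothetical hosts and format): timestamp host event_id type
SAMPLE = """\
2006-03-01T08:00:00 WS-01 528 SuccessAudit
2006-03-01T08:05:00 WS-02 528 SuccessAudit
2006-03-03T17:40:00 WS-02 538 SuccessAudit
2006-03-03T17:42:00 WS-02 612 SuccessAudit
2006-03-07T09:10:00 WS-01 528 SuccessAudit
this line is malformed and is skipped
"""

def parse(log_text):
    """Yield (timestamp, host, event_id) for each well-formed record."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], int(parts[2])

def silent_hosts(log_text, inventory, now, max_gap=timedelta(days=2)):
    """Return inventory hosts with no Security events within max_gap of now."""
    last_seen, tamper = {}, {}
    for ts, host, eid in parse(log_text):
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
        if eid in TAMPER_IDS:
            tamper.setdefault(host, []).append((ts, TAMPER_IDS[eid]))
    report = {}
    for host in inventory:
        seen = last_seen.get(host)  # None means the host never reported at all
        if seen is None or now - seen > max_gap:
            report[host] = {"last_seen": seen,
                            "tamper_events": sorted(tamper.get(host, []))}
    return report

if __name__ == "__main__":
    now = datetime(2006, 3, 8, 9, 0, 0)
    for host, info in silent_hosts(SAMPLE, ["WS-01", "WS-02", "WS-03"], now).items():
        print(host, info)
```

A silent host whose last collected records include 612 or 517 points to a policy change or log clear made on that machine, which narrows the time window to investigate.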