While reviewing my weekly log greps, I noticed a machine conspicuously missing from the usual audit logs. I logged into the machine (XP SP2 w/auto updates) and sure enough, the security event log under Event Viewer is completely empty. Usually there are many Success Audit messages in the event log. None. Nada. Has anyone ever seen this before? My radar is up.

I checked the local security policies on the machine via secpol.msc and noticed all audits have been disabled.

Disconnected the workstation from the network and did a complete scan with various tools. Nothing. Clean.

Several contractors use this workstation. None have admin privs.

Since I didn't change the local policy and you need to be admin to change it, either an m$ update changed it or this machine has been compromised.

Any comments/suggestions would be appreciated.

csr