I bet that's what the event log would look like if a rootkit running as SYSTEM added local administrator accounts...
Clubber Lang wrote:
> Thanks, James. Yeah, the user was the same for all events: NT
> AUTHORITY\SYSTEM
>
> 624 - User Account Created - 9:19:13 AM
> 626 - User Account Enabled - 9:19:13 AM
> 642 - User Account Changed - 9:19:13 AM
> 628 - User Account Password Set - 9:19:13 AM
> 636 - Security Enabled Local Group Member Added - 9:19:14 AM
> 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
> 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
> 630 - User Account Deleted - 9:21:28 AM

--
Phil Brutsche
[EMAIL PROTECTED]
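One way to flag the sequence quoted above, as an added example that is not part of the original thread: it parses lines in the format Clubber Lang posted and reports an account that is created, added to a local group and deleted within a short window. The function names, the 10-minute threshold and the second (constructed) sample are assumptions.

```python
from datetime import datetime, timedelta

# Legacy (Windows 2000/XP/2003) Security log event IDs quoted in the thread.
CREATED, GROUP_ADD, DELETED = 624, 636, 630

# The eight events from the quoted message, in the format used there.
THREAD_EVENTS = """\
624 - User Account Created - 9:19:13 AM
626 - User Account Enabled - 9:19:13 AM
642 - User Account Changed - 9:19:13 AM
628 - User Account Password Set - 9:19:13 AM
636 - Security Enabled Local Group Member Added - 9:19:14 AM
637 - Security Enabled Local Group Member Removed - 9:21:28 AM
633 - Security Enabled Global Group Member Removed - 9:21:28 AM
630 - User Account Deleted - 9:21:28 AM
"""

# Constructed sample: same event types, but the account lives for hours.
BENIGN_EVENTS = """\
624 - User Account Created - 9:00:00 AM
636 - Security Enabled Local Group Member Added - 9:00:05 AM
630 - User Account Deleted - 4:30:00 PM
"""

def parse(lines):
    """Yield (event_id, timestamp) for each 'ID - description - time' line."""
    for line in lines.splitlines():
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip anything not in the thread's format
        yield int(parts[0]), datetime.strptime(parts[2], "%I:%M:%S %p")

def short_lived_group_members(lines, max_lifetime=timedelta(minutes=10)):
    """Return (created, group_added, deleted) timestamps for each account that
    was created, added to a local group and deleted within max_lifetime.
    Assumption: the lines concern one account at a time, as in the thread; a
    real log would also be keyed on the target account and group name."""
    findings, created, added = [], None, None
    for event_id, ts in sorted(parse(lines), key=lambda e: e[1]):
        if event_id == CREATED:
            created, added = ts, None
        elif event_id == GROUP_ADD and created is not None:
            added = ts
        elif event_id == DELETED and created is not None:
            if added is not None and ts - created <= max_lifetime:
                findings.append((created, added, ts))
            created = added = None
    return findings
```

On the thread's events this reports one account with a lifetime of 135 seconds; the constructed sample produces no finding.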
