It was developed by Arne Vidstrom as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, event logs are no longer reliable. [2]
Prior to Winzapper's creation, administrators already had the ability to clear the Security Log either through the Event Viewer or through third-party tools such as Clearlogs. [3]
However, Windows lacked any built-in method of selectively deleting events from the Security Log.
Winzapper, as publicly released, lacked the ability to be run remotely without the use of a tool such as Terminal Services.
[7] Another potential clue to a Winzapper-based attempt would be corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will do this.