• Status: Solved
  • Priority: Medium
  • Security: Public

Windows Login Failure Audits

I have logon failure attempts to every account on my machine. Every account has 2. They are posted below. If anyone can help me know what is going on and how I can fix it, it will be much appreciated. Thx.


Event ID: 529
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      ASPNET
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      COMPUTER

Event ID: 680
 Logon account:  ASPNET
 Source Workstation: COMPUTER
 Error Code: 0xC000006A
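
For triage, the numeric fields in the two events above can be decoded and merged per account. The sketch below is an added example, not part of the original post; the function names `parse_events` and `summarize` are hypothetical, and the lookup tables are subsets of the documented Windows logon types and NTSTATUS codes.

```python
import re

# Subsets of the documented Windows logon types and NTSTATUS codes.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# The two events from the question (Authentication Package line omitted).
SAMPLE = """\
Event ID: 529
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      ASPNET
       Logon Type:      2
       Logon Process:      Advapi
       Workstation Name:      COMPUTER

Event ID: 680
 Logon account:  ASPNET
 Source Workstation: COMPUTER
 Error Code: 0xC000006A
"""

def parse_events(text):
    """Return one dict of lower-cased field names per 'Event ID:' block."""
    events = []
    for block in re.split(r"(?m)^(?=[ \t]*Event ID:)", text):
        pairs = (line.partition(":") for line in block.splitlines())
        # Header lines such as "Logon Failure:" have no value and are skipped.
        fields = {k.strip().lower(): v.strip() for k, _, v in pairs if v.strip()}
        if "event id" in fields:
            events.append(fields)
    return events

def summarize(events):
    """Merge the 529/680 records per account and decode the numeric fields."""
    accounts = {}
    for ev in events:
        user = ev.get("user name") or ev.get("logon account", "?")
        info = accounts.setdefault(user, {"event_ids": []})
        info["event_ids"].append(int(ev["event id"]))
        if "logon type" in ev:
            info["logon_type"] = LOGON_TYPES.get(int(ev["logon type"]), "other")
        if "error code" in ev:
            info["status"] = NTSTATUS.get(int(ev["error code"], 16), ev["error code"])
        for key in ("workstation name", "source workstation", "logon process"):
            if key in ev:
                info[key] = ev[key]
    return accounts
```

For the posted events, `summarize(parse_events(SAMPLE))` reports ASPNET with an Interactive logon type and STATUS_WRONG_PASSWORD, meaning the account name was valid and the password supplied was wrong.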

1 Solution
Fatal_Exception (Systems Engineer) commented:
This will help explain it to you...

You receive a "logon failure: unknown user name or bad" error message while accessing remote security-enhanced resources from an ASP.NET application


Fatal_Exception (Systems Engineer) commented:
BTW: it will show you how to stop it from occurring also..  :)

Rich Rumble (Security Samurai) commented:
Try scanning your PC with an AV scanner, like Stinger

Fatal_Exception (Systems Engineer) commented:
Doubt seriously that it is a virus, but it does not hurt to check. This error is a common error, and can be fixed with the link provided above..

planza (Author) commented:
Cool, thanks for the info. I will give you the points for that, but do you know how I can see exactly what is trying to access something?

Fatal_Exception (Systems Engineer) commented:
You can use one of the workarounds in the article above to prevent these errors from occurring... A little complicated, but it is well documented.. Good luck..!!

And thank you..

planza (Author) commented:
Yes, I read those and understand that. BUT I want to find out which program is CAUSING the error, not just how to prevent the error from occurring.

I want to find the cause of the error.

Have you resolved this yet?  I'm seeing the same, and would love to read your results.

planza (Author) commented:
No, still not resolved. I went through and disabled ALL accounts except for the one that I use. I have to go and re-enable accounts for development etc., but this seems to have stopped the log events...

I'll bet that there is some sort of software that can monitor this, maybe by Symantec or sth...

Let me know if you find anything.

I constantly over the last year or so get MS NT 4.0 Event ID 'chains' of 529, with a spoofed user name and domain, and the time of events sometimes seconds apart. It appears as a "propagated type of NETBIOS/SMB automated program", and I've tried "anon logon restrictions", but they still reappear in large groups.

Any tips, guidance or advice would be greatly appreciated!
J. McNellie