planza
asked on
Windows Login Failure Audits
I have logon failure attempts to every account on my machine. Every account has 2. They are posted below. If anyone can help me know what is going on and how I can fix it, it will be much appreciated. Thx.
Logs:
Event ID: 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: ASPNET
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Workstation Name: COMPUTER
Event ID: 680
Logon attempt by: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Logon account: ASPNET
Source Workstation: COMPUTER
Error Code: 0xC000006A
Logs:
Event ID: 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: ASPNET
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: COMPUTER
Event ID: 680
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: ASPNET
Source Workstation: COMPUTER
Error Code: 0xC000006A
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
BTW: it will show you how to stop it from ocurring also.. :)
Doubt seriously that it is a virii, but it does not hurt to ck. This error is a common error, and can be fixed with the link provided above..
FE
FE
ASKER
cool, thanks for the info. I will give you the points for that, but do you know how I can see exactly is trying to access something?
thx
thx
You can use one of the workarounds in the article above to prevent these errors from ocurring... A little complicated, but it is well documented.. Good luck..!!
And thank you..
FE
And thank you..
FE
ASKER
yes, I read those and understand that. BUT I want to find out which program is CAUSING ther error, not just how to prevent the error from occuring.
I want to find the cause of the error.
Thanks
I want to find the cause of the error.
Thanks
Have you resolved this yet? I'm seeing the same, and would love to read your results.
ASKER
no, still not resolved. I went through and disabled ALL accounts except fro the one that I use. I have to go and re-enable accts fro development etc, but this seems to have stopped the logevents...
I'll bet that there is some sort of software than can monitor this, maybe by symantec of sth...
let me know if oyu find anything
I'll bet that there is some sort of software than can monitor this, maybe by symantec of sth...
let me know if oyu find anything
I constantly over the last year or so get MS NT 4.0 Event Id 'chains' of 529, with a spoofed User name and Domain and the time of events sometimes seconds apart. It appears as a 'propagated type of NETBIOS/SMB automated program " and I've tried "anon logon restrictions" but they still reappear in large groups?
Any tips, guidance or advice would be greatly appreciated!
J. McNellie
Any tips, guidance or advice would be greatly appreciated!
J. McNellie