Event ID 539 account lockout?

Posted on 2005-04-27
Last Modified: 2012-06-21
I run Windows Server 2003 SBS.  Since last Tuesday I have been receiving administrative alert emails at 2 hour intervals, almost on the dot.  Very concerning since I can't see anything in the Event Viewer at these times.  I see in the Server Manager where to enable/disable this alert.  I want it enabled, but I also want to know who is getting locked out (who is trying to log in???)  Also since it happens exactly 2 hours apart, that makes me think it is automated...what kind of process or application would try to do this?  Please help me figure this out :)

Here is the pattern of the times I receive the email.  Note that there is no activity on the weekend, but when it is active, it is in exactly 2 hour intervals:

4/19      08:28:47 PM
4/19      10:28:47 PM
4/20      12:28:49 AM
4/20      02:28:49 AM
4/20      04:28:49 AM
4/20      06:28:49 AM
4/21      01:08:53 PM
4/21      03:08:53 PM
4/21      05:08:08 PM
4/22      01:08:13 PM
4/22      03:08:13 PM
4/22      05:08:13 PM
4/25      04:48:28 PM
4/25      06:48:28 PM
4/25      08:48:28 PM
4/25      10:48:28 PM
4/26      12:48:29 PM
4/26      02:48:29 AM
4/26      04:48:29 AM
4/26      06:48:29 AM
4/26      08:48:29 AM
4/26      10:48:29 AM
4/26      12:48:29 AM
4/26      02:48:29 PM
4/26      04:48:29 PM
4/26      06:48:29 PM
4/26      08:48:29 PM
4/26      10:48:29 PM
4/27      12:48:34 AM
4/27      02:48:34 AM
4/27      04:48:34 AM
4/27      06:48:34 AM
4/27      08:48:34 AM

Here is the text of the email:

-----Original Message-----
From: Envirotech [mailto:Administrator@domain.tld]
Sent: Friday, April 22, 2005 1:08 PM
To: me (the administrator)
Subject: Account Lockout (Event ID: 539) Alert on SERVER1

Alert on SERVER1 at 4/22/2005 1:08:13 PM

An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.

For more information about this event, see the event logs on the server computer.

You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.
Question by: amcorjon

    Author Comment


    Check this out - I noted the 2 hour interval pattern this morning...I would receive the alert every 2 hours at xx:48:34 am (hh:mm:ss). So I logged on to the server, opened the Task Manager's Process tab and watched the system clock tick.

    At exactly 10:48:34 AM I watched and took a screenshot (attached). I saw that one of the System processes popped up. I see which process it is, but I don't know anything about it.  This process seems to keep trying to authenticate every two hours during the weekdays only. Strange.  At least we can rule out a person trying to hack in.  But what kind of process does this?  How can I find out more about what is going on?

    Since I can't attach a pic of the screenshot I'll try to describe it:
    Image Name: System
    User Name: SYSTEM
    CPU: 02
    Mem Usage: 8,192K

    I had the Task Manager's Processes sorted by CPU; I figured if a process was trying to login, then it should jump to the top at that time, and sure enough it did.  Then I received the alert email a second later.

    Expert Comment

    You *should* be able to match up these alerts to an event in the Security Event Log.

    Can you copy and paste one of those here?


    Author Comment

    Thanks, I found this:

    Logon Failure:
           Reason:            Account locked out
           User Name:      MAINTENANCE
           Domain:      ourdomain
           Logon Type:      3
           Logon Process:      NtLmSsp
           Authentication Package:      NTLM
           Workstation Name:      \\SHOP
           Caller User Name:      -
           Caller Domain:      -
           Caller Logon ID:      -
           Caller Process ID: -
           Transited Services: -
           Source Network Address:
           Source Port:      0

    It seems to be coming from our shop next door which only has 1 computer - and I know the guys there do not try to log in every 2 I go to that machine?  What should I look for that automatically tries to authenticate every 2 hours?
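
The triage done by hand in this thread, as an added example that is not part of the original posts: it parses event 539 description text into fields, counts lockouts per workstation and account, and checks whether the alert times recur at a fixed interval, which points to an automated source rather than a person. The function names and the 10-second tolerance are assumptions; the sample record is constructed in the layout quoted above.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample, laid out like the event 539 description quoted above.
SAMPLE_539 = r"""Logon Failure:
    Reason:            Account locked out
    User Name:      MAINTENANCE
    Domain:      ourdomain
    Logon Type:      3
    Workstation Name:      \\SHOP
    Caller User Name:      -
    Source Network Address:
    Source Port:      0
"""

# Alert times copied from the question's list; the year comes from the alert e-mail.
ALERT_TIMES = ["4/26/2005 02:48:29 PM", "4/26/2005 04:48:29 PM",
               "4/26/2005 06:48:29 PM", "4/26/2005 08:48:29 PM",
               "4/26/2005 10:48:29 PM", "4/27/2005 12:48:34 AM",
               "4/27/2005 02:48:34 AM"]

def parse_539(description):
    """Split a description into {field: value}; '-' and blank become None."""
    fields = {}
    for line in description.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*?)\s*$", line)
        if m and m.group(1) != "Logon Failure":
            value = m.group(2)
            fields[m.group(1)] = None if value in ("", "-") else value
    return fields

def lockout_sources(descriptions):
    """Count lockouts per (workstation, account) to show where to look first."""
    pairs = Counter()
    for fields in map(parse_539, descriptions):
        workstation = (fields.get("Workstation Name") or "?").lstrip("\\")
        pairs[(workstation, fields.get("User Name"))] += 1
    return pairs

def fixed_interval(times, tolerance_s=10, min_events=4):
    """Return the gap in seconds if events recur at a steady interval, else None."""
    stamps = sorted(datetime.strptime(t, "%m/%d/%Y %I:%M:%S %p") for t in times)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(stamps) < min_events:
        return None
    typical = median(gaps)
    return typical if all(abs(g - typical) <= tolerance_s for g in gaps) else None

if __name__ == "__main__":
    print(lockout_sources([SAMPLE_539]).most_common())
    print(fixed_interval(ALERT_TIMES))
```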


    Accepted Solution

    It seems this computer has some spyware or a virus on it.  This is the telltale sign of malicious activity - hitting shares using default passwords trying to spread.

    Download and run the following stuff:

    Adaware Personal -
    Spybot S&D -
    CWShredder -

    Also, do a full AV scan with the latest updates.

    Let us know what you find.


    Author Comment

    Thanks guys - I ran Adaware twice and cleaned it up.

    Expert Comment

    Glad to help!

    Expert Comment

    Did you run AdAware on the Server or the shop workstation? I am getting this same problem but it is happening on up to 10 different accounts.
