Event ID 642, 627, 644, 671 back-to-back-to-back on local accounts once a week

Posted on 2008-11-10
Last Modified: 2013-12-04
Once a week, usually on the weekend around midnight or so, I have a Windows 2003 server that logs the following events back-to-back-to-back (within span of about 1 minute).

642 (Success) - User Account Changed
627 (Failure) - Change Password Attempt
644 (Success) - User Account Locked Out
671 (Success) - User Account Unlocked

The events happen for each local account including Administrator, Guest, IWAM_, IUSR_, SUPPORT_, ASPNET, etc. successively.

I've checked for any scheduled tasks or other processes that might be firing off and causing this, but can't find any correlation.  It doesn't happen at the same time every time.  It usually happens over the weekend, but not always.

Any ideas?
Question by:seekoswm
    1 Comment

    Accepted Solution

    Well, after much research today, I've been able to track it down to a Microsoft Baseline Security Analyzer (MBSA) v1.2 scan that appears to be running.  I'm not sure why it is running at random intervals, but I ran it manually and got the same series of events I've been getting on the weekends.

    I found the following event in the Application log (around the time of the pervious failures) which tipped me off:

    Event Type:      Information
    Event Source:      MBSA
    Event Category:      None
    Event ID:      1
    Date:            11/9/2008
    Time:            12:30:51 AM
    User:            NT AUTHORITY\SYSTEM
    Computer:      SERVER1
    Security analysis complete.
    Scanned from
    Microsoft Baseline Security Analyzer version 1.2.3316.1.

    For more information, see Help and Support Center at

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Superior storage. Superior surveillance.

    WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

    No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
    Learn about cloud computing and its benefits for small business owners.
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now