Solved

Event ID's 529 then 539 over and over

Posted on 2010-08-25
9
949 Views
Last Modified: 2013-12-04
A machine on the floor listed event 529 3 times for my account, locking it out.  Then, for almost an hour it listed event 539's.  The User in the events is SYSTEM.  However, under the event description the User Name is my account.  I looked at the services msc on the box but no services listed my account.  The event 529 description is as follows...
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/25/2010
Time:            3:52:42 PM
User:            NT AUTHORITY\SYSTEM
Computer:      that-computer
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      my-user
       Domain:            my-domain
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      that-computer

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The 539 details follow...


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            8/25/2010
Time:            3:52:43 PM
User:            NT AUTHORITY\SYSTEM
Computer:      that-computer
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      My-account
       Domain:      My-Domain
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      That-computer

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I think that some applications have the user ID cached and I've since changed my pword, but I can find it.

0
Question by:whoam
9 Comments
 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33527710
Hello !

Using your terms, search the registry on "That-computer" for "My-account".

Check also for scheduled tasks.

Have you connected a network drive while under that computer's user account but using your account ?

Go to Control Panel -> User account and clear the saved password list (for the local user's account).

Can't think of anything else.

Syldra
0
 
LVL 5

Expert Comment

by:anil_kumar137
ID: 33529165
0
 
LVL 4

Expert Comment

by:Prabhaheren
ID: 33539562
Have you set up a shared folder/file using your credentials, or any applications running with your privileges? Then you will have these events registered on the machine.
0
 

Author Comment

by:whoam
ID: 33547369
My account was under CONTROL PANEL>USER ACCOUNT.  It was listed as a "Debug User".  Have no idea what that is, but my thought is something had an 'under the hood' error and tried to summon the debug user.  I removed it and we'll see.
0
 

Author Comment

by:whoam
ID: 33547389
I didn't find anything in the registry other than I was the ALTDEFAULTNUSERNAME. I let that alone.
0
 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33559931
OK, when logged on as the local user (not your account) go to Control Panel -> User Account -> Advanced Settings (second tab) -> Manage passwords (first button). Click on "Properties" on each of the connections listed there and see if your account is listed. If it is, delete that entry.

You could also do at the command prompt "net use > netuse.txt" then "net use * /delete /y", this will write the list of mapped drives to the file "netuse.txt" and unmap all drives, even persistent ones. If a drive was mapped using your credentials, it will disappear. Use the netuse.txt file to recreate mappings that are not created by domain settings and scripts.

Syldra
0
 

Author Comment

by:whoam
ID: 33563443
Syldra,

I went through the control panel.  All blank.  Drives are mapped by logon script.  It also deletes previously mapped drives to start.

I haven't seen anything yet.  I'm waiting for Friday, seems to be when I see it.  That of course points to a scheduled task, but none are listed.

Thanks
0
 
LVL 8

Accepted Solution

by:
SylvainDrapeau earned 500 total points
ID: 33563735
Wait a second... it just occurred to me that "Logon Type 2" is "Interactive", session 0, call it what you want, but it's in no way a batch file, network drive or anything like that... which means it's one of several things happening. Either:

- a user is trying to log on as you (malicious user?)
- a user is trying to log on as himself on a computer you just logged off and does not change the default username
- a user is trying to log on via IP KVM (you have any of those?)
- a user is trying to log on via RDP /admin or /console, which logs to session 0

Look if event ID 528 is logged right after 529 with the same computer... that should point you to the right user... with only circumstantial evidence though.

Syldra
0
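The check Syldra describes (N failed 529s for one account, then the 539 lockouts, then look for a 528 by someone else on the same machine right after), as an added example that is not from this thread. It parses records in the "Key:   value" layout quoted in the question; the sample log, the 3-in-120-seconds threshold and the 60-second correlation window are constructed assumptions, and all events are assumed to be from the same day.

```python
import re
from datetime import datetime

def record(event_id, time, user, workstation="that-computer"):
    # One record in the "Key:   value" layout of the events quoted in the question.
    return (f"Event ID:      {event_id}\nTime:            {time}\nUser Name:      {user}\n"
            f"Logon Type:      2\nWorkstation Name:      {workstation}\n")

# Constructed sample, not a real log: three bad-password failures (529) for one account,
# the "Account locked out" failures (539) that follow, and a 528 by a different user.
SAMPLE_LOG = "\n".join([
    record(529, "3:52:40 PM", "my-user"), record(529, "3:52:41 PM", "my-user"),
    record(529, "3:52:42 PM", "my-user"), record(539, "3:52:43 PM", "My-User", "That-computer"),
    record(528, "3:52:50 PM", "other-user"), record(539, "3:55:10 PM", "my-user"),
])
KV = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # "Key:   value" at any indent

def parse_events(text):
    """Split blank-line-separated records and read the fields we need."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(KV.match(l).groups() for l in block.splitlines() if KV.match(l))
        events.append({"id": int(f["Event ID"]), "when": f["Time"],
                       "time": datetime.strptime(f["Time"], "%I:%M:%S %p"),
                       "logon_type": int(f["Logon Type"]),
                       "user": f["User Name"].lower(),  # names are case-insensitive
                       "workstation": f["Workstation Name"].lower()})
    return sorted(events, key=lambda e: e["time"])

def find_lockouts(events, threshold=3, window_s=120):
    """(user, workstation, time) of each account's first 539 preceded by >= threshold 529s."""
    lockouts = {}
    for i, e in enumerate(events):
        key = (e["user"], e["workstation"])
        if e["id"] != 539 or key in lockouts:
            continue
        bad = sum(1 for p in events[:i] if p["id"] == 529 and (p["user"], p["workstation"]) == key
                  and (e["time"] - p["time"]).total_seconds() <= window_s)
        if bad >= threshold:
            lockouts[key] = e["when"]
    return [(u, w, t) for (u, w), t in lockouts.items()]

def logons_after_lockout(events, lockouts, window_s=60):
    """Per the accepted answer: 528s by other accounts on that host soon after the lockout."""
    hits = []
    for user, ws, when in lockouts:
        t0 = datetime.strptime(when, "%I:%M:%S %p")
        hits += [(e["user"], e["when"]) for e in events if e["id"] == 528 and e["workstation"] == ws
                 and e["user"] != user and 0 <= (e["time"] - t0).total_seconds() <= window_s]
    return hits
```

As Syldra notes, a 528 landing right after the lockout is circumstantial: it tells you who logged on next at that console, not who typed the bad password.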
 

Author Comment

by:whoam
ID: 33675399
As the incident has not recurred I can't really TS this further.
0
