Solved

Event ID's 529 then 539 over and over

Posted on 2010-08-25
944 Views
Last Modified: 2013-12-04
A machine on the floor listed event 529 3 times for my account, locking it out.  Then, for almost an hour it listed event 539s.  The User in the events is SYSTEM.  However, under the event description the User Name is my account.  I looked at services.msc on the box but no services listed my account.  The event 529 description is as follows...
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/25/2010
Time:            3:52:42 PM
User:            NT AUTHORITY\SYSTEM
Computer:      that-computer
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      my-user
       Domain:            my-domain
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      that-computer

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The 539 details follow...


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            8/25/2010
Time:            3:52:43 PM
User:            NT AUTHORITY\SYSTEM
Computer:      that-computer
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      My-account
       Domain:      My-Domain
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      That-computer

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I think that some application has the user ID cached, and I've since changed my password, but I can't find it.

Question by:whoam
9 Comments
 
LVL 8

Expert Comment

by:SylvainDrapeau
Hello !

Using your terms, search the registry on "That-computer" for "My-account".

Check also for scheduled tasks.

Have you connected a network drive while under that computer's user account but using your account?

Go to Control Panel -> User account and clear the saved password list (for the local user's account).

Can't think of anything else.

Syldra
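Added example, not part of the thread: the checks above (services, scheduled tasks, Winlogon defaults, stored credentials) done from one PowerShell session on the affected box. It assumes PowerShell 2.0 or later run as a local admin, and 'my-user' stands in for the account named in the 529/539 events. The comments also note which logon type each source would produce, since only an interactive source matches the Logon Type 2 in the question.

```powershell
# Added example, not from the thread. Assumptions: run in PowerShell 2.0 or
# later as a local admin on the affected machine; 'my-user' stands in for the
# account named in the 529/539 events.
function Find-AccountReferences {
    param([string]$Account = 'my-user')
    $rx   = [regex]::Escape($Account)
    $hits = @()

    # Services configured to log on as the account. A stale password here
    # would fail as Logon Type 5, not the Type 2 seen in the question.
    foreach ($svc in (Get-WmiObject Win32_Service)) {
        if ($svc.StartName -match $rx) {
            $hits += "service '$($svc.Name)' runs as $($svc.StartName)"
        }
    }

    # Scheduled tasks (Logon Type 4 when they fire); /v /fo csv is parseable.
    foreach ($task in (schtasks /query /v /fo csv | ConvertFrom-Csv)) {
        if ($task.'Run As User' -match $rx) {
            $hits += "task '$($task.TaskName)' runs as $($task.'Run As User')"
        }
    }

    # Winlogon defaults: the asker found his account as AltDefaultUserName here.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'DefaultUserName', 'AltDefaultUserName') {
        if ("$($wl.$name)" -match $rx) { $hits += "Winlogon\$name = $($wl.$name)" }
    }

    # Stored credentials, where cmdkey.exe exists (on XP the same store is the
    # Stored User Names and Passwords dialog: rundll32 keymgr.dll,KRShowKeyMgr).
    if (Get-Command cmdkey -ErrorAction SilentlyContinue) {
        foreach ($line in (cmdkey /list)) {
            if ($line -match $rx) { $hits += "cmdkey: $($line.Trim())" }
        }
    }

    if ($hits.Count -eq 0) { "no reference to '$Account' found" } else { $hits }
}

Find-AccountReferences -Account 'my-user'
```

Anything this turns up in services or tasks would show as Logon Type 5 or 4 in the Security log, so a hit there explains a different failure than the one pasted above; the Winlogon and stored-credential entries are the ones that can feed an interactive (Type 2) attempt.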
LVL 5

Expert Comment

by:anil_kumar137
LVL 4

Expert Comment

by:Prabhaheren
Have you set up a shared folder/file using your credentials, or any applications running with your privileges? Then you will have these events registered on the machine.
Author Comment

by:whoam
My account was under CONTROL PANEL>USER ACCOUNT.  It was listed as a "Debug User".  Have no idea what that is, but my thought is something had an "under the hood" error and tried to summon the debug user.  I removed it and we'll see.
Author Comment

by:whoam
I didn't find anything in the registry other than I was the ALTDEFAULTUSERNAME. I left that alone.
LVL 8

Expert Comment

by:SylvainDrapeau
Ok, when logged on as the local user (not your account) go to Control Panel -> User Account -> Advanced Settings (second tab) -> Manage passwords (first button). Click on "Properties" on each of the connections listed there and see if your account is listed. If it is, delete that entry.

You could also do at the command prompt "net use > netuse.txt" then "net use * /delete /y", this will write the list of mapped drives to the file "netuse.txt" and unmap all drives, even persistent ones. If a drive was mapped using your credentials, it will disappear. Use the netuse.txt file to recreate mappings that are not created by domain settings and scripts.

Syldra
Author Comment

by:whoam
Syldra,

I went through the control panel.  All blank.  Drives are mapped by logon script.  It also deletes previously mapped drives to start.

I haven't seen anything yet.  I'm waiting for Friday, which seems to be when I see it.  That of course points to a scheduled task, but none are listed.

Thanks
LVL 8

Accepted Solution

by: SylvainDrapeau (earned 500 total points)
Wait a second... it just occurred to me that "Logon Type 2" is "Interactive", session 0, call it what you want, but it's in no way a batch file, network drive or anything like that... which means it's one of several things happening. Either:

- a user is trying to log on as you (malicious user?)
- a user is trying to log on as himself on a computer you just logged off and does not change the default username
- a user is trying to log on via IP KVM (do you have any of those?)
- a user is trying to log on via RDP /admin or /console, which logs on to session 0

Look if event ID 528 is logged right after 529 with the same computer... that should point you to the right user... with only circumstantial evidence though.

Syldra
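Added example, not part of the thread: the 528-after-529 correlation the accepted answer suggests, as a PowerShell function over Security log entries. It assumes PowerShell 2.0 or later and entries shaped like what Get-EventLog returns (TimeGenerated, EventID, Message); the sample events are constructed in the layout of the events pasted in the question, and 'other-user' is made up. One detail worth reading alongside the answer: the failures show Logon Process "Advapi", which is the LogonUser() API path, whereas a person typing at the Winlogon console prompt is logged with Logon Process "User32", so the Process column of the matching 528 tells you which of the answer's four cases you are looking at.

```powershell
# Added example, not from the thread. Assumptions: PowerShell 2.0 or later;
# events carry TimeGenerated, EventID and Message as Get-EventLog returns them.
function Get-LogonField {
    param([string]$Message, [string]$Name)
    # Security event text is "Field:<whitespace>value" per line, as in the question
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':\s+(\S+)'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

function Find-LogonCorrelation {
    param(
        [object[]]$Events,          # objects with TimeGenerated, EventID, Message
        [int]$WindowSeconds = 600   # how soon after a failure a 528 still counts
    )
    $sorted = @($Events | Sort-Object TimeGenerated)
    foreach ($f in $sorted) {
        if (-not (@(529, 539) -contains $f.EventID)) { continue }
        $ws = Get-LogonField $f.Message 'Workstation Name'
        # First successful logon (528) on the same workstation inside the window
        $next = $sorted | Where-Object {
            $_.EventID -eq 528 -and
            $_.TimeGenerated -gt $f.TimeGenerated -and
            ($_.TimeGenerated - $f.TimeGenerated).TotalSeconds -le $WindowSeconds -and
            (Get-LogonField $_.Message 'Workstation Name') -eq $ws
        } | Select-Object -First 1
        $nextUser = '(none)'; $nextProc = ''
        if ($next) {
            $nextUser = Get-LogonField $next.Message 'User Name'
            $nextProc = Get-LogonField $next.Message 'Logon Process'
        }
        New-Object PSObject -Property @{
            Time        = $f.TimeGenerated
            Failure     = $f.EventID
            FailedUser  = Get-LogonField $f.Message 'User Name'
            Type        = Get-LogonField $f.Message 'Logon Type'
            Process     = Get-LogonField $f.Message 'Logon Process'
            NextSuccess = $nextUser
            NextProcess = $nextProc
        }
    }
}

function New-SampleEvent {
    param([datetime]$Time, [int]$Id, [string]$User, [string]$Process)
    # Constructed text in the layout of the events pasted in the question;
    # not real log data.
    $head = if ($Id -eq 528) { 'Successful Logon:' } else { 'Logon Failure:' }
    $lines = @(
        $head,
        "       User Name:      $User",
        '       Domain:            my-domain',
        '       Logon Type:      2',
        "       Logon Process:      $Process",
        '       Authentication Package:      Negotiate',
        '       Workstation Name:      that-computer'
    )
    New-Object PSObject -Property @{
        TimeGenerated = $Time; EventID = $Id; Message = ($lines -join "`r`n")
    }
}

# Three 529s, the 539 lockout, then a console logon by another account two
# minutes later ('other-user' is made up).
$t0 = [datetime]'2010-08-25 15:52:42'
$sample = @(
    (New-SampleEvent $t0 529 'my-user' 'Advapi'),
    (New-SampleEvent $t0.AddSeconds(1) 529 'my-user' 'Advapi'),
    (New-SampleEvent $t0.AddSeconds(2) 529 'my-user' 'Advapi'),
    (New-SampleEvent $t0.AddSeconds(3) 539 'my-user' 'Advapi'),
    (New-SampleEvent $t0.AddSeconds(120) 528 'other-user' 'User32')
)

Find-LogonCorrelation -Events $sample |
    Format-Table Time, Failure, FailedUser, Type, Process, NextSuccess, NextProcess -AutoSize

# Against the live log on the affected box:
# Find-LogonCorrelation -Events (Get-EventLog -LogName Security -InstanceId 528,529,539 -After (Get-Date).AddDays(-7))
```

As the answer says, a 528 by someone else right after the failures is circumstantial, not proof; but a 528 with Process "User32" from the same workstation makes the "someone at the console" cases likely, while Advapi failures with no 528 at all point back at a program calling LogonUser() with the old password, which is the asker's own theory.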

Author Comment

by:whoam
As the incident has not recurred I can't really TS this further.