Event IDs 529 then 539 over and over

A machine on the floor logged event 529 3 times for my account, locking it out. Then, for almost an hour, it logged event 539s. The User in the events is SYSTEM. However, under the event description the User Name is my account. I looked at services.msc on the box but no services listed my account. The event 529 description is as follows...
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            8/25/2010
Time:            3:52:42 PM
User:            NT AUTHORITY\SYSTEM
Computer:      that-computer
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      my-user
       Domain:            my-domain
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      that-computer

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The 539 details follow...


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            8/25/2010
Time:            3:52:43 PM
User:            NT AUTHORITY\SYSTEM
Computer:      that-computer
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      My-account
       Domain:      My-Domain
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      That-computer

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I think that some application has the user ID cached, and I've since changed my password, but I can't find it.

whoam Asked:
SylvainDrapeau Commented:
Wait a second... it just occurred to me that "Logon Type 2" is "Interactive", session 0, call it what you want, but it's in no way a batch file, network drive or anything like that... which means it's one of several things happening. Either:

- a user is trying to logon as you (malicious user ?)
- a user is trying to logon as himself on a computer you just logged off and does not change the default username
- a user is trying to log via IP KVM (you have any of those ?)
- a user is trying to logon via RDP /admin or /console which logs to session 0

Check whether event ID 528 is logged right after 529 from the same computer... that should point you to the right user, with only circumstantial evidence though.

Syldra
0
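The correlation suggested above (a burst of 529s for one user, the 539s that follow once the account is locked, and any 528 logged from the same workstation right afterwards) can be run mechanically over an exported event log. The script below is an added example, not code from the original thread: it parses the plain-text export layout shown in the question, counts the bad-password events that precede each lockout, reports which process path made the logon attempt (the Logon Process field: Advapi means the logon came through a LogonUser() API call from a process, scheduled task or runas, whereas a console or terminal-services logon through Winlogon shows User32), and lists the 528 successes on the same workstation in the minutes after the burst. The sample events, the lockout threshold of 3 and the 30-minute observation window are constructed assumptions for this example; the user and computer names reuse the thread's placeholders.

```python
"""Correlate Windows 2000/XP/2003 security audit events 529, 539 and 528.

Added example, not from the original thread. Reads the plain-text event
export layout shown in the question and:
  1. for each locked-out user, counts the 529 ("bad password") events in the
     observation window before the first 539 ("Account locked out");
  2. reports the Logon Process (Advapi = LogonUser() API call from a
     process/task/runas, User32 = Winlogon console or terminal services);
  3. lists 528 successes on the same workstation shortly after the burst.
The sample log, threshold and windows below are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
LOCKOUT_THRESHOLD = 3                 # assumed domain lockout threshold
OBSERVATION = timedelta(minutes=30)   # assumed lockout observation window
AFTER_BURST = timedelta(seconds=120)  # how long after the burst to look for 528


def parse_events(text):
    """Split an exported event-log text into one dict per event, sorted by time."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2)
        if key == "Event Type":           # every exported event starts with this field
            if cur:
                events.append(cur)
            cur = {}
        if cur is not None:
            cur[key] = val
    if cur:
        events.append(cur)
    for ev in events:
        ev["ts"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        ev["id"] = int(ev["Event ID"])
    return sorted(events, key=lambda e: e["ts"])


def logon_source(ev):
    """Translate the Logon Process field into the path the credentials took."""
    return {"Advapi": "LogonUser() API call (process, scheduled task, runas)",
            "User32": "Winlogon (console or terminal services)"}.get(
                ev["Logon Process"].strip(), "unknown")


def lockout_summary(events):
    """Per locked-out user: first 539, preceding 529 burst, number of 539 retries."""
    summary = {}
    for lock in (e for e in events if e["id"] == 539):
        user = lock["User Name"].lower()          # exports vary in case
        if user in summary:
            summary[user]["lockout_failures"] += 1
            continue
        burst = [e for e in events if e["id"] == 529
                 and e["User Name"].lower() == user
                 and lock["ts"] - OBSERVATION <= e["ts"] < lock["ts"]]
        summary[user] = {"first_lockout": lock["ts"], "bad_passwords": len(burst),
                         "reached_threshold": len(burst) >= LOCKOUT_THRESHOLD,
                         "lockout_failures": 1, "source": logon_source(lock),
                         "burst": burst}
    return summary


def successes_after(events, burst, window=AFTER_BURST):
    """528 events from the burst's workstation within `window` after its last 529."""
    last = burst[-1]
    wks = last["Workstation Name"].lower()
    return [e for e in events if e["id"] == 528
            and e["Workstation Name"].lower() == wks
            and last["ts"] < e["ts"] <= last["ts"] + window]


def _block(eid, time, user, process, reason=None, wks="that-computer"):
    """Build one event in the export layout from the thread (constructed sample)."""
    lines = ["Event Type: {} Audit".format("Success" if eid == 528 else "Failure"),
             "Event Source: Security", "Event Category: Logon/Logoff",
             "Event ID: {}".format(eid), "Date: 8/25/2010", "Time: {}".format(time),
             "User: NT AUTHORITY\\SYSTEM", "Computer: {}".format(wks), "Description:",
             "Successful Logon:" if eid == 528 else "Logon Failure:"]
    if reason:
        lines.append("       Reason: {}".format(reason))
    lines += ["       User Name: {}".format(user), "       Domain: my-domain",
              "       Logon Type: 2", "       Logon Process: {}".format(process),
              "       Authentication Package: Negotiate",
              "       Workstation Name: {}".format(wks), ""]
    return "\n".join(lines)


BAD = "Unknown user name or bad password"
SAMPLE = "".join([                                  # constructed sample log
    _block(529, "3:52:40 PM", "my-user", "Advapi", BAD),
    _block(529, "3:52:41 PM", "my-user", "Advapi", BAD),
    _block(529, "3:52:42 PM", "my-user", "Advapi", BAD),
    _block(539, "3:52:43 PM", "My-User", "Advapi", "Account locked out"),
    _block(528, "3:53:10 PM", "other-user", "User32"),               # same box
    _block(528, "3:53:20 PM", "other-user", "User32", wks="other-pc"),  # elsewhere
    _block(539, "3:57:43 PM", "My-User", "Advapi", "Account locked out"),
    _block(539, "4:02:43 PM", "My-User", "Advapi", "Account locked out"),
])

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for user, s in lockout_summary(evs).items():
        print(user, s["first_lockout"], "529s:", s["bad_passwords"],
              "539s:", s["lockout_failures"], "via", s["source"])
        for e in successes_after(evs, s["burst"]):
            print("  528 shortly after on", e["Workstation Name"], "by", e["User Name"])
```

On real data, export the Security log from Event Viewer as text and pass the file contents to `parse_events`; a burst whose `source` is the LogonUser() path points at a stored credential, task or process rather than someone typing at the console.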
 
SylvainDrapeau Commented:
Hello !

Using your terms, search the registry on "That-computer" for "My-account".

Check also for scheduled tasks.

Have you connected a network drive while under that computer's user account but using your account ?

Go to Control Panel -> User account and clear the saved password list (for the local user's account).

Can't think of anything else.

Syldra
0
 
anil_kumar137 Commented:
0
Prabhaheren Commented:
Have you set up a shared folder/file using your credentials, or any applications running with your privileges? Then you will have these events registered on the machine.
0
 
whoam Author Commented:
My account was under CONTROL PANEL > USER ACCOUNT. It was listed as a "Debug User". Have no idea what that is, but my thought is something had an 'under the hood' error and tried to summon the debug user. I removed it and we'll see.
0
 
whoam Author Commented:
I didn't find anything in the registry other than that I was the AltDefaultUserName. I left that alone.
0
 
SylvainDrapeau Commented:
Ok, when logged as the local user (not your account) go to Control Panel -> User Account -> Advanced Settings (second tab) -> Manage passwords (first button). Click on "Properties" on each of the connections listed there and see if your account is listed. If it is, delete that entry.

You could also do at the command prompt "net use > netuse.txt" then "net use * /delete /y", this will write the list of mapped drives to the file "netuse.txt" and unmap all drives, even persistent ones. If a drive was mapped using your credentials, it will disappear. Use the netuse.txt file to recreate mappings that are not created by domain settings and scripts.

Syldra
0
 
whoam Author Commented:
Syldra,

I went through the control panel. All blank. Drives are mapped by logon script. It also deletes previously mapped drives to start.

I haven't seen anything yet. I'm waiting for Friday, which seems to be when I see it. That of course points to a scheduled task, but none are listed.

Thanks
0
 
whoam Author Commented:
As the incident has not recurred I can't really TS this further.
0