Multiple logon failures Advapi Logon type 5

Posted on 2010-09-08
Last Modified: 2012-05-10
Hello, I have logon failures every minute in Event Viewer. Logon type is 5, logon process Advapi. I traced the process ID to services.exe. I can't figure out which service is causing it. The username that it's using is a user's account on the domain. I disabled the FTP, SharePoint, and IIS services since they aren't being used anyway, and restarted the server. Still no luck. The computer name is the server's name, but how can I trace which service is causing this?
Question by:Sean Rhudy

Expert Comment

by:khaledf
ID: 33637032
Can you explain more about where you are getting this event? On the domain controller?
Can you see which machine you are getting the failed logon attempt from?

Author Comment

by:Sean Rhudy
ID: 33637395
I'm getting it on the domain controller, it's the only server.  It's coming from itself, the server.  It gives a process id of 416.  I used task manager and traced it to services.exe.  So it must be one of the services that is trying to authenticate but can't.  I checked all of the started services, and none of them are using this user account.  I'm not sure how to find out exactly which service is causing the issue.
0
 

Author Comment

by:Sean Rhudy
ID: 33643070
It's the lsass.exe process that is causing the failure login events.  Could it be an lsass virus?

Expert Comment

by:khaledf
ID: 33648922
Have you changed the admin password recently?
Go to Services and you can see which services are using the credentials of admin or any other user.

Expert Comment

by:khaledf
ID: 33648941
Can you also post the details of the event log?

Accepted Solution

by:Sean Rhudy
ID: 33766818
This ended up being a rogue service that was trying to log in.
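One way to trace a type 5 (service) logon failure back to the service behind it, as an added example that is not part of the original thread: it groups the failure events, lists every installed service with the account it is configured to use (stopped services included, since a service that cannot log on does not stay running), and pulls the Service Control Manager errors that name the failing service. It assumes Windows Server 2008 or later (Security event 4625; older systems log different IDs) and `EXAMPLE\jdoe` is a placeholder for the account shown in the events.

```powershell
# Added example (not from the thread). Run elevated on the server logging the failures.
# ASSUMPTIONS: Windows Server 2008 or later (Security event 4625); $Account is a placeholder.
$Account = 'EXAMPLE\jdoe'                 # placeholder: account named in the failure events
$Since   = (Get-Date).AddHours(-1)
$leaf    = ($Account -split '\\')[-1]     # user name without the domain prefix

# 1. Failed logons of type 5 (service), grouped by account, calling process and failure code.
$secFilter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
$failed    = Get-WinEvent -FilterHashtable $secFilter -ErrorAction SilentlyContinue
$rows = foreach ($evt in $failed) {
    $d = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '5') {
        [pscustomobject]@{
            User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Process   = $d['ProcessName']
            LogonProc = "$($d['LogonProcessName'])".Trim()   # e.g. Advapi, padded with spaces
            SubStatus = $d['SubStatus']                      # NTSTATUS code for the failure
        }
    }
}
$rows | Group-Object User, Process, LogonProc, SubStatus |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Every installed service, in any state, that is configured with a non-built-in account.
#    Entries matching the account from the events are sorted to the top.
$builtIn = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
    Select-Object Name, State, StartMode, StartName, PathName,
        @{ Name = 'MatchesAccount'; Expression = { $_.StartName -like "*$leaf*" } } |
    Sort-Object MatchesAccount -Descending |
    Format-Table -AutoSize -Wrap

# 3. Service Control Manager errors in the System log. Event 7038 ("was unable to log on
#    as ...") names the service and the account directly; 7000 records the failed start.
$scmFilter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7038
    StartTime    = $Since
}
Get-WinEvent -FilterHashtable $scmFilter -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

In the second table, check `PathName` as well as `StartName`: a service binary in an unexpected location is worth examining even when the account looks legitimate.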