Multiple logon failures Advapi Logon type 5

Posted on 2010-09-08
Last Modified: 2012-05-10
Hello,  I have logon failures every minute in event viewer.  Logon type is 5, logon process advapi.  I traced the process id to services.exe.  I can't figure out which service is causing it. The username that it's using is a user's account on the domain.   I disabled FTP, sharepoint, and IIS services since they aren't being used anyway, and restarted the server.  Still no luck.  the Computer name is the server's name, but how can I trace which service is causing this?
Question by:seanrhudy
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3

Expert Comment

ID: 33637032
can you explain more where are you getting this event? in domain controler?
can you see from which machine you are getting the failed logon attempt from?

Author Comment

ID: 33637395
I'm getting it on the domain controller, it's the only server.  It's coming from itself, the server.  It gives a process id of 416.  I used task manager and traced it to services.exe.  So it must be one of the services that is trying to authenticate but can't.  I checked all of the started services, and none of them are using this user account.  I'm not sure how to find out exactly which service is causing the issue.

Author Comment

ID: 33643070
It's the lsass.exe process that is causing the failure login events.  Could it be an lsass virus?
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.


Expert Comment

ID: 33648922
have you changed the admin password recently?
go to services and you can see what services are using credentials of admin or any other user.

Expert Comment

ID: 33648941
can you also post event the details of the event log?

Accepted Solution

seanrhudy earned 0 total points
ID: 33766818
This ended up being a rogue service that was trying to login.  

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
server crashed 2 82
Rdp printing 5 30
SSIS Paramater on start 2 56
Protecting Server 2003 against Ransomware 2 80
Learn about cloud computing and its benefits for small business owners.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question