Solved

Multiple logon failures Advapi Logon type 5

Posted on 2010-09-08
6
1,538 Views
Last Modified: 2012-05-10
Hello,  I have logon failures every minute in event viewer.  Logon type is 5, logon process advapi.  I traced the process id to services.exe.  I can't figure out which service is causing it. The username that it's using is a user's account on the domain.   I disabled FTP, sharepoint, and IIS services since they aren't being used anyway, and restarted the server.  Still no luck.  the Computer name is the server's name, but how can I trace which service is causing this?
0
Comment
Question by:Sean Rhudy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 9

Expert Comment

by:khaledf
ID: 33637032
can you explain more where are you getting this event? in domain controler?
can you see from which machine you are getting the failed logon attempt from?
0
 

Author Comment

by:Sean Rhudy
ID: 33637395
I'm getting it on the domain controller, it's the only server.  It's coming from itself, the server.  It gives a process id of 416.  I used task manager and traced it to services.exe.  So it must be one of the services that is trying to authenticate but can't.  I checked all of the started services, and none of them are using this user account.  I'm not sure how to find out exactly which service is causing the issue.
0
 

Author Comment

by:Sean Rhudy
ID: 33643070
It's the lsass.exe process that is causing the failure login events.  Could it be an lsass virus?
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 9

Expert Comment

by:khaledf
ID: 33648922
have you changed the admin password recently?
go to services and you can see what services are using credentials of admin or any other user.
0
 
LVL 9

Expert Comment

by:khaledf
ID: 33648941
can you also post event the details of the event log?
0
 

Accepted Solution

by:
Sean Rhudy earned 0 total points
ID: 33766818
This ended up being a rogue service that was trying to login.  
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question