Sean Rhudy
asked on
Multiple logon failures Advapi Logon type 5
Hello, I have logon failures every minute in Event Viewer. Logon type is 5, logon process Advapi. I traced the process ID to services.exe. I can't figure out which service is causing it. The username that it's using is a user's account on the domain. I disabled FTP, SharePoint, and IIS services since they aren't being used anyway, and restarted the server. Still no luck. The computer name is the server's name, but how can I trace which service is causing this?
ASKER
I'm getting it on the domain controller, it's the only server. It's coming from itself, the server. It gives a process ID of 416. I used Task Manager and traced it to services.exe. So it must be one of the services that is trying to authenticate but can't. I checked all of the started services, and none of them are using this user account. I'm not sure how to find out exactly which service is causing the issue.
ASKER
It's the lsass.exe process that is causing the failure login events. Could it be an lsass virus?
Have you changed the admin password recently?
Go to Services and you can see what services are using credentials of admin or any other user.
Can you also post the details of the event log?
Can you see which machine you are getting the failed logon attempt from?
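
The check suggested in the replies above (which services are configured to log on as the account), combined with a summary of the type 5 failures, as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt on the affected server and a Windows version that records failed logons as Security event 4625; `jsmith` is a placeholder for the account named in the events.

```powershell
# Added example, not from the thread. Assumptions: elevated session on the
# affected server, failed logons recorded as Security event ID 4625.
$Account = 'jsmith'   # placeholder: the account shown in the failure events

# 1. Every service (running or stopped) configured to log on as that account.
#    Stopped services with Automatic start still retry and fail at the SCM.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "*$Account*" } |
    Select-Object Name, DisplayName, StartName, State, StartMode, ProcessId

# 2. Failed logons from the last hour, reduced to logon type 5 (service).
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData><Data Name="...">value</Data> pairs.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['LogonType'] -eq '5') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $data['TargetUserName']
                LogonProc  = "$($data['LogonProcessName'])".Trim()
                Status     = $data['Status']      # NTSTATUS of the failure
                SubStatus  = $data['SubStatus']   # e.g. bad password vs. disabled account
                CallerPid  = $data['ProcessId']   # hex; convert to match Task Manager
                CallerName = $data['ProcessName']
            }
        }
    }

# 3. Which account fails, from which caller, with which failure reason, how often.
$failures |
    Group-Object User, CallerName, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If step 1 returns nothing for the account, the `SubStatus` and timing pattern from step 3 are the details worth posting when someone asks for the event log contents.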