Solved

Multiple logon failures Advapi Logon type 5

Posted on 2010-09-08
6
1,405 Views
Last Modified: 2012-05-10
Hello,  I have logon failures every minute in event viewer.  Logon type is 5, logon process advapi.  I traced the process id to services.exe.  I can't figure out which service is causing it. The username that it's using is a user's account on the domain.   I disabled FTP, sharepoint, and IIS services since they aren't being used anyway, and restarted the server.  Still no luck.  the Computer name is the server's name, but how can I trace which service is causing this?
0
Comment
Question by:seanrhudy
  • 3
  • 3
6 Comments
 
LVL 9

Expert Comment

by:khaledf
ID: 33637032
can you explain more where are you getting this event? in domain controler?
can you see from which machine you are getting the failed logon attempt from?
0
 

Author Comment

by:seanrhudy
ID: 33637395
I'm getting it on the domain controller, it's the only server.  It's coming from itself, the server.  It gives a process id of 416.  I used task manager and traced it to services.exe.  So it must be one of the services that is trying to authenticate but can't.  I checked all of the started services, and none of them are using this user account.  I'm not sure how to find out exactly which service is causing the issue.
0
 

Author Comment

by:seanrhudy
ID: 33643070
It's the lsass.exe process that is causing the failure login events.  Could it be an lsass virus?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 9

Expert Comment

by:khaledf
ID: 33648922
have you changed the admin password recently?
go to services and you can see what services are using credentials of admin or any other user.
0
 
LVL 9

Expert Comment

by:khaledf
ID: 33648941
can you also post event the details of the event log?
0
 

Accepted Solution

by:
seanrhudy earned 0 total points
ID: 33766818
This ended up being a rogue service that was trying to login.  
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question