Solved

Windows 7 login failure

Posted on 2010-09-11
Last Modified: 2013-12-04
I have searched high and low but I cannot find why this login failure is continually generated when the domain user logs on (user1 is an administrator on the local machine).  The system is Windows 7 x64 in a 2003 domain.  The guest account is renamed per GPO (old-guest-account).  I have searched high and low, ran scans, etc.  Can someone point me in a worthy direction?

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/10/2010 10:41:06 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DESKTOP1.mydomain.local
Description:
An account failed to log on.

Subject:
      Security ID:            MYDOMAIN\user1
      Account Name:            user1
      Account Domain:            MYDOMAIN
      Logon ID:            0x66c4d7a

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            old-guest-account
      Account Domain:            DESKTOP1

Failure Information:
      Failure Reason:            Account currently disabled.
      Status:                  0xc000006e
      Sub Status:            0xc0000072

Process Information:
      Caller Process ID:      0x964
      Caller Process Name:      C:\Windows\explorer.exe

Network Information:
      Workstation Name:      DESKTOP1
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Question by:VigilantServices
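Added example, not from the thread: a small Python triage script that parses a 4625 event body like the one posted above, decodes the Status / Sub Status NTSTATUS values and the logon type, and reports whether the failing credentials were handed to LSA by a process on the host itself (logon process Advapi, a named caller process, no source network address) rather than arriving over the network. That distinction is the clue the thread eventually follows to Windows Media Player. Status names come from Microsoft's 4625 documentation; the embedded sample is a constructed, trimmed copy of the posted event.

```python
import re
# NTSTATUS values seen in a 4625 Status / Sub Status field (per Microsoft's 4625 reference).
STATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
          0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
          0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}
# Constructed sample: the thread's 4625 event body, trimmed to the fields used below.
SAMPLE = r"""Subject:
      Account Name:            user1
      Account Domain:            MYDOMAIN
Logon Type:                  3
Account For Which Logon Failed:
      Account Name:            old-guest-account
      Account Domain:            DESKTOP1
Failure Information:
      Status:                  0xc000006e
      Sub Status:            0xc0000072
Process Information:
      Caller Process Name:      C:\Windows\explorer.exe
Network Information:
      Source Network Address:      -
Detailed Authentication Information:
      Logon Process:            Advapi"""

def parse_event(text):
    """Map (section, label) -> value; a 'Label:' line with no value opens a section."""
    fields, section = {}, ""
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[(section, m.group(1))] = m.group(2)
        elif m:
            section = m.group(1)
    return fields

def triage(text):
    """Summarise who supplied the failing credentials, for which account, and from where."""
    f = parse_event(text)
    get = lambda sec, lab: f.get((sec, lab), "-")
    acct = lambda sec: get(sec, "Account Domain") + "\\" + get(sec, "Account Name")
    status = int(get("Failure Information", "Status"), 16)
    sub = int(get("Failure Information", "Sub Status"), 16)
    # Advapi as the logon process plus a caller process and no source address means a
    # program on this host handed the target account's credentials to LSA itself.
    local = (get("Detailed Authentication Information", "Logon Process") == "Advapi"
             and get("Network Information", "Source Network Address") == "-")
    return {"subject": acct("Subject"), "target": acct("Account For Which Logon Failed"),
            "logon_type": LOGON_TYPE.get(int(get("Subject", "Logon Type")), "unknown"),
            "caller": get("Process Information", "Caller Process Name"),
            "status": STATUS.get(status, hex(status)), "sub_status": STATUS.get(sub, hex(sub)),
            "origin": "local process" if local else "network/other"}
```

Grouping many such events by the `caller` and `target` values narrows the search to the program that keeps supplying the guest account's credentials.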
16 Comments
 
LVL 3

Expert Comment

by:mrmark75
ID: 33653922
From what I can see it looks like the account is disabled. Possibly a lockout after too many attempts.
 

Author Comment

by:VigilantServices
ID: 33653963
Yes, but how do I track down where it came from so I can fix it?
 
LVL 3

Expert Comment

by:mrmark75
ID: 33655721
Go to Start/Run and type: dsa.msc. When the snap-in launches, go to your user, right-click and choose Properties, then go to the Account tab and look in the middle; there will be a check box that says account is locked. If it is checked, uncheck it.
 

Author Comment

by:VigilantServices
ID: 33657140
The user1 account is not locked.  User can log on and work normally, but it is the only PC that continually has failed login messages in the security event logs.  The primary issue I have is, why is the user1 account generating these failed logins on the renamed, disabled guest account.

There is additional information in these event logs.  Sometimes they come across with a security ID of S-1-0-0 instead of NULL SID.  They are always associated with explorer.exe, so I am assuming something is starting up under the user's credential upon login.  I just can't find it (used Autoruns) or I am missing something.
 
LVL 3

Expert Comment

by:dccj
ID: 33657159
Have you tried deleting the machine account on the server and re-adding it? Sometimes these things are more trouble to diagnose than replace.

Oh, also, have you verified that the time on the Win7 machine is within 5 minutes of the server? That is a must!
 

Author Comment

by:VigilantServices
ID: 33657250
The machine account is and has been authenticating properly.  The time service is working properly.  The bottom line question is, I am thinking, how to track down what is trying to authenticate as the guest account (using the SID) from the logged in account via explorer.exe?
 
LVL 3

Expert Comment

by:dccj
ID: 33657526
Ah, I see now. Sorry - didn't read that right.

I assume you did a net use. If there was some connection made in the past that is persistent, and had used those credentials, it would still be trying to reconnect. Maybe an old printer connection?
 

Author Comment

by:VigilantServices
ID: 33658699
Okay, watched TCPView and Process Explorer, but saw nothing.  Watched the user rip CDs and events came across at the same time as the Rip button was pressed.  Using Windows Media Player 12.0.7600.16415.  Apparently the culprit is WiMP.

Checked all possible settings but cannot find out why WiMP would be doing this?

Anyone?
 
LVL 3

Expert Comment

by:dccj
ID: 33659068
Is there a shared media connection that was using the guest account?
 

Author Comment

by:VigilantServices
ID: 33663497
There is no Library tab.  In the Library section, there are Organize, Stream, and Create Playlist choices on the menu bar.  Under Stream, all of the Streaming options are off.
 
LVL 3

Expert Comment

by:dccj
ID: 33663951
Let me make sure I understand this. The guest is trying to log onto the server or onto the local machine (desktop1)?
 

Author Comment

by:VigilantServices
ID: 33665037
If I read the event log information correctly, it appears that the logged on user (MYDOMAIN\user1) is trying to connect to the local machine (DESKTOP1) using the guest account credentials.  The application that is trying to make this connection is Windows Media Player when performing a CD Rip.
 
LVL 3

Accepted Solution

by:
dccj earned 250 total points
ID: 33672384
Try this and let's see if it helps.

First:
1.      Launch Windows Media Player and hit on Alt Key on keyboard.
2.      Click Tools and click Options.
3.      Now click on Network Tab.
4.      Uncheck Allow the player to receive multicast streams.
5.      Click Apply and click OK.

Then set "Windows Media Player Network Sharing Service" startup to manual in services.msc. Be sure to stop the service or reboot. Let's see if that doesn't fix it.
 

Author Comment

by:VigilantServices
ID: 33673045
No, still doing it.  There is one other event associated with it and now I see they are coming across even when WiMP is not running.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/14/2010 7:15:30 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DESKTOP1.mydomain.local
Description:
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      old-guest-account
Source Workstation:      DESKTOP1
Error Code:      0xc0000072
 
LVL 3

Expert Comment

by:dccj
ID: 33673277
Wow - this is a weird one. I thought we had it with the WMP thing!

I guess the next step from here is using msconfig. If it happens frequently enough, it won't take too long.

I would start by turning off all non-Microsoft services except maybe antivirus and anything you can't live without for a short time. Also turn off all startups except the same list.

If you hit it, then it's a matter of careful elimination. If not, then it's something that is left over. Or it's a Microsoft service, but that would be weird.

On a side note, you can see that renaming the guest account doesn't prevent access to it because the SID is still the same. Password protecting it is really the only way to make it secure.
 

Author Comment

by:VigilantServices
ID: 33677251
1. Turned off all startup items (nVidia Control Panel, MS Sec Essentials, Comodo AV, HP LightScribe, Google Desktop, Citrix ICA Client, Adobe CS4 Service Mgr, and two undefined Lexmark printer apps).
2. Turned them all on by groups and tested.
3. Issue cannot be replicated.

My best guess is that turning off "Allow the player to receive multicast streams" did the trick, but only after a reboot.