Windows 7 login failure

I have searched high and low but I cannot find why this login failure is continually generated when the domain user logs on (user1 is an administrator on the local machine).  The system is Windows 7 x64 in a 2003 domain.  The guest account is renamed per GPO (old-guest-account).  I have searched high and low, ran scans, etc.  Can someone point me in a worthy direction?

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/10/2010 10:41:06 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DESKTOP1.mydomain.local
Description:
An account failed to log on.

Subject:
      Security ID:            MYDOMAIN\user1
      Account Name:            user1
      Account Domain:            MYDOMAIN
      Logon ID:            0x66c4d7a

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            old-guest-account
      Account Domain:            DESKTOP1

Failure Information:
      Failure Reason:            Account currently disabled.
      Status:                  0xc000006e
      Sub Status:            0xc0000072

Process Information:
      Caller Process ID:      0x964
      Caller Process Name:      C:\Windows\explorer.exe

Network Information:
      Workstation Name:      DESKTOP1
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
VigilantServices Asked:

dccj Commented:
Try this and let's see if it helps.

First:
1.      Launch Windows Media Player and hit on Alt Key on keyboard.
2.      Click Tools and click Options.
3.      Now click on Network Tab.
4.      Uncheck Allow the player to receive multicast streams.
5.      Click Apply and click OK.

Then set "Windows Media Player Network Sharing Service" startup to manual in services.msc. Be sure to stop the service or reboot. Let's see if that doesn't fix it.

mrmark75 Commented:
From what I can see, it looks like the account is disabled. Possibly a lockout after too many attempts.

VigilantServices Author Commented:
Yes, but how do I track down where it came from so I can fix it?

mrmark75 Commented:
Go to Start/Run and type: dsa.msc. When the snap-in launches, go to your user, right-click and choose Properties, then go to the Account tab and look in the middle. There will be a check box that says the account is locked; if it is, then uncheck it.

VigilantServices Author Commented:
The user1 account is not locked.  User can log on and work normally, but it is the only PC that continually has failed login messages in the security event logs.  The primary issue I have is, why is the user1 account generating these failed logins on the renamed, disabled guest account?

There is additional information in these event logs.  Sometimes they come across with a security ID of S-1-0-0 instead of NULL SID.  They are always associated with explorer.exe, so I am assuming something is starting up under the user's credential upon login.  I just can't find it (used Autoruns) or I am missing something.

dccj Commented:
Have you tried deleting the machine account on the server and re-adding it? Sometimes these things are more trouble to diagnose than replace.

Oh, also, have you verified that the time on the Win7 machine is within 5 minutes of the server? That is a must!

VigilantServices Author Commented:
The machine account is and has been authenticating properly.  The time service is working properly.  The bottom line question is, I am thinking, how to track down what is trying to authenticate as the guest account (using the SID) from the logged in account via explorer.exe?

dccj Commented:
Ah, I see now. Sorry - didn't read that right.

I assume you did a net use. If there was some connection made in the past that is persistent, and had used those credentials, it would still be trying to reconnect. Maybe an old printer connection?

VigilantServices Author Commented:
Okay, watched TCPView and Process Explorer, but saw nothing.  Watched the user rip CDs and events came across at the same time as the Rip button was pressed.  Using Windows Media Player 12.0.7600.16415.  Apparently the culprit is WiMP.

Checked all possible settings but cannot find out why WiMP would be doing this.

Anyone?

dccj Commented:
Is there a shared media connection that was using the guest account?

VigilantServices Author Commented:
There is no Library tab.  In the Library section, there are Organize, Stream, and Create Playlist choices on the menu bar.  Under Stream, all of the Streaming options are off.

dccj Commented:
Let me make sure I understand this. The guest is trying to log onto the server or onto the local machine (desktop1)?

VigilantServices Author Commented:
If I read the event log information correctly, it appears that the logged on user (MYDOMAIN\user1) is trying to connect to the local machine (DESKTOP1) using the guest account credentials.  The application that is trying to make this connection is Windows Media Player when performing a CD Rip.

VigilantServices Author Commented:
No, still doing it.  There is one other event associated with it and now I see they are coming across even when WiMP is not running.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/14/2010 7:15:30 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DESKTOP1.mydomain.local
Description:
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      old-guest-account
Source Workstation:      DESKTOP1
Error Code:      0xc0000072
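
A triage of the two events posted in this thread, as an added example that is not part of the original posts: it parses the rendered event text (trimmed copies of the 4625 and 4776 above), decodes the status codes, and checks whether the attempt originated on the machine itself. The function names, the shortened code tables and the rule used to match the 4776 to the 4625 are assumptions made for this example.

```python
# NTSTATUS names (ntstatus.h) and logon types, limited to those relevant to this thread.
NTSTATUS = {0xC000006E: "STATUS_ACCOUNT_RESTRICTION", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}
TARGET, FAIL, NET = "Account For Which Logon Failed", "Failure Information", "Network Information"

# Trimmed copies of the two events posted in this thread.
EVENT_4625 = r"""Computer:      DESKTOP1.mydomain.local
Subject:
      Security ID:            MYDOMAIN\user1
Logon Type:                  3
Account For Which Logon Failed:
      Account Name:            old-guest-account
      Account Domain:            DESKTOP1
Failure Information:
      Status:                  0xc000006e
      Sub Status:            0xc0000072
Process Information:
      Caller Process Name:      C:\Windows\explorer.exe
Network Information:
      Workstation Name:      DESKTOP1
      Source Network Address:      -"""
EVENT_4776 = "Logon Account:      old-guest-account\nError Code:      0xc0000072"

def parse_event(text):
    """Rendered event text -> {(section, field): value}; top-level fields use section ''."""
    fields, section = {}, ""
    for line in text.splitlines():
        key, sep, value = line.partition(":")    # first colon only, so C:\... stays intact
        if sep and not value.strip():
            section = key.strip()                # "Subject:" style header opens a section
        elif sep:                                # lines without a colon are free text
            fields[(section if line[0].isspace() else "", key.strip())] = value.strip()
    return fields

def triage(logon_text, validation_text):
    """Summarise who asked for the logon, as whom, from where, and why it failed."""
    ev, val = parse_event(logon_text), parse_event(validation_text)
    sub = int(ev[FAIL, "Sub Status"], 16)
    return {"requested_by": ev["Subject", "Security ID"],
            "target": ev[TARGET, "Account Domain"] + "\\" + ev[TARGET, "Account Name"],
            "logon_type": LOGON_TYPES.get(int(ev["", "Logon Type"]), "other"),
            "status": NTSTATUS.get(int(ev[FAIL, "Status"], 16), "unmapped"),
            "sub_status": NTSTATUS.get(sub, "unmapped"),
            "caller": ev["Process Information", "Caller Process Name"],
            "local_origin": ev[NET, "Source Network Address"] == "-"      # no remote peer
                            and ev[NET, "Workstation Name"] == ev["", "Computer"].split(".")[0],
            "matches_4776": val["", "Logon Account"] == ev[TARGET, "Account Name"]
                            and int(val["", "Error Code"], 16) == sub}    # heuristic link
```

For these two events the result names MYDOMAIN\user1 as the requester, DESKTOP1\old-guest-account as the target, a Network logon from the machine itself, and STATUS_ACCOUNT_DISABLED as the sub status in both events.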
 
dccj Commented:
Wow - this is a weird one. I thought we had it with the WMP thing!

I guess the next step from here is using msconfig. If it happens frequently enough, it won't take too long.

I would start by turning off all non-Microsoft services except maybe antivirus and anything you can't live without for a short time. Also turn off all startups except the same list.

If you hit it, then it's a matter of careful elimination. If not, then it's something that is left over. Or it's a Microsoft service, but that would be weird.

On a side note, you can see that renaming the guest account doesn't prevent access to it because the SID is still the same. Password protecting it is really the only way to make it secure.

VigilantServices Author Commented:
1. Turned off all startup items (nVidia Control Panel, MS Sec Essentials, Comodo AV, HP LightScribe, Google Desktop, Citrix ICA Client, Adobe CS4 Service Mgr, and two undefined Lexmark printer apps).
2. Turned them all on by groups and tested.
3. Issue can not be replicated.

My best guess is that turning off "Allow the player to receive multicast streams" did the trick, but only after a reboot.
Question has a verified solution.
