Solved

Windows 7 login failure

Posted on 2010-09-11
Last Modified: 2013-12-04
I have searched high and low but I cannot find why this login failure is continually generated when the domain user logs on (user1 is an administrator on the local machine).  The system is Windows 7 x64 in a 2003 domain.  The guest account is renamed per GPO (old-guest-account).  I have searched high and low, run scans, etc.  Can someone point me in a worthy direction?

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/10/2010 10:41:06 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DESKTOP1.mydomain.local
Description:
An account failed to log on.

Subject:
      Security ID:            MYDOMAIN\user1
      Account Name:            user1
      Account Domain:            MYDOMAIN
      Logon ID:            0x66c4d7a

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            old-guest-account
      Account Domain:            DESKTOP1

Failure Information:
      Failure Reason:            Account currently disabled.
      Status:                  0xc000006e
      Sub Status:            0xc0000072

Process Information:
      Caller Process ID:      0x964
      Caller Process Name:      C:\Windows\explorer.exe

Network Information:
      Workstation Name:      DESKTOP1
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Question by:VigilantServices
16 Comments
 
LVL 3

Expert Comment

by:mrmark75
ID: 33653922
From what I can see, it looks like the account is disabled. Possibly a lockout after too many attempts.
0
 

Author Comment

by:VigilantServices
ID: 33653963
Yes, but how do I track down where it came from so I can fix it?
0
 
LVL 3

Expert Comment

by:mrmark75
ID: 33655721
Go to Start/Run and type: dsa.msc. When the snap-in launches, go to your user, right-click and choose Properties, then go to the Account tab and look in the middle; there will be a check box that says the account is locked. If it is, then uncheck it.
0

 

Author Comment

by:VigilantServices
ID: 33657140
The user1 account is not locked.  User can log on and work normally, but it is the only PC that continually has failed login messages in the security event logs.  The primary issue I have is, why is the user1 account generating these failed logins on the renamed, disabled guest account.

There is additional information in these event logs.  Sometimes they come across with a security ID of S-1-0-0 instead of NULL SID.  They are always associated with explorer.exe, so I am assuming something is starting up under the user's credential upon login.  I just can't find it (used Autoruns) or I am missing something.
0
 
LVL 3

Expert Comment

by:dccj
ID: 33657159
Have you tried deleting the machine account on the server and re-adding it? Sometimes these things are more trouble to diagnose than replace.

Oh, also, have you verified that the time on the Win7 machine is within 5 minutes of the server? That is a must!
0
 

Author Comment

by:VigilantServices
ID: 33657250
The machine account is and has been authenticating properly.  The time service is working properly.  The bottom line question is, I am thinking, how to track down what is trying to authenticate as the guest account (using the SID) from the logged in account via explorer.exe?
0
 
LVL 3

Expert Comment

by:dccj
ID: 33657526
Ah, I see now. Sorry - didn't read that right.

I assume you did a net use. If there was some connection made in the past that is persistent, and had used those credentials, it would still be trying to reconnect. Maybe an old printer connection?
0
 

Author Comment

by:VigilantServices
ID: 33658699
Okay, watched tcpview and process explorer, but saw nothing.  Watched the user rip CDs and events came across at the same time as the Rip button was pressed.  Using Windows Media Player 12.0.7600.16415.  Apparently the culprit is WiMP.

Checked all possible settings but cannot find out why WiMP would be doing this?

Anyone?
0
 
LVL 3

Expert Comment

by:dccj
ID: 33659068
Is there a shared media connection that was using the guest account?
0
 

Author Comment

by:VigilantServices
ID: 33663497
There is no Library tab.  In the Library section, there are Organize, Stream, and Create Playlist choices on the menu bar.  Under Stream, all of the Streaming options are off.
0
 
LVL 3

Expert Comment

by:dccj
ID: 33663951
Let me make sure I understand this. The guest is trying to log onto the server or onto the local machine (desktop1)?
0
 

Author Comment

by:VigilantServices
ID: 33665037
If I read the event log information correctly, it appears that the logged on user (MYDOMAIN\user1) is trying to connect to the local machine (DESKTOP1) using the guest account credentials.  The application that is trying to make this connection is Windows Media Player when performing a CD Rip.
0
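The reading of the 4625 event given in the comment above can be checked mechanically. The following Python sketch is an added example, not part of the original thread: it parses the text rendering of the event, decodes the Status and Sub Status codes, and applies a heuristic for whether the request started on the machine itself. The function names and the abridged sample are this example's own; the field values are copied from the event in the question.

```python
# NTSTATUS codes that appear in 4625 Status / Sub Status fields (subset)
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD", 0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
            0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}
# Fields copied from the 4625 event in the question (abridged text rendering)
SAMPLE_4625 = """\
Computer:      DESKTOP1.mydomain.local
Subject:
      Account Name:            user1
      Account Domain:            MYDOMAIN
Logon Type:                  3
Account For Which Logon Failed:
      Account Name:            old-guest-account
      Account Domain:            DESKTOP1
Failure Information:
      Status:                  0xc000006e
      Sub Status:            0xc0000072
Process Information:
      Caller Process Name:      C:\\Windows\\explorer.exe
Network Information:
      Workstation Name:      DESKTOP1
      Source Network Address:      -
"""

def parse_event(text):  # returns {(section, field): value}
    fields, section = {}, ""
    for line in filter(str.strip, text.splitlines()):
        key, _, value = (part.strip() for part in line.partition(":"))
        if not line[0].isspace():      # unindented: section header or top-level field
            section = "" if value else key
        if value:
            fields[(section, key)] = value
    return fields

def triage(text):
    f = parse_event(text)
    host = f[("", "Computer")].split(".")[0].upper()
    return {
        "logon_type": LOGON_TYPES.get(int(f[("", "Logon Type")]), "Other"),
        "status": NTSTATUS.get(int(f[("Failure Information", "Status")], 16), "unknown"),
        "sub_status": NTSTATUS.get(int(f[("Failure Information", "Sub Status")], 16), "unknown"),
        # Target domain equal to the host name: a local SAM account, not a domain account
        "target_is_local": f[("Account For Which Logon Failed", "Account Domain")].upper() == host,
        # Heuristic: no source address and the machine's own name means a local request
        "local_origin": f[("Network Information", "Source Network Address")] in ("-", "::1", "127.0.0.1")
                        and f[("Network Information", "Workstation Name")].upper() == host,
        "caller": f[("Process Information", "Caller Process Name")],
        "requested_by": "\\".join(f[("Subject", k)] for k in ("Account Domain", "Account Name")),
    }
```

Calling `triage(SAMPLE_4625)` reports a Network logon for a local account with sub status STATUS_ACCOUNT_DISABLED, requested by MYDOMAIN\user1 through explorer.exe on the same host.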
 
LVL 3

Accepted Solution

by:
dccj earned 1000 total points
ID: 33672384
Try this and let's see if it helps.

First:
1.      Launch Windows Media Player and hit the Alt key on the keyboard.
2.      Click Tools and click Options.
3.      Now click on Network Tab.
4.      Uncheck Allow the player to receive multicast streams.
5.      Click Apply and click OK.

Then set "Windows Media Player Network Sharing Service" startup to manual in services.msc. Be sure to stop the service or reboot. Let's see if that doesn't fix it.
0
 

Author Comment

by:VigilantServices
ID: 33673045
No, still doing it.  There is one other event associated with it and now I see they are coming across even when WiMP is not running.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/14/2010 7:15:30 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DESKTOP1.mydomain.local
Description:
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      old-guest-account
Source Workstation:      DESKTOP1
Error Code:      0xc0000072
0
 
LVL 3

Expert Comment

by:dccj
ID: 33673277
Wow - this is a weird one. I thought we had it with the WMP thing!

I guess the next step from here is using msconfig. If it happens frequently enough, it won't take too long.

I would start by turning off all non-Microsoft services except maybe antivirus and anything you can't live without for a short time. Also turn off all startups except the same list.

If you hit it, then it's a matter of careful elimination. If not, then it's something that is left over. Or it's a Microsoft service, but that would be weird.

On a side note, you can see that renaming the guest account doesn't prevent access to it because the SID is still the same. Password protecting it is really the only way to make it secure.
0
 

Author Comment

by:VigilantServices
ID: 33677251
1. Turned off all startup items (nVidia Control Panel, MS Sec Essentials, Comodo AV, HP LightScribe, Google Desktop, Citrix ICA Client, Adobe CS4 Service Mgr, and two undefined Lexmark printer apps).
2. Turned them all on by groups and tested.
3. Issue can not be replicated.

My best guess is that turning off "Allow the player to receive multicast streams" did the trick, but only after a reboot.
0
