Failure Audit Security logs Event ID 529 occurring every 5 minutes

Posted on 2012-08-24
Last Modified: 2012-08-27
I am getting a security log "failure audit" (every 5 minutes like clock-work).

Event Properties


Date: xx/xx/xxxx              Source: Security
Time: xx:xx:xxAM             Category: Logon/Logoff
Type: Failure Aud              Event ID:   529
Computer:   "ServerName"

Logon Failure:

    Reason:        Unknown user name or bad password
    User Name:   "Local admin user name"
    Domain:        "DomainName"
    Logon Type:   7
    Logon Process: Advapi
    Authentication Package:   Negotiate
    Workstation Name:         "ServerName"
    Caller User Name:            "ServerName$"
    Caller Domain:                 "DomainName"
    Caller Process ID:             2864
    Transited Services:  -      (nothing in this field)
    Source Network Address: -    (nothing in this field)
    Source Port:  -              (nothing in this field)
Question by:markc56
    LVL 52

    Accepted Solution

    Security Event 529 is logged for local user accounts

    Open a command prompt and type "tasklist /svc" without the quotes ... .scroll down and check which service\application is using PID 2864 (mentioned in the Audit log)

    Not sure if some Admin password is changed and not on the Application ?

    - Rancy
    LVL 52

    Expert Comment

    Is there any Scheduled task running every 5 minutes or application that tries to access some data every 5 minutes ..... maybe some changes needed on it ?

    - Rancy
    LVL 60

    Assisted Solution

    Looks like this

    The auth package stated negotiation and it is referring to kerberos checks.
    This problem occurs if you use a local user account to run the program and the WMI scripts that you use in the program require Administrators group membership verification. As mentioned by Rancy, can check out PID (it may changed if you reboot the station) to see the "culprit"
    LVL 3

    Author Comment

    Thanks for the feedback. I will not have access to the server until Monday (8/27), but I will check along these lines first thing and post.

    Featured Post

    Superior storage. Superior surveillance.

    WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

    Join & Write a Comment

    Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
    If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now