Event ID 12294 in event log

Hi Experts,
I regularly get the following event ID in my SBS2011 server event log. I have read and understand this is something or someone trying to access the administrator account. I actually think it's possible that there is a service or process that uses the administrator account, but is unable to log in because the administrator password was changed a while back. Is there any way to tell from the event what might be trying to log in using those credentials?

Event ID 12294 Directory-Services-SAM
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
Asked by ChiIT



Marwan Osman commented:
Hi,

You must first find out the computer from which the logon attempts are initiated. On your DC, in Event Viewer, filter for event ID 4776, then click Find and type the account name; the event may contain the name of the computer from which the failed authentication happened using the account concerned.
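The 4776 filter described in the reply above, done from PowerShell rather than the Event Viewer UI. This is an added example and is not from the thread. Event 4776 is written on the DC for every NTLM credential validation and carries a Workstation field naming the client that sent the request (Kerberos pre-authentication failures land in 4771 instead); the account name and the 7-day look-back are assumptions. It uses Get-WmiObject-era syntax so it also runs on the PowerShell 2.0 that ships with SBS 2011.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
# Summarises failed 4776 validations for one account by source workstation.
$account = 'Administrator'            # assumption: account under investigation
$since   = (Get-Date).AddDays(-7)     # assumption: look-back window

# Well-known NTSTATUS values seen in the Status field of 4776
$meaning = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'no such user'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML instead of relying on
        # Properties[] positions. 4776 carries: PackageName, TargetUserName, Workstation, Status.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['Workstation']
            Status      = $d['Status'].ToLower()
        }
    } |
    Where-Object { $_.Account -eq $account -and $_.Status -ne '0x0' } |
    Group-Object Workstation, Status |
    Sort-Object Count -Descending |
    ForEach-Object {
        # Group-Object joins the grouped values as "WORKSTATION, 0xc000006a"
        $ws, $st = $_.Name -split ', '
        $why = if ($meaning.ContainsKey($st)) { $meaning[$st] } else { 'see NTSTATUS table' }
        '{0,5}  {1,-20} {2} ({3})' -f $_.Count, $ws, $st, $why
    }
```

An empty Workstation value is normal for requests that arrive over a trust or from some non-Windows NTLM clients, so a blank row does not mean the query is broken; it means 4776 alone cannot name that client.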
ChiIT (Author) commented:
Hi Marwan, my event log does not go back far enough, but I did find the info below as part of the 12294 event. The server itself is listed as the computer; the rest of the info is listed below. Does this help? It says the user is SYSTEM.

[attachment: logfile info]
compdigit44 commented:
So the source of the login is coming from the DC, am I understanding you correctly? On your servers, have you checked all of your services to see if they are running under the administrator account?

ChiIT (Author) commented:
That is correct, it is the DC. I'll have to go through all of the services to see what they are logging in as. Is there any way to tell from the event log what service it might be?
compdigit44 commented:
Have you reviewed the XML info for the event? Could you post it as well, removing any sensitive information of course?
ChiIT (Author) commented:
Attached is the XML. Only the computer name and domain name were changed. The computer name is the server, which is pretty much everything: AD, Exchange, IIS, file and print, etc.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
    <EventID>12294</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-05-31T07:56:43.392979900Z" />
    <EventRecordID>5524104</EventRecordID>
    <Correlation />
    <Execution ProcessID="372" ThreadID="1260" />
    <Channel>System</Channel>
    <Computer>SERVERNAME.domainname.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="SAMMSG_LOCKOUT_NOT_UPDATED">
    <Data Name="UserName">Administrator</Data>
    <Binary>A50200C0</Binary>
  </EventData>
</Event>
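Two things the posted XML does tell you, shown as an added example that is not part of the thread. The Binary element is the "error data" the event text refers to: it is a 32-bit NTSTATUS stored little-endian, so the bytes A5 02 00 C0 read as 0xC00002A5, which is STATUS_DS_BUSY (the directory reported busy when the lockout counter was being written, not a disk failure). The Execution ProcessID and the Security UserID (S-1-5-18, SYSTEM) identify the process that raised the event, and the SAM server runs inside lsass.exe, so they describe the server side of the failed logon, never the client that supplied the password. The NTSTATUS table in the block is assembled here from the public ntstatus.h values; Get-WmiObject is used so the block runs on PowerShell 2.0.

```powershell
# Added example (not from the thread): decode the <Binary> field of the 12294 event
# above and show what the <Execution ProcessID> actually points at.
$binaryHex = 'A50200C0'   # value pasted in the event XML above
$pid12294  = 372          # ProcessID from the event XML above

# Bytes are little-endian; rebuild the DWORD and print it as an NTSTATUS
$bytes = New-Object byte[] ($binaryHex.Length / 2)
for ($i = 0; $i -lt $bytes.Length; $i++) {
    $bytes[$i] = [Convert]::ToByte($binaryHex.Substring(2 * $i, 2), 16)
}
$ntstatus = [BitConverter]::ToUInt32($bytes, 0)
$code = '0x{0:X8}' -f $ntstatus                     # 0xC00002A5 for the value above

# Public ntstatus.h values that show up in 12294 "resource error" data
$known = @{
    '0xC00002A5' = 'STATUS_DS_BUSY: directory busy, lockout counter not written (not a disk fault)'
    '0xC000009A' = 'STATUS_INSUFFICIENT_RESOURCES'
    '0xC0000022' = 'STATUS_ACCESS_DENIED'
    '0xC000000D' = 'STATUS_INVALID_PARAMETER'
}
if ($known.ContainsKey($code)) { "Binary data = $code = $($known[$code])" }
else                           { "Binary data = $code (look up in ntstatus.h)" }

# The PID is only meaningful until the next reboot; confirm it still maps to lsass.exe
Get-Process -Id $pid12294 -ErrorAction SilentlyContinue | Select-Object Id, ProcessName

# Services hosted in that process: on a DC this lists LSA-hosted services such as
# KDC, Netlogon and KeyIso. They are the SAM's neighbours, not the caller.
Get-WmiObject Win32_Service -Filter "ProcessId = $pid12294" |
    Select-Object Name, DisplayName, StartName, State
```

The practical consequence is the one the thread converges on: 12294 says only that Administrator received bad passwords and that the lockout bookkeeping for that account failed; finding who sent them needs 4776/4771 in the Security log or the Netlogon debug log.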
Marwan Osman commented:
Hi Sir

In Task Manager, search the processes for process ID 372; it may be the application which causes the problem.
ChiIT (Author) commented:
372 currently shows lsass.exe, the Local Security Authority process.
Marwan Osman commented:
Is it running without authentication?
ChiIT (Author) commented:
More info, which relates to the following services.

Hard to read in the capture, but it's:

KDC - Kerberos Key Distribution Center
KeyIso - CNG Key Isolation
[attachment: services.PNG]
compdigit44 commented:
Next recommendation is to install Network Monitor on the server and let it run for a couple of minutes, or until the event ID happens, then parse the capture for the time frame of the event ID and see if you see anything suspicious.

BTW, have you changed your admin accounts password recently
Marwan Osman commented:
Stop it and run it again, then see if the event is logged or not.
compdigit44 commented:
Sorry for my response before. As I was typing it, I did not see the replies others posted.
Marwan Osman commented:
Also go to Services under Administrative Tools, sort them by "Log On As" and check the services which are using the credentials.
ChiIT (Author) commented:
The admin password was changed about a year ago. This isn't new per se, just something I'm getting around to looking at, so it's entirely possible that it started happening when I changed the password. That event doesn't happen constantly, so the network monitor would have to run for a while.

Will check on services and see what is using that login credential...
ChiIT (Author) commented:
At the moment, no services are using the administrator credential in Services. Many Local System, network system, etc., but none as Administrator.
compdigit44 commented:
You checked for viruses, correct?

https://support.microsoft.com/en-us/kb/887433
ChiIT (Author) commented:
Correct. Vipre does a deep scan every night, but I also manually kicked off a scan and separately ran Malwarebytes, and everything comes back clean.
compdigit44 commented:
I know SBS has a lot of integrated services... you checked IIS, Exchange, SQL, etc.?

Scheduled task?

Do you remember the old password? Maybe reset it to the old password just to see if it stops the warning, to confirm the password change did cause the warning message, then change the password again and continue to look for the source.
ChiIT (Author) commented:
You are right that SBS has a lot of integrated services... I'll have to go through everything slowly to see. The option of changing back isn't really an option. I thought it might be possible to see from the event log entry what was making the call; sounds like it's not possible, unfortunately.
Marwan Osman commented:
Make sure that there is not a scheduled task running on that server; also check the RDP sessions to this server from Terminal Services and log off the idle sessions.
compdigit44 commented:
Stupid question, but has the server been rebooted since the password change?
ChiIT (Author) commented:
A full virus scan runs weekly; I forced a full scan this week in addition to running Malwarebytes as well, all clean. I'll take a look at the tasks now. And no such thing as a stupid question: yes, rebooted multiple times since. Let me check scheduled tasks and I'll get back to you...
ChiIT (Author) commented:
So I just looked, there are no tasks that seem to fit. The last time I saw that error was on 5-31, and if it was a task, I would have expected to see a last run of 5-31 since it hasn't happened since. I'm starting to think it may be an IIS password issue. When the admin password was changed, I'm pretty sure all of the IIS application pools were not changed. I'm not sure why those would generate that error, but that's the only thing I can think of. I re-looked at the event log and it does say the user making the call is SYSTEM and the account is Administrator.

Besides IIS, can anyone think of any other SYSTEM call on SBS2011 that might be trying to use the admin account?
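The three inventories the thread has asked for so far (services sorted by "Log On As", scheduled tasks, and the IIS application pool identities suspected in the post above) in one pass, as an added example that is not from the thread. The account name pattern is an assumption; schtasks and the WebAdministration module are the stock tools on SBS 2011 (Windows Server 2008 R2 with IIS 7.5), and Get-WmiObject keeps it PowerShell 2.0 compatible.

```powershell
# Added example (not from the thread): find stored credentials for one account in the
# places an SBS box keeps them. Run in an elevated PowerShell on the server.
$pattern = '*Administrator*'   # assumption: adjust if the built-in account was renamed

'--- Services whose logon account matches ---'
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -like $pattern } |
    Select-Object Name, StartName, State, StartMode

'--- Scheduled tasks (all folders) whose Run As User matches ---'
# Verbose CSV output repeats its header row once per task folder; ConvertFrom-Csv turns
# the repeats into rows whose TaskName column literally reads "TaskName", so drop them.
schtasks /query /v /fo CSV |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -like $pattern } |
    Select-Object TaskName, 'Run As User', 'Last Run Time', 'Last Result'

'--- IIS application pools running as a specific user ---'
# Pools using a built-in identity (LocalSystem, NetworkService, ApplicationPoolIdentity)
# hold no password and cannot produce a bad-password event.
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
    Select-Object Name, @{ n = 'UserName'; e = { $_.processModel.userName } }, State
```

Anything this turns up that is set to Administrator and still starts or runs is worth a look, but a stale password in one of these would usually fail every time the task or pool starts, which does not match the intermittent pattern described in the thread; that is the reason the later replies move on to the Netlogon log.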
ChiIT (Author) commented:
A few of the events were logged last night. I just checked the PID (372) and it is currently on these services. Do any of these need the administrator password to authenticate?
[attachment: services.PNG]
Marwan Osman commented:
Restart them and see if the problematic event will be logged or not.
compdigit44 commented:
Have you restarted the server since the last password change? Any SQL job running under the context of the administrator account, or making external connections using this account?
compdigit44 commented:
Have you tried installing Process Monitor to get a better view of what services, files and registry keys are being accessed in real time?

https://technet.microsoft.com/en-us/library/bb896645.aspx
Marwan Osman commented:
Please see the comments in this link:

http://www.eventid.net/display.asp?eventid=12294&eventno=875&source=SAM&phase=1

There are many comments and each one lists a different cause of this issue; please make sure to check every comment.

compdigit44 commented:
Nice post, Marwan Osman.

The comment below in the article may be helpful...


Anonymous
Per a recent call with Microsoft, open the “Netlogon.log” file (in W2K, it is in “C:\WINNT\Debug”). Failed logon attempts will be noted here; look for the Error code 0xC000006A returned, which indicates a bad password. The system named is the one you should focus on as possibly running a service that is attempting to use an incorrect password to start. In our case, Dell IT Assistant was using a bad administrator password, and every status poll was generating a SAM error.
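A parser for the Netlogon debug log the quoted comment points at, as an added example that is not part of the thread. On Windows Server 2008 R2 the log is enabled with `nltest /dbflag:0x2080ffff` (and turned back off with `nltest /dbflag:0x0`) and is written to %windir%\debug\netlogon.log; each validation produces a "SamLogon: ... logon of DOMAIN\user from CLIENT ... Returns 0x..." line, where CLIENT is the machine that submitted the credentials. The sample lines in the block are constructed to match that shape and are not real data; the domain and host names in them are invented.

```powershell
# Added example (not from the thread): summarise failed logons in netlogon.log by
# account, source client and NTSTATUS so the machine sending the bad password stands out.
# Constructed sample lines (not real log data); swap in the real file for a live run.
$sample = @'
05/31 07:56:43 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\Administrator from WKS-FINANCE Entered
05/31 07:56:43 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\Administrator from WKS-FINANCE Returns 0xC000006A
05/31 07:56:44 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-SALES Returns 0x0
05/31 07:57:10 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Administrator from MON-SRV (via SERVERNAME) Returns 0xC000006A
05/31 07:57:11 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\Administrator from MON-SRV Returns 0xC000006A
'@ -split "`r?`n"

$lines = $sample
# Live run on the DC after nltest /dbflag:0x2080ffff has been active for a while:
# $lines = Get-Content "$env:windir\debug\netlogon.log"

# Well-known NTSTATUS values returned by SamLogon
$status = @{
    '0xC000006A' = 'wrong password'
    '0xC0000064' = 'no such user'
    '0xC0000234' = 'account locked out'
    '0xC0000072' = 'account disabled'
}

# "Entered" lines are the start of a validation and carry no result; only "Returns" lines count.
$rx = 'SamLogon: .*? logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?<from>\S+).*Returns (?<code>0x[0-9A-Fa-f]+)'

$lines |
    ForEach-Object {
        if ($_ -match $rx) {
            New-Object PSObject -Property @{
                User = "$($Matches.dom)\$($Matches.user)"
                From = $Matches.from
                Code = '0x' + $Matches.code.Substring(2).ToUpper()   # normalise case for the lookup
            }
        }
    } |
    Where-Object { $_.Code -ne '0x0' } |
    Group-Object User, From, Code |
    Sort-Object Count -Descending |
    ForEach-Object {
        $u, $f, $c = $_.Name -split ', '
        $why = if ($status.ContainsKey($c)) { $status[$c] } else { 'unknown' }
        '{0,4} x {1,-25} from {2,-15} {3} ({4})' -f $_.Count, $u, $f, $c, $why
    }
```

With the constructed input the top line is 2 x CONTOSO\Administrator from MON-SRV with 0xC000006A, which is the shape of the Dell IT Assistant case in the quoted comment: a monitoring host polling with a stale password. The debug flag is verbose and the log rolls over at its size limit, so leave it on only long enough to catch the next 12294.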
ChiIT (Author) commented:
Quick update: logging to Netlogon was not enabled. I enabled the logging and am waiting for the next event. There has not been one since 6/8. As soon as one gets logged I'll take a look at the .log file and report back.
compdigit44 commented:
Thanks for the update.
Marwan Osman commented:
Thank you.
ChiIT (Author) commented:
Hi all, no new events since 6-8. I'd like to leave this open for another day or so to see if it pops up; if not, I'll close this and reopen if additional help is needed.
ChiIT (Author) commented:
I'm going to go ahead and close this. It hasn't happened since the 8th. I have enabled the log file and feel that will allow me to pinpoint what's using that login when it does happen. Thanks for the input, everyone.