Workgroup Share Audit Failure : Unknown user name of bad password

vernaldrich
vernaldrich used Ask the Experts™
on
I have a large windows 10 workgroup with one of the machines sharing files.  The user accounts on the local workstations are replicated on the "server", but with different passwords.  There are shares set up on the Win 10 "server" and Everyone is given Full Control. The user accounts local to the server are given permissions to the shared folders' acl using NTFS. Shares on the "server" are mapped to the local machines using different credentials.  
All has been well for a very long time.
Recently, an individual has started getting logon failures that seemed to have begun when her password was changed both on her workstation, and on the server,  (this has been successfully done to a couple of others so far) then the mapped drives were disconnected and re-created using the new different credentials.
The first time the errors started occurring, I verified settings on the server, went to the workstation, and repeated the process carefully, drives mapped correctly, restarted the machine, logged on to see drive mappings still there, opened a few folders on each drive, and then checked the security logs on the "server" again, SUCCESS all around. TGIF!
Then comes Monday, and the Security log is inundated again.
I've gone through this scenario twice.  The user involved is able to access files on the share, but at very slow speeds.
The Event ID is 4625 and the logon is incrementing the source port by one in each successive attempt.
I have Webroot monitoring the machines, so I don't believe it's malicious.  What's the best course of action for tracking this down?  
This is the Event xml code from a single Audit Failure:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-23T14:44:44.091375800Z" />
    <EventRecordID>100297783</EventRecordID>
    <Correlation ActivityID="{9dd5667a-b6c5-0001-8866-d59dc5b6d501}" />
    <Execution ProcessID="716" ThreadID="764" />
    <Channel>Security</Channel>
    <Computer>”Server”</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">User Name</Data>
    <Data Name="TargetDomainName">USER-PC</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">USER-PC</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.2.97</Data>
    <Data Name="IpPort">61707</Data>
  </EventData>
</Event>
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
network engineer
Commented:
I believe I found the solution:

This Event is usually caused by a stale hidden credential.

From a command prompt run: psexec -i -s -d cmd.exe
From the new cmd window run: rundll32 keymgr.dll,KRShowKeyMgr

Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial