Failed Logons hammering Workgroup file server (Win 10)

vernaldrich
I need to know a process for isolating the source (process or application) that is generating thousands of failed logons (Event ID 4625) per minute on a Win 10 workgroup file server. Within 10 - 30 minutes of logging onto a Win 10 workstation, the account used by the logged-on user's profile to log on to the workgroup file server starts generating failed logons (see details of Event 4624 at end). The fails don't start immediately. There are 2 network drives mapped to the file server using the same credentials and both work perfectly. Office 365 is installed using online Exchange. I've reinstalled Office365, remapped her network drives, and deleted stale credentials from the workstation; nothing seems to help. I moved her to a laptop and installed Office365 there, mapped the drives, and the errors have stopped. Does anyone have a clear process for isolating the source of these errors?

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:           renee aldrich
      Account Domain:            RENEE-PC

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xC000006D
      Sub Status:            0xC000006A

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      RENEE-PC
      Source Network Address:      192.168.2.97
      Source Port:            50414

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Paul MacDonald, Director, Information Systems

Commented:
I'd log in as a different user to see if that had an effect.  I might boot into Safe Mode for the same reason.

Wireshark may give you some information about the source of the traffic too. https://www.wireshark.org/
vernaldrich, network engineer

Author

Commented:
Thanks Paul. Logging in as a different user does have an effect; the logon attempts stop. So it's definitely something associated with the specific user profile. I've completely removed and reinstalled Office365, so there are no underlying processes there.
Wireshark is where I'm going next. I hope it's intuitive... Can I run Wireshark on the machine that's generating the logon attempts?
Director, Information Systems
Commented:
If you rename the extant profile, and have the user log in and create a new one, does the problem persist?

Yes, you can run Wireshark at either end. It may or may not pinpoint the application that's causing the problem, but it can help make sure you've addressed the issue.

vernaldrich, network engineer

Author

Commented:
Yes. The 4625 Events stopped with a new profile creation. I've worked out the Office 365 installation and am planning to move the user's files over: docs, favorites, etc. Any cautionary advice before I begin, Paul? I don't plan to move any known executables or the NTUSER files.
Thanks for your help.
Paul MacDonald, Director, Information Systems

Commented:
I would check periodically, as you move applications from one profile to the other, to see if the problem crops up again.  Other than that, there's no penalty for creating and using the new profile.  You don't even have to get rid of the old one any time soon, in case you want to revisit the problem again to troubleshoot it.

Always happy to help.
vernaldrich, network engineer

Author

Commented:
Got it.  Godspeed.
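
One way to run the periodic check suggested in this thread, as an added example that is not part of the original posts: it tallies recent 4625 events on the file server by the fields shown in the posted event and by minute, so a returning burst is visible after each item is moved into the new profile. The function name, the 30-minute window and the short sub status table are assumptions of this example.

```powershell
# Added example (not from the thread). Run elevated on the file server that logs the 4625s.
$Minutes = 30   # look-back window; assumed value

# A few NTSTATUS sub status values seen in 4625 (0xC000006A is the one in the posted event)
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'bad password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

function ConvertFrom-FailedLogon {
    # Hypothetical helper: flattens one 4625 record into the fields shown in the post.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        # EventData is a list of <Data Name="...">value</Data> elements
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $sub = "$($data['SubStatus'])".ToLower()
        $subText = $sub
        if ($SubStatusText.ContainsKey($sub)) { $subText = "$sub ($($SubStatusText[$sub]))" }
        [pscustomobject]@{
            Minute      = $Record.TimeCreated.ToString('yyyy-MM-dd HH:mm')
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
            SubStatus   = $subText
        }
    }
}

$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes)
} -ErrorAction SilentlyContinue | ConvertFrom-FailedLogon

# Which account is failing, from which workstation and address, and why
$failed | Group-Object Account, Workstation, SourceIp, LogonType, AuthPackage, SubStatus |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize -Wrap

# Failures per minute: shows when a burst starts after logon and whether it has stopped
$failed | Group-Object Minute | Sort-Object Name | Format-Table Name, Count -AutoSize
```

For a network logon (Logon Type 3) the server records no caller process, as in the posted event, so this narrows the source to an account and client machine rather than to an application on that client.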
