NAZ1000

Tracing Windows Server logon attempts

A Windows 2008 R2 Server (due for imminent replacement) is generating failed logon attempt events for the administrator account multiple times per second (event ID 4776).

Any way I can find out what's causing this? Is there malware on the LAN?

I've temporarily tried disabling the administrator account, but the events are still appearing.


The computer attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    administrator
Source Workstation:    
Error Code:    0xc000006a


Last Comment: NAZ1000, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Dr. Klahn

NAZ1000

ASKER
Thank you for the quick response - I've just tried this but I'm unsure what I'm looking for? 10.0.1.5 is the server. Should I kill any of the processes? (No users are working at present.)


arnold

What is the logon type?

Disable TeamViewer and see if the event goes away, to confirm.
NAZ1000

ASKER
I've killed TeamViewer and the event is still occurring - here are the details of one (administrator account currently disabled):

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          02/10/2021 10:44:24
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      (REMOVED).local
Description:
The computer attempted to validate the credentials for an account.

Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:   administrator
Source Workstation:   
Error Code:   0xc000006a
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2021-10-02T09:44:24.064686400Z" />
    <EventRecordID>288905669</EventRecordID>
    <Correlation />
    <Execution ProcessID="484" ThreadID="7628" />
    <Channel>Security</Channel>
    <Computer>(REMOVED).local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="Workstation">
    </Data>
    <Data Name="Status">0xc000006a</Data>
  </EventData>
</Event>
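As an added example (not code from the thread or from any of its participants), a small Python script that parses 4776 records in the Event XML schema pasted above and groups the failures by account, source workstation and status, flagging any account that is hit several times within one second, which is the pattern described in the question. The sample records are constructed; the PID, timestamps and status code mirror the record above, the "jsmith"/"WS-FINANCE01" record is invented for contrast.

```python
"""Aggregate Windows 4776 credential-validation failures from Event XML in the
schema pasted in the thread. Added example; the sample records are constructed."""
from collections import Counter
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Well-known NTSTATUS values that appear in the Status field of 4776.
STATUS = {"0xc000006a": "bad password", "0xc0000064": "no such user",
          "0xc0000234": "account locked out", "0xc0000072": "account disabled"}

def parse_4776(xml_text):
    """Pull out the fields a defender triages from one event record."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.find("e:EventData", NS)}
    ts = sysnode.find("e:TimeCreated", NS).get("SystemTime")
    return {
        "event_id": int(sysnode.find("e:EventID", NS).text),
        "time": datetime.strptime(ts[:26], "%Y-%m-%dT%H:%M:%S.%f"),
        "pid": int(sysnode.find("e:Execution", NS).get("ProcessID")),
        "account": data.get("TargetUserName", "").lower(),
        "workstation": data.get("Workstation", "") or "<empty>",
        "status": STATUS.get(data.get("Status", "").lower(), data.get("Status")),
    }

def summarize(records, burst_per_sec=3):
    """Group failures; flag accounts hit >= burst_per_sec times within one second."""
    parsed = [p for p in map(parse_4776, records) if p["event_id"] == 4776]
    groups = Counter((p["account"], p["workstation"], p["status"]) for p in parsed)
    per_sec = Counter((p["account"], p["time"].replace(microsecond=0)) for p in parsed)
    bursts = {acct for (acct, _), n in per_sec.items() if n >= burst_per_sec}
    return {"groups": dict(groups), "bursts": sorted(bursts),
            "pids": sorted({p["pid"] for p in parsed})}

# Constructed records in the thread's schema: four bad-password attempts on
# "administrator" with an empty Workstation in one second, plus one ordinary typo.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4776</EventID>
  <TimeCreated SystemTime="{ts}"/><Execution ProcessID="484" ThreadID="7628"/>
  <Channel>Security</Channel></System>
 <EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
  <Data Name="TargetUserName">{user}</Data><Data Name="Workstation">{ws}</Data>
  <Data Name="Status">{status}</Data></EventData></Event>"""
SAMPLE = [TEMPLATE.format(ts=f"2021-10-02T09:44:24.{i}00000000Z", user="administrator",
                          ws="", status="0xc000006a") for i in range(4)]
SAMPLE.append(TEMPLATE.format(ts="2021-10-02T09:44:25.100000000Z", user="jsmith",
                              ws="WS-FINANCE01", status="0xc000006a"))
```

Feed `summarize()` the `Event Xml` text of exported records (for example from an .evtx export) and the empty-Workstation groups plus the burst list show which account is being hammered and at what rate, while the PID set tells you which process logged them.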
arnold

I might be misreading, but what process has ID 484?
NAZ1000

ASKER
I didn't spot that - so all the event log messages do relate to PID 484 (unsure why TCPView colours some in yellow / red)