RE: Logon audit

---

• From: Gene Laisne <glaisne@xxxxxx>
• Date: Fri, 9 Jun 2006 10:19:37 -0400

---

Hi,

The 680 ID is a successful authentication using NTLM.

Here are some useful links:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monito
r/logevnts.mspx
http://www.windowsecurity.com/pages/article_p.asp?id=1363
http://www.ultimatewindowssecurity.com/encyclopedia.html

--Gene

-----Original Message-----
From: nemanja.janic@xxxxxxxxx [mailto:nemanja.janic@xxxxxxxxx]
Sent: Friday, June 09, 2006 3:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Logon audit

Hello list,
i need some help with interpreting what i see. I have Logon Failure Audit
turned on on several machines in my system (all Win XP pro), and i keep
getting this:
"
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: <username>
Source Workstation: <stationname>
Error Code: 0xC000006E

Type stated is Failure Audit, Event ID is 680.
"

Username and workstation vary from machine to machine.

Now my question is, what is that Event ID680? I am sure that no users are
trying to logon to mentioned machines, and that there is no shared-folder
accessing going on. I tried to find answers all over the web, but to no
avail as of yet.
Is is a worm/virus of some sort? Or another win intricacy?

--------------------------------------------------------------------------
-
--------------------------------------------------------------------------
-

---------------------------------------------------------------------------
---------------------------------------------------------------------------

---

• References:
  • Logon audit
    • From: nemanja . janic

• Prev by Date: Logon audit
• Next by Date: Logon audit
• Previous by thread: Logon audit
• Next by thread: Re: Logon audit
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Benutzerkonten oft gesperrt !!! ... Wie heißt auf deutsch "account logon events" und "logon events"? ... Configuring Audit Policy ... you don't use User Manager to enable auditing in Win2K. ... (microsoft.public.de.german.win2000.active_directory) RE: find on which computer is connected a user ... i dones'nt want if possible to enable Audit Logon Events ... You may try to enable the policy "Audit Logon Events" and then audit the ... Limit concurrent connections per user. ... (microsoft.public.windows.server.general) RE: find on which computer is connected a user ... You may try to enable the policy "Audit Logon Events" and then audit the ... Write events to the event log of a specified server concerning the status ... (microsoft.public.windows.server.general) Re: Event viewer- security log ... If you configure an audit policy to audit successful logon and logoff ... Successful Network Logon ... I looked at it and it look like it is recording everybody ... (microsoft.public.windowsxp.security_admin) RE: how can I see when the last time it was when a computer loged on ... You can try to enable the policy "Audit logon events" and then we can audit ... Events->Select Success and Failure. ... (microsoft.public.windows.server.sbs)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ms  > 2006-06