RE: Logon audit

In this case 680 is an NTLM v1 Logon failure, the status code from
ntstatus.h on an XP Pro box indicates-

# for hex 0xc000006e / decimal -1073741714 :
# Indicates a referenced user name and authentication
# information are valid, but some user account restriction
# has prevented successful authentication (such as
# time-of-day restrictions).

This can also be caused by user right (or privilege) restrictions IIRC,
such as a user trying to logon locally (or over the network) that does
not have that right or has it denied, "Access this computer from the
network" right is denied, that kind of thing.


-----Original Message-----
From: nemanja.janic@xxxxxxxxx [mailto:nemanja.janic@xxxxxxxxx]
Sent: Friday, June 09, 2006 12:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Logon audit

Hello list,

i need some help with interpreting what i see. I have Logon Failure
Audit turned on on several machines in my system (all Win XP pro), and i
keep getting this:



Logon account: <username>

Source Workstation: <stationname>

Error Code: 0xC000006E

Type stated is Failure Audit, Event ID is 680.


Username and workstation vary from machine to machine.

Now my question is, what is that Event ID680? I am sure that no users
are trying to logon to mentioned machines, and that there is no
shared-folder accessing going on. I tried to find answers all over the
web, but to no avail as of yet.

Is is a worm/virus of some sort? Or another win intricacy?