Re: event IDs 681, 529 and error code 3221225572

From: Eric Fitzgerald [MSFT] (
Date: 03/05/03

From: "Eric Fitzgerald [MSFT]" <>
Date: Tue, 4 Mar 2003 16:36:40 -0800

I have been working with Evginy offline, but I wanted to address one issue
publicly as well:

The audit log does not convey intent. That is to say, it's rare that you
can look at the log (even rarer when looking at a single event out of the
context of the log) and say "That's a hacker".

The system will record the same event when the password doesn't match,
regardless of whether it's a hacker or a bad typist at the other end of the
connection- they system can't tell the difference.

You can sometimes deduce the intent (10 thousand bad password attempts vs.
Administrator in one minute is above any reasonable retry threshold), but
sometimes not (is one bad logon attempt per hour a hacker or is it a
scheduled process with bad credentials?).

Some rules of thumb:

1) Ignore single bad password events. If it only happens once, it's
probably not worth investigating.
2) When examining logon failures, go to the workstation that is generating
the bad requests and look for something there, particularly a service.
3) Don't assume it's a hacker until you rule out everything else.


Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"EAK" <> wrote in message
> Dear Eric Fitzgerald and others who responded to audit
> questions,
> On many threads you have explained about event IDs 681,
> 529 and error code 3221225572, e.g.:
> "681 is a failure event (account logon failure) in
> the "Account Logon"
> category of audits- it's generated when a security package
> authenticates
> your credentials.  This occurs on the machine
> authoritative for the account
> being used- the local machine in the case of local
> accounts ..."
> This is all good, but I noticed that you MS guys never
> answer main question asked by hundreds of people: is it a
> security problem? Is it a hacking? Shall we worry? What
> shall be done, if anything?
> My problem is similar to others: on my W2k Pro workstation
> I receive dozens logon failure audits per day about logon
> attempts onto my machine's "default" account (does not
> exist on my machine) from several workstations on our LAN,
> and even from outsiders, with the event IDs 681, 529 and
> error code 3221225572. It happens even over night, when
> nobody is present and I am logged off. Two machines do it
> much more often than others (both are Win ME). I checked
> one  - it is not infected. Could you please explain in
> plain, user-friendly terms - what these logons mean in
> terms of security? Norma or hacking attacks? Shell we do
> something about it? How to stop it?
> Please answer to my e-mail in addition to posting in
> threads - I may miss it there.
> Thank you in advance,

Relevant Pages

  • Re: Audit: Account Logon Vs. Logon Events
    ... "Account Logon" events correspond to credential validation- when a machine ... > Determines whether to audit each instance of a user logging on, ... > unchecking Success and Failure. ...
  • Re: You are not authorized to view this page
    ... AUTHORITY\SYSTEM BAY18 "Logon Failure: ... Logon Process: Kerberos ... Caller User Name: - ...
  • Re: auditing logons - someone please clear this #@#$! up.
    ... Probably the best short explanation I have heard is that "account logon" ... domain controller that authenticates the user while "logon" events will be ... security log of the domain computer [assuming auditing of "logon" events is ...
  • Re: MSExchangeSA errors
    ... Well of course there are logon failures on the exchange server, ... > Please check if there are some Logon Failure auditing events in the ... > in the Local Computer Policy or the Default Domain Policy. ...
  • Re: MSExchangeSA errors
    ... Well of course there are logon failures on the exchange server, ... Please check if there are some Logon Failure auditing events in the ... The user has not been granted the requested logon type at this ...