Re: Logon Attempt Failed (Security Log)

From: Johnb (anonymous_at_discussions.microsoft.com)
Date: 05/24/04 

Date: Mon, 24 May 2004 12:11:25 -0700

The ERROR window displays:
Date 5/24/04 Source Security
Time ..... Category Account Logon
Type Failure Event ID: 681
User NT Authority\System
Computer S.....
Description
Logon Failure
      Reason: Unknown user name or password
      User Name: M.....
      Domain: DTN
      Logon Type: 3
      Logon Process: NtLmSsp
      Aut...Package: NTLM
Thanks,
Johnb

>-----Original Message-----
>
>>-----Original Message-----
>>What is the exact content of the failure audits that you
>get in the event
>>log?
>>--
>>Regards,
>>Adrian Grigorof
>>www.eventid.net
>>Event Log UnDump: http://www.altairtech.ca/elundump/
>>
>>"Johnb" <anonymous@discussions.microsoft.com> wrote in
>message
>>news:1160f01c441b1$17d5f050$a301280a@phx.gbl...
>>> I need help.
>>> About 4 to 5 'Failed logon attempts' a day have been
>>> logged on my computer for the last three weeks. The
>event
>>> identifies the workstation within our LAN that is
>>> attempting the logon. However, the event is logged
even
>>> when that person is not present. I suspect a virus of
>>> some kind but regular weekly scans have not detected
>any.
>>> I have kept the virus files (Norton) updated on a daily
>>> basis.
>>> How do I identify what is causing the logon attempts
and
>>> more importantly, how do I correct it.
>>>
>>>
>>
>>
>>.
>>The windows displays:
>Date 5/24/04 Source Security
>Time ..... Category Account Logon
>Type Failure Event ID: 681
>User NT Authority\System
>Computer S.....
>Description
>Logon Failure
> Reason: Unknown user name or password
> User Name: M.....
> Domain: DTN
> Logon Type: 3
> Logon Process: NtLmSsp
> Aut...Package: NTLM
>
>.
>

Relevant Pages

  • Re: Audit: Account Logon Vs. Logon Events
    ... "Account Logon" events correspond to credential validation- when a machine ... > Determines whether to audit each instance of a user logging on, ... > unchecking Success and Failure. ...
    (microsoft.public.win2000.security)
  • Re: auditing logons - someone please clear this #@#$! up.
    ... Probably the best short explanation I have heard is that "account logon" ... domain controller that authenticates the user while "logon" events will be ... security log of the domain computer [assuming auditing of "logon" events is ...
    (microsoft.public.win2000.security)
  • Re: auditing logons - someone please clear this #@#$! up.
    ... > Probably the best short explanation I have heard is that "account logon" ... > "logon" events are created where the account is used. ... > domain controller that authenticates the user while "logon" events will be ... > security log of a domain controller that is usually showing not that the ...
    (microsoft.public.win2000.security)
  • Re: event IDs 681, 529 and error code 3221225572
    ... context of the log) and say "That's a hacker". ... When examining logon failures, go to the workstation that is generating ... > the "Account Logon" ... > I receive dozens logon failure audits per day about logon ...
    (microsoft.public.win2000.security)
  • Re: Question About Auditing
    ... (wink, wink, hint, hint, clue, clue) ... >> log onto the network from a server or workstation it is a loggon, ... >> you log at a DC it is a Account logon. ...
    (microsoft.public.cert.exam.mcse)