unknown failure audits with logon process advapi

From: mcwe_admin (mcweadmin_at_discussions.microsoft.com)
Date: 05/06/05


Date: Fri, 6 May 2005 09:42:02 -0700

I get many of the following failure audits in the security logs:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/6/2005
Time: 8:04:53 AM
User: NT AUTHORITY\SYSTEM
Computer: DELL_SERVER
Description:
Logon Failure:
         Reason: Unknown user name or bad password
         User
Name: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
         Domain: DELL_SERVER
         Logon Type: 2
         Logon Process: Advapi
         Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name: DELL_SERVER

I am not sure if this is a virus?

Thanks for any reply.



Relevant Pages

  • Re: Failure Audits 529 & 680: How to track the IP address?
    ... I get Failure Audits from users out in ... >> - Logon failure auditing is enabled. ... >> despite the fact that the machine is using a local account. ... >> Security Event 529 Is Logged for Local User Accounts ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Failure Audits 529 & 680: How to track the IP address?
    ... I get Failure Audits from users out in the ... > - Logon failure auditing is enabled. ... > despite the fact that the machine is using a local account. ... > Security Event 529 Is Logged for Local User Accounts ...
    (microsoft.public.windowsxp.security_admin)
  • Security event id 537
    ... We have about 7,000 of these failure audits ... in our Security Log. ... Logon Failure: ... Workstation Name: ...
    (microsoft.public.windows.server.sbs)