RE: unknown failure audits with logon process advapi

From: MikeH (MikeH_at_discussions.microsoft.com)
Date: 06/15/05

  • Next message: UnderAttack?: "Messager Service Pop-up Dialogs"
    Date: Wed, 15 Jun 2005 07:26:09 -0700
    
    

    Based on the event entry, it looks like you have a program/process running
    under the network service account (or local system) and is attempting to
    logon using the advapi.dll LogonUser call.

    I know it's been a while since you posted this, but hopefully you resolved
    it. Just in case, I thought I'd point this out. I've been working on an
    ASP.Net application that uses the DLL for user login via a web application.
    Generally, you would want this web application running as a specific account
    - not the local system or network service accounts. That way you can more
    succinctly identify entries like the one you've posted.

    HTH...

    "mcwe_admin" wrote:

    > I get many of the following failure audits in the security logs:
    >
    > Event Type: Failure Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 529
    > Date: 5/6/2005
    > Time: 8:04:53 AM
    > User: NT AUTHORITY\SYSTEM
    > Computer: DELL_SERVER
    > Description:
    > Logon Failure:
    > Reason: Unknown user name or bad password
    > User
    > Name: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
    > Domain: DELL_SERVER
    > Logon Type: 2
    > Logon Process: Advapi
    > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > Workstation Name: DELL_SERVER
    >
    > I am not sure if this is a virus?
    >
    > Thanks for any reply.


  • Next message: UnderAttack?: "Messager Service Pop-up Dialogs"