RE: unknown failure audits with logon process advapi

• Previous message: Damian Jones: "Re: File/directory permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 15 Jun 2005 07:26:09 -0700

Based on the event entry, it looks like you have a program/process running
under the network service account (or local system) and is attempting to
logon using the advapi.dll LogonUser call.

I know it's been a while since you posted this, but hopefully you resolved
it. Just in case, I thought I'd point this out. I've been working on an
ASP.Net application that uses the DLL for user login via a web application.
Generally, you would want this web application running as a specific account
- not the local system or network service accounts. That way you can more
succinctly identify entries like the one you've posted.

HTH...

"mcwe_admin" wrote:

> I get many of the following failure audits in the security logs:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 5/6/2005
> Time: 8:04:53 AM
> User: NT AUTHORITY\SYSTEM
> Computer: DELL_SERVER
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User
> Name: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
> Domain: DELL_SERVER
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: DELL_SERVER
>
> I am not sure if this is a virus?
>
> Thanks for any reply.

• Previous message: Damian Jones: "Re: File/directory permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]