RE: unknown failure audits with logon process advapi
From: MikeH (MikeH_at_discussions.microsoft.com)
Date: Wed, 15 Jun 2005 07:26:09 -0700
Based on the event entry, it looks like you have a program/process running
under the network service account (or local system) that is attempting to
log on using the advapi.dll LogonUser call.
I know it's been a while since you posted this, but hopefully you resolved
it. Just in case, I thought I'd point this out. I've been working on an
ASP.Net application that uses the DLL for user login via a web application.
Generally, you would want this web application running as a specific account
- not the local system or network service accounts. That way you can more
succinctly identify entries like the one you've posted.
> I get many of the following failure audits in the security logs:
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 5/6/2005
> Time: 8:04:53 AM
> User: NT AUTHORITY\SYSTEM
> Computer: DELL_SERVER
> Logon Failure:
> Reason: Unknown user name or bad password
> Name: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
> Domain: DELL_SERVER
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: DELL_SERVER
> I am not sure if this is a virus?
> Thanks for any reply.
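
Added example, not part of the original thread: a small triage script that applies the reply's reasoning to event 529 records exported as "Key: value" text like the entry quoted above. The sample events, the SHARED_ACCOUNTS set and the function names are constructed for illustration.

```python
import re

# Constructed sample in the text layout of the event quoted in the thread.
SAMPLE = """\
Event ID: 529
User: NT AUTHORITY\\SYSTEM
Name: \xff\xff\xff\xff\xff\xff\xff\xff
Logon Type: 2
Logon Process: Advapi
Workstation Name: DELL_SERVER

Event ID: 529
User: NT AUTHORITY\\SYSTEM
Name: jsmith
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: WKSTN01
"""

# Assumption: built-in accounts that many services share, which makes the
# calling program hard to identify from the event alone.
SHARED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE"}

def parse_events(text):
    """Split on blank lines and turn 'Key: value' lines into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def triage(event):
    """Return review notes for one 529 failure audit; empty list for other events."""
    if event.get("Event ID") != "529":
        return []
    notes = []
    if event.get("Logon Process", "").lower() == "advapi":
        notes.append("logon process Advapi (LogonUser call, per the reply)")
    if event.get("User", "").upper() in SHARED_ACCOUNTS:
        notes.append("caller runs as a shared built-in account")
    name = event.get("Name", "")
    if name and not all(c.isascii() and c.isprintable() for c in name):
        notes.append("user name is not printable ASCII")
    return notes

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(repr(ev.get("Name")), triage(ev))
```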