Windows Logon Failure Investigation

The following Event ID's indicate that a logon failed:

Event ID 529 : Unknown user name or bad password

Event ID 530 : Logon time restriction violation

Event ID 531 : Account disabled

Event ID 532 : Account expired

Event ID 533 : Workstation restriction - not allowed to logon at this computer

Event ID 534 : Inadequate rights - as in user account attempting console login to server

Event ID 535 : Password expired

Event ID 536 : NetLogon service down

Event ID 537 : unexpected error - the who knows ??? factor

Event ID 539 : Logon Failure: Account locked out

Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password

Event ID 644 : User account Locked out

You should watch for events 529, 539 and 644. Event ID 529 entries can have various "Logon Types":

2 – Interactive - A user logged on to this computer at the console.
3 - Network - A user or computer logged on to this computer from the network.
4 - Batch - Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
5 - Service - A service was started by the Service Control Manager.
7 – Unlock - This workstation was unlocked.
8 - NetworkCleartext - A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
9 – NewCredentials -A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10 – RemoteInteractive - A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11 – CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Event ID 529 will also have a process ID that can be used to find the program that passed on the logon attempt. Use the Task Manager (ctrl+alt+delete then select Task Manager, or if logged in remotely, Start / Windows Security) to lookup the name of the process, from the "Processes" tab, select View / Select Columns and check "PID (Process Identifier)" then click ok.

With Event ID 529, Logon Type 3, and a PID that turns out to be inetinfo.exe, the error was probably caused by an attempt to log in to the server via the remote web workspace, Outlook web access, etc... The web access log may have more information including the IP address of the attacker.

With Event ID 529, Logon Type 3, and a PID that turns out to be advapi it was(apparently) an attempt to log in via SMTP and relay email ^. The SMTP service can be set to log detailed events, which will include the IP address of the attacker. +

file: /techref/os/win/logonfailure.htm, 3KB, , updated: 2008/2/25 09:11, local time: 2009/11/21 09:17, owner: JMN-EFP-786,

^{38.107.191.101:LOG IN}

©2009 These pages are served without commercial sponsorship. (No popup ads, etc...).Bandwidth abuse increases hosting cost forcing sponsorship or shutdown. This server aggressively defends against automated copying for any reason including offline viewing, duplication, etc... Please respect this requirement and DO NOT RIP THIS SITE. Questions?
Please DO link to this page! Digg it!
<A HREF="http://piclist.com/techref/os/win/logonfailure.htm"> Windows Logon Failure Investigation</A>

Did you find what you needed?

"No. I'm looking for: "
"No. Take me to the search page."
"No. Take me to the top so I can drill down by catagory"
"No. I'm willing to pay for help, please refer me to a qualified consultant"
"No. But I'm interested. me at when this page is expanded."

PICList 2009 contributors:
o List host: MIT, Site host massmind.org, Top posters @20091121 olin piclist, solarwind, Vitaliy, Tamas Rudnai, Jinx, cdb, Xiaofan Chen, Alan B. Pearce, Gerhard Fiedler, JonnyMac,
* Page Editors: James Newton, David Cary, and YOU!
* Roman Black of Black Robotics donates from sales of Linistep stepper controller kits.
* Ashley Roll of Digital Nemesis donates from sales of RCL-1 RS232 to TTL converters.
* Monthly Subscribers: Shultz Electronics, Timothy Weber, on-going support is MOST appreciated!
* Contributors: Richard Seriani, Sr.