S
Stephen Walker
I have a puzzle with one of my machines.
This PC has been having trouble with the security event log getting full,
and I've had to increase it to 8Mb just to cope.
I am getting these events logged at a rate of about 6 every two minutes:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 09/12/2004
Time: 11:01:35
User: NT AUTHORITY\SYSTEM
Computer: STEVEW
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
With no username, domain or workstation name it is hard to track what is
causing these errors.
I have tried scanning for viruses/malware, shutting down every process and
service I can think of, even logging the machine off, but the events
continue to be logged. A packet capture shows that the PC is chatting to a
domain controller at the time that the events are logged, but I can't see
why this keeps happening.
This is an XP SP2 machine on a small domain.
Has anyone else seen this type of behaviour or have any ideas to
troubleshoot it?
Stephen
This PC has been having trouble with the security event log getting full,
and I've had to increase it to 8Mb just to cope.
I am getting these events logged at a rate of about 6 every two minutes:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 09/12/2004
Time: 11:01:35
User: NT AUTHORITY\SYSTEM
Computer: STEVEW
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
With no username, domain or workstation name it is hard to track what is
causing these errors.
I have tried scanning for viruses/malware, shutting down every process and
service I can think of, even logging the machine off, but the events
continue to be logged. A packet capture shows that the PC is chatting to a
domain controller at the time that the events are logged, but I can't see
why this keeps happening.
This is an XP SP2 machine on a small domain.
Has anyone else seen this type of behaviour or have any ideas to
troubleshoot it?
Stephen