W2k pro: failed login attempt is performed automatically upon start-up (how to stop?)

Joe

This is a new install of w2k pro. The behavior being experienced
started happening after installing some additional components from the
office and w2k option packs (IIS, etc).

Behavior: Upon startup, a logon window appears with "user name:
administrator" and "password: ******* " appearing in the window. A
message window quickly appears over the logon window stating "The
system could not log you on. Make sure your user name and domain are
correct, then type your password again." [ok]

After clicking [ok], the message window disappears, and the logon
window becomes the active window. The "*******" appearing after
"Password:" disappears, replaced with a blinking cursor. I then hit
return, and the logon resumes normally.

Under "Users and Passwords" the box "Users must enter a user name and
password to use this computer" is NOT checked. During W2K
installation no password was entered during any login attempt.

Event Log (security) shows 2 failure events followed by a Successful
event. The two failed events are (in order they occurred):

1) Category: Account Logon
Event ID: 681
User: NT Authority\System
Description: The Logon to account: Administrator by:
Microsoft_authentication_package_v1_0 from workstation
(name) failed. The error code was 3221225578

2) Category: Logon/Logoff
Event ID: 529
User: NT Authority\system
Description: Logon Failure.
Reason: Unknown user name or bad password
User Name: Administrator
Domain: (name)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name (name)


I have disabled many services (one or two at a time) to see if I could
localize the service causing these errors. I am down to about 20
running processes, and the above errors persist.

What service or application or setting is mis-configured during system
startup that could be causing this behavior? What exactly can I do to
determine the cause of this behavior?

Thanks for any tips.
 

John Thow

Hi,

JSI have instructions on registry edits to _enable_ autologon. See:-

http://www.jsiinc.com/reghack.htm#Tip Index

Tips 0004 & 3448.

These will point you at the registry values that enable autologon. In your
case, setting numeric values to 0 (zero) if they are set to 1 should stop the
autologon attempts.

HTH

--
John Thow
an optimist is a guy/ that has never had/ much experience -
certain maxims of archie; Don Marquis.

To e-mail me, replace the DOTs in the Reply-To: address with dots!
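
An added example, not part of any post in this thread: the error code in Joe's event 681, 3221225578, is NTSTATUS 0xC000006A (STATUS_WRONG_PASSWORD), which is consistent with an automatic logon submitting a stored password that no longer matches. The script decodes that code and audits a regedit export of the Winlogon key for the autologon values the reply above refers to. The key path and value names are taken from Microsoft's documentation of automatic logon rather than from this page, and the sample export is constructed.

```python
import re

# Winlogon key and value names as documented by Microsoft for automatic logon;
# the thread only points to them through the JSI tips.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# NTSTATUS codes commonly reported by event 681 (the event prints them in decimal).
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Constructed sample of a regedit export of the Winlogon key (not from the thread).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultDomainName"="EXAMPLEPC"
"DefaultPassword"="constructed-stale-password"
"Shell"="Explorer.exe"
'''

def decode_681(decimal_code):
    """Turn the decimal error code from event 681 into hex and an NTSTATUS name."""
    code = int(decimal_code) & 0xFFFFFFFF
    return "0x%08X" % code, NTSTATUS.get(code, "unknown")

def parse_key(export_text, key):
    """Return {value name: data} for one key of a .reg export (string and dword data)."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
            if m:
                values[m.group(1)] = m.group(2) if m.group(3) is None else str(int(m.group(3), 16))
    return values

def audit_autologon(export_text):
    """List autologon findings; an empty list means autologon is off and no password is stored."""
    v = parse_key(export_text, WINLOGON)
    findings = []
    if v.get("AutoAdminLogon", "0") != "0":
        findings.append("AutoAdminLogon is enabled for %s\\%s" % (
            v.get("DefaultDomainName", "?"), v.get("DefaultUserName", "?")))
    if "DefaultPassword" in v:
        findings.append("DefaultPassword is stored in clear text; delete the value")
    return findings
```
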
 

Joe

Some additional information:

Again, the logon-failure behavior first happened after the
installation and updating (where applicable via microsoft) of office
2k premium, front page with server extensions, IIS and IIS resource
kit, Office 2k resource kit, and other office items (add-ins) found on
officeupdate.microsoft.com.

Basically I was going nuts and installing anything that looked
interesting or useful (the source of which is MSDN CDs).

The first time this behavior occurred, the system did not accept a
blank admin password. In fact, I could not log-on after multiple
failed attempts using likely password candidates. I resorted to the
method (and software) found on this web page:

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

and I reset all passwords using "*" method (resetting the admin
password with a simple password did not work - or did not take
properly).

After resetting the password as described above I was able to log-on
but the initial failed auto-logon attempt continues.

There is either zero or practically zero chance that a virus or trojan
is responsible for this because (1) the computer has only transiently
been connected to the internet during this software installation
process and (2) it is connected behind a residential gateway/router
which acts like a fire-wall and (3) Outlook has never been active or
configured on this computer and (4) IE has seen limited browsing use
(microsoft.com only prior to this problem) and (5) Norton NAV was
installed, updated, and running prior to the problem occurring.

Pegasus (MVP) said:
I would do this:

- Immediately create a second admin account, with a password.

- Under "Users and Passwords", check the box "Users must
enter a user name and password to use this computer".

- Check all my startup tasks. These links may help:
AutoRuns from http://www.sysinternals.com
StartupCPL: http://www.mlin.net/StartupCPL.shtml

- Scan the PC for viruses on www.antivirus.com.




Pegasus (MVP)

It appears that your installation is compromised. Seeing that it
is a new installation, I recommend that you re-install Win2000,
making sure that it goes into a different folder, e.g. d:\Win2000.

I hear what you say about your PC being virus free but I don't
necessarily accept it. Have a look at the item "Programs won't open",
posted in this newsgroup just two days ago. The poster was prepared
to swear that his machine was virus free, yet it turned out that he
had some 300 infected files.
 
