Who's trying to logon?

T

Tumurbaatar S.

I found below logs in my WinXP's Event Log. And wonder
either someone tried to logon locally thru keyboard or some
program failed to impersonate? Or some remote one?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: MYPC
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrator
Source Workstation: MYPC
Error Code: 0xC0000064

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: MYPC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: MYPC
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MYPC
 
S

Shenan Stanley

Tumurbaatar said:
I found below logs in my WinXP's Event Log. And wonder
either someone tried to logon locally thru keyboard or some
program failed to impersonate? Or some remote one?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: MYPC
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrator
Source Workstation: MYPC
Error Code: 0xC0000064

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: MYPC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: MYPC
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MYPC

Using a firewall?
 
T

Tumurbaatar S.

Yes, I've activated SP2's firewall.

Shenan Stanley said:
Using a firewall?

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
 
W

Wesley Vogel

Nothing to worry about. I get Event ID 529 & 680 all the time.

[[The event occurred on Windows XP if the machine environment meets the
following criteria:
- The machine is a member of a domain.
- The machine is using a machine local account.
- Logon failure auditing is enabled.
When the user logs off, Windows will write event ID 529 to the log file
because
the OS incorrectly tries to contact the domain controller (DC), despite the
fact that the machine is using a local account. Microsoft currently doesn't
provide a fix for this problem, but you can safely ignore this event ID.]]

Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/?kbid=811082

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top