Worrying Security Event

D

David

Upon checking the WinXP Home Event viewer I've noticed a worrying event that
says:

Logon Failure:
Reason: Unknown user name or bad password
User Name: David
Domain: SPOT1
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SPOT1

Directly after this is another one which states:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: David
Source Workstation: SPOT1
Error Code: 0xC000006A

Now I only have a single User(Administrator): David. (that's me) on this PC
and I log on without fail every time.
So my question is: What does this mean?
 
J

JPG

I had similar concerns a while back until I discovered the following at
http://forums.devhardware.com/archive/t-1720/WinXP-Tips
which states:
From TechRepublic:

Welcome Screen: Don't confuse logons with hack attempts

If you use Windows XP's Welcome Screen and keep track of logon attempts,
you'll notice several unexpected logons in the Security node, which is
located in the Event Viewer snap-in.

Here's an example:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: xxxxxxx
Source Workstation: xxxxxxxx
Error Code: 0xC000006A
Logon Failure:
Reason: Unknown user name or bad password
User Name: xxxxxxxxx
Domain: xxxxxxxxxxx
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: xxxxxxxxxxx

This is a Welcome Screen feature, not someone trying to hack your machine.
When the computer boots and the Welcome Screen displays for the first time,
XP tries to log on to each user account that appears on the screen with a
blank password, and then it caches the results.

If the account has a blank password, the logon succeeds and no error is
logged. If the user has a password, an error is logged and the user is
prompted to type in his or her password after clicking the user icon to log
on to the system.

So don't worry about it; it quite normal
 
W

Wesley Vogel

Nothing to worry about. I get Event ID 529 & 680 all the time.

[[The event occurred on Windows XP if the machine environment meets the
following criteria:
- The machine is a member of a domain.
- The machine is using a machine local account.
- Logon failure auditing is enabled.
When the user logs off, Windows will write event ID 529 to the log file
because the OS incorrectly tries to contact the domain controller (DC),
despite the fact that the machine is using a local account. Microsoft
currently doesn't provide a fix for this problem, but you can safely ignore
this event ID.]]

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/27/2003
Time: 7:49:48 AM
User: NT AUTHORITY\SYSTEM
Computer: MYPENTIUM450
Description:
Logon Failure:
Reason: Unknown user name or bad password

Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/?kbid=811082

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/27/2003
Time: 7:49:48 AM
User: NT AUTHORITY\SYSTEM
Computer: MYPENTIUM450
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Explanation
A program or service attempted to start with the logon credentials specified
in the message, which do not match the credentials of the current user. This
message is logged for informational purposes only.

User Action
No user action is required.

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 
P

Pop

JPG wrote:
....
Here's an example:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: xxxxxxx
Source Workstation: xxxxxxxx
Error Code: 0xC000006A
Logon Failure:
Reason: Unknown user name or bad password
User Name: xxxxxxxxx
Domain: xxxxxxxxxxx
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: xxxxxxxxxxx

This is a Welcome Screen feature, not someone trying to hack your
machine. When the computer boots and the Welcome Screen displays for
the first time, XP tries to log on to each user account that appears
on the screen with a blank password, and then it caches the results.

If the account has a blank password, the logon succeeds and no error
is logged. If the user has a password, an error is logged and the
user is prompted to type in his or her password after clicking the
user icon to log on to the system.

So don't worry about it; it quite normal
Click to expand...
....
Thanks, JPG; I had just about figured it out that way but it's pretty hard
to do empirically. There are more than a few things like that in windows,
and I sometimes enjoy myself by chasing the ones I'm sure aren't a problem
but are indicated as one. With all the code in windows, you'd think they
could have afforded an IF xxxx then "normal" kind of tag for those instead
of error type messages. Then there's all the Medium impact errors; which
almost never are. So far (knock on wood). I'm no guru, I just like poking
around inside it where I can do so safely. I haven't run out of
opportunities yet!

It's too bad so few people write code in lower level languages anymore:
small wonder embedded code engineers get such a premium wage.

Pop
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Event Viewer - Security - Reports "Failure Audit" 2
Failed Logon Events [Event ID 4625; Logon Type 8; Procss Name: w3wp; Process: Advapi] 1
Please help me in resolving the logon type 2 1
Mac OS X cannot connect to Win2003 SFM shares 2
Event Viewer Failure Audit messages under Security 3
keep getting Event Viewer errors 529,680 2
Who's trying to logon? 3
Failure Audit Error in logon?? 1

Top