The following Event ID's indicate that a logon failed:
You should watch for events 529, 539 and 644.
Event ID 529 entries can have various "Logon Types":
+
Event ID 529 will also have a process ID that can be used to find the program that passed on the logon attempt. Use the Task Manager (ctrl+alt+delete then select Task Manager, or if logged in remotely, Start / Windows Security) to lookup the name of the process, from the "Processes" tab, select View / Select Columns and check "PID (Process Identifier)" then click ok.
With Event ID 529, Logon Type 3, and a PID that turns out to be inetinfo.exe, the error was probably caused by an attempt to log in to the server via the remote web workspace, Outlook web access, etc... The web access log may have more information including the IP address of the attacker.
With Event ID 529, Logon Type 3, and a PID that turns out to be advapi it was(apparently) an attempt to log in via SMTP and relay email^. The SMTP service can be set to log detailed events, which will include the IP address of the attacker.
+
file: /Techref/os/win/logonfailure.htm, 3KB, , updated: 2008/2/25 09:11, local time: 2024/12/24 21:53,
owner: JMN-EFP-786,
3.140.188.195:LOG IN
|
©2024 These pages are served without commercial sponsorship. (No popup ads, etc...).Bandwidth abuse increases hosting cost forcing sponsorship or shutdown. This server aggressively defends against automated copying for any reason including offline viewing, duplication, etc... Please respect this requirement and DO NOT RIP THIS SITE. Questions? <A HREF="http://linistepper.com/techref/os/win/logonfailure.htm"> Windows Logon Failure Investigation</A> |
Did you find what you needed? |