Event Viewer Security Report

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

DDALE32

Thread Starter
Joined
Feb 5, 2002
Messages
214
I am using MAILWASHER PRO. It was set to check mail every 1 minute. I'm not sure that this has anything to do with the report I get in EVENT VIEWER/SECURITY but it shows AUDIT FAILURE every 30 seconds. It only has records for two days. When I click on one of the failures and follow through this is what I get:


Details
Product: Windows Operating System
ID: 529
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_UNKNOWN_USER_OR_PWD
Message: Logon Failure:
Reason: Unknown user name or bad password
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication Package: %5
Workstation Name: %6

Explanation
This event record indicates an attempt to log on using an unknown user account or a valid user account but with an incorrect password. An unexpected increase in the number of these audits could represent an attempt by someone to find user accounts and passwords (such as a "dictionary" attack, in which a list of words is used by a program to attempt entry).


User Action
The person with administrative rights for the computer should establish a threshold limit for attempted log ons. Attempts in excess of the limit should be investigated as a possible attempt to break into the computer.



--------------------------------------------------------------------------------

Related Knowledge Base articles
You can find additional information on this topic in the following Microsoft Knowledge Base articles:
• Post a Question to the Microsoft Windows XP Newsgroups
Ask your question to Microsoft Most Valuable Professionals (MVPs) and others who use Microsoft Windows XP. You can also search for your answer in existing posts.
• Windows XP Support Center
Visit the Windows XP Support Center for links to common questions and answers, instructions, the latest downloads, and more.
• Security Event 529 Is Logged for Local User Accounts
When a local user on a Windows XP Professional-based member computer logs off, two logon failure events are recorded: Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: date Time: time User: NT...
• Failure Events Are Logged When the Welcome Screen Is Enabled
With the welcome screen and logon/logoff and/or account logon success and failure auditing are enabled, pairs of Logon/Logoff failure or Account Logon failure audits with successful logon audit entries are added to the computer security log.
**********************************************

Can this be caused by MAIL WASHER? Or is it an indication that someone on the internet is attempting to break in?

OR ... what is it?

Thanks for the great help in the past and anticipated again.

dd
 
Joined
May 17, 1999
Messages
1,052
I don't know how Mail Washer works, but if you disable the program and the events continue, then it is not the program. Just the first thing I would try to track down the culprit. Then you could try disconnecting from the internet for a period and see if the events continue. That won't rule out a trojan program that has been loaded locally, but it won't be able to transmit any successes. The %x that is the user and domain, etc. seem to be parameter variables such as used in batch files where %1 is the first parameter and %2 is the second and so on. You may want to look in the registry under the run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run in w2k) to see if there are any entries you don't recognize, especially batch files or .vbs files.

Hope this helps!
 

DDALE32

Thread Starter
Joined
Feb 5, 2002
Messages
214
I turned off, shut down, MAIL WASHER. I also turned off OUTLOOK EXPRESS that was checking for mail every 30 minutes. I don't know of anything else that would be popping up on a regular basis. The "FAILURE" was happening every 30 seconds on the button.

:confused:
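Added example, not part of the thread: a sketch of the threshold check that the quoted User Action text asks for, run over constructed event ID 529 records. The field names follow the event template quoted in the first post; the sample values, thresholds and labels are assumptions, and the labels are triage hints rather than verdicts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2004, 1, 1, 9, 0, 0)  # constructed start time

# Constructed sample of event ID 529 records:
# (time, User Name, Workstation Name, Logon Type)
SAMPLE = (
    [(T0 + timedelta(seconds=30 * i), "alice", "HOMEPC", 3) for i in range(12)]
    + [(T0 + timedelta(seconds=s), f"user{n}", "OTHERPC", 3)
       for n, s in enumerate([4, 5, 9, 40, 41, 47, 120, 122])]
)

def summarize(events, threshold=5, jitter=2.0, many_users=4):
    """Group 529 failures by (workstation, logon type) and label each group.

    threshold, jitter (seconds) and many_users are assumed tuning values.
    """
    groups = defaultdict(list)
    for ts, user, workstation, logon_type in events:
        groups[(workstation, logon_type)].append((ts, user))
    report = {}
    for key, rows in groups.items():
        rows.sort()
        times = [ts for ts, _ in rows]
        users = {u for _, u in rows}
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(rows) < threshold:
            label = "below-threshold"
        elif len(users) >= many_users:
            label = "many-usernames"   # the pattern the Explanation text warns about
        elif pstdev(gaps) <= jitter:
            label = "fixed-interval"   # timer-driven source: service, task, polling client
        else:
            label = "irregular"
        report[key] = {"label": label, "count": len(rows), "users": len(users),
                       "mean_gap_s": round(mean(gaps), 1) if gaps else None}
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

A fixed-interval group like the 30-second one described in this thread points the search toward whatever runs on that timer; the User Name, Logon Type and Logon Process fields of the actual event narrow it further.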
 