How to track which process is failing logons?

5,881

Solution 1

It was an old agent for a monitoring program (not used anymore).

How I found it:

  • Guessed it was opening connections to Virtual Center (TCP port 443), trying to authenticate, failing, closing connections.
  • Used NETSTAT to look for connections in closing state after the event log entry appeared.
  • Found process ID.
  • Found process.
  • Stopped service, events stopped.

The program's log confirmed it was always failing logons.

Uninstalled successfully (it was not used anymore), problem solved :-)
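The steps above, scripted as an added example in PowerShell (this is not the answerer's code). The loop polls the TCP table so a connection that lives for well under a second is still caught, maps the owning PID to a process and to any service hosted in it, and prints the most recent failed-logon Security event for the account next to each hit. Assumptions not stated in the answer: VirtualCenter listens on TCP 443 at 127.0.0.1, the failed-logon event ID is 529 (Windows Server 2003) or 4625 (Vista and later), and `$Account` is a placeholder for the disabled account's name.

```powershell
# Added example, not code from the original answer. Automates the
# "look at netstat after the event appears" step from Solution 1.
#
# Assumptions (not on the page): VC listens on 127.0.0.1:443, failed logons
# are event ID 529 (Server 2003) or 4625 (Vista+), $Account is the disabled
# account's name. netstat -ano is used instead of Get-NetTCPConnection so the
# script also works on older Windows Server versions.
param(
    [string]$Account    = 'DISABLED_ACCOUNT',   # placeholder, set to the real name
    [string]$RemoteHost = '127.0.0.1',
    [int]   $Port       = 443,
    [int]   $Seconds    = 300,                  # how long to watch
    [int]   $IntervalMs = 250                   # poll interval
)

$failedLogonIds = 529, 4625

function Get-ClientConnections {
    # Parse 'netstat -ano -p TCP'. Columns: Proto, Local, Foreign, State, PID.
    # Keep only the client side (foreign address = the VC endpoint) and drop
    # entries with PID 0: Windows reports 0 for TIME_WAIT sockets, whose
    # owner has already closed them, so those cannot identify a process.
    param([string]$RemoteHost, [int]$Port)
    $target = "${RemoteHost}:$Port"
    netstat -ano -p TCP |
        Where-Object { $_ -match '^\s*TCP\s' } |
        ForEach-Object {
            $f = $_.Trim() -split '\s+'
            if ($f[2] -eq $target -and [int]$f[4] -ne 0) {
                New-Object PSObject -Property @{
                    Local = $f[1]; State = $f[3]; PID = [int]$f[4]
                }
            }
        }
}

function Get-OwnerInfo {
    # Map a PID to its process name, image path and hosted service name(s).
    # The image path points at the install directory, which is where a
    # configuration file holding the stale credentials would usually live.
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $svc  = Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" |
            ForEach-Object { $_.Name }
    $name = '<exited>'; $path = ''
    if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
    New-Object PSObject -Property @{
        PID = $ProcessId; Process = $name; Path = $path
        Service = (@($svc) -join ',')
    }
}

function Get-LastFailedLogon {
    # Newest Security event that is a failed logon and names the account.
    param([string]$Account)
    Get-EventLog -LogName Security -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { ($failedLogonIds -contains $_.EventID) -and
                       ($_.Message -like "*$Account*") } |
        Select-Object -First 1
}

$seen     = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
Write-Host "Watching for client connections to ${RemoteHost}:$Port for $Seconds s ..."
while ((Get-Date) -lt $deadline) {
    foreach ($c in Get-ClientConnections -RemoteHost $RemoteHost -Port $Port) {
        # Report each (PID, local endpoint) pair once; the client keeps
        # reconnecting, so the same process would otherwise flood the output.
        $key = "$($c.PID)|$($c.Local)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        $owner = Get-OwnerInfo -ProcessId $c.PID
        $ev    = Get-LastFailedLogon -Account $Account
        $when  = 'none found'
        if ($ev) { $when = $ev.TimeGenerated }

        Write-Host ("{0:HH:mm:ss.fff}  {1,-11} PID {2,-6} {3,-20} svc=[{4}] path={5}" -f `
            (Get-Date), $c.State, $owner.PID, $owner.Process, $owner.Service, $owner.Path)
        Write-Host ("           last failed logon for '{0}': {1}" -f $Account, $when)
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Run it from an elevated prompt on the VirtualCenter host while the events are occurring; the `svc=[...]` field is what to feed to `Stop-Service` to confirm the events stop, and the `path=` field is where to look for the configuration file holding the saved credentials.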

Solution 2

I would try using procmon and filtering on the userid. That should turn up anything that is sporadically running as that user.


Author: Massimo

"Against stupidity, the Gods themselves fight in vain." https://www.linkedin.com/in/massimo-pascucci

Updated on September 17, 2022

Comments

  • Massimo
    Massimo almost 2 years

    Windows Server 2003, VMWare VirtualCenter 2.5.

    Something is continuously trying to log on to VirtualCenter using a disabled domain account; the failed logon attempts are logged by VirtualCenter in its own logs and by Windows in the Security event log. This happens roughly every minute or two. The source of the logon attempts is 127.0.0.1, so it must be some process running on the server itself.

    There are no services running as this user account and no scheduled jobs on the system. The task manager doesn't show any process running under this account, either.

    The user account's name is nowhere to be found in the Registry.

    But some process is trying to use it, and failing. It probably is not some critical process, as everything seems to be working fine, apart from those log entries; it could just be something that was installed long ago and forgotten there.

    Whatever it is, it probably is running under another user account (possibly a system one), but is actively trying to log on to VC using those credentials, which are probably saved in some configuration file, since they're not stored in the Registry.

    How can I track which process is trying (and failing) those logon attempts, either by auditing Windows or VirtualCenter?

    • Helvick
      Helvick about 14 years
      Are there any additional vCenter modules installed that might have user accounts associated with them but stored in a database? Any third party stuff in particular?
    • Massimo
      Massimo about 14 years
      Yes, there are: Update Manager, Converter, Backup, License Manager... there's a full-blown VirtualCenter configuration on that server. But everything is working fine, and it wouldn't if it couldn't login...
  • Massimo
    Massimo about 14 years
    The process will not run as that user, because the user account can't be used to log in at all (it has been deleted). Whatever it is that's doing this is running as something else, but is trying to log in to Virtual Center using that user account.
  • MattB
    MattB about 14 years
    @Massimo: then my next step would probably be to use a utility like Astrogrep to see if I can find a configuration file with the username in it. astrogrep.sourceforge.net
  • Massimo
    Massimo about 14 years
    OK, this looks nice... I'll give it a try :-)
  • Massimo
    Massimo about 14 years
    It was really good. Didn't help because the login info was saved in a binary file, though.