Lots of FAILURE AUDIT: an account failed to log on entries in Security Log
On the login source system 'QDMNT140' use

    netstat -ano | findstr 3973

to see which process has the matching source port '3973' open. Replace 3973 with whatever the port changes to if it's not static.
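The netstat check above, turned into a polling loop because the source port changes with each logon attempt. This is an added example, not part of the original answer: the watch duration and polling interval are assumed values, and it needs Get-NetTCPConnection (Windows 8 / Server 2012 or later) in an elevated session on the source machine.

```powershell
# Added example: watch for connections from this machine (QDMNT140) to the
# server that logged event 4625 and report which process owns each one.
param(
    [string]$DcName     = 'QKSRVDC212.Corp.abc.com', # server name taken from the log
    [int]   $Seconds    = 300,                       # how long to watch (assumed value)
    [int]   $IntervalMs = 200                        # polling interval (assumed value)
)

# Resolve the server name to the IPv4 addresses the client would connect to.
$dcAddrs = [System.Net.Dns]::GetHostAddresses($DcName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

$seen     = @{}                          # local port / PID pairs already reported
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $dcAddrs -contains $_.RemoteAddress }

    foreach ($c in $conns) {
        $key = "$($c.LocalPort)/$($c.OwningProcess)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Look up the owning process; it may already have exited.
        $p = Get-CimInstance Win32_Process -Filter "ProcessId=$($c.OwningProcess)" `
                 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Time        = Get-Date -Format 'HH:mm:ss.fff'
            LocalPort   = $c.LocalPort    # compare with "Source Port" in event 4625
            RemotePort  = $c.RemotePort
            State       = $c.State
            PID         = $c.OwningProcess
            Process     = $p.Name
            CommandLine = $p.CommandLine
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Match the LocalPort column against the Source Port of the next 4625 event on the server. A PID of 4 (System) means the connection was opened by a kernel component such as the SMB client rather than a user-mode process.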
Author: Param
Updated on September 18, 2022
I have received lots of failure audits on my server. From the log, I have identified the particular machine that is the culprit. How can I identify which process is sending the login request?
Do you have any idea how to find out?
Below is the detail of the log.
Security log on \QKSRVDC212:

[2465151] Microsoft-Windows-Security-Auditing
Type: FAILURE AUDIT
Computer: QKSRVDC212.Corp.abc.com
Time: 7/26/2012 9:31:00 AM
ID: 4625

An account failed to log on.

Subject:
    Security ID: S-1-0-0
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name: Quality
    Account Domain: QDMNT140

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: QDMNT140
    Source Network Address: 10.1.1.185
    Source Port: 3973

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0