event IDs 681, 529 and error code 3221225572

Moderator: alorbach

Postby EAK on Wed Mar 05, 2003 9:09 am

Dear Eric Fitzgerald and others who responded to audit
questions,

On many threads you have explained about event IDs 681,
529 and error code 3221225572, e.g.:

"681 is a failure event (account logon failure) in the "Account Logon"
category of audits- it's generated when a security package authenticates
your credentials. This occurs on the machine authoritative for the account
being used- the local machine in the case of local accounts ..."

This is all good, but I noticed that you MS guys never
answer the main question asked by hundreds of people: is it a
security problem? Is it a hacking? Shall we worry? What
shall be done, if anything?

My problem is similar to others: on my W2k Pro workstation
I receive dozens of logon failure audits per day about logon
attempts onto my machine's "default" account (does not
exist on my machine) from several workstations on our LAN,
and even from outsiders, with the event IDs 681, 529 and
error code 3221225572. It happens even overnight, when
nobody is present and I am logged off. Two machines do it
much more often than others (both are Win ME). I checked
one - it is not infected. Could you please explain in
plain, user-friendly terms - what these logons mean in
terms of security? Normal or hacking attacks? Shall we do
something about it? How to stop it?

Please answer to my e-mail in addition to posting in
threads - I may miss it there.

Thank you in advance,

EAK
EAK
 

Postby Eric Fitzgerald on Wed Mar 05, 2003 9:12 am

I have been working with Evginy offline, but I wanted to address one issue
publicly as well:

The audit log does not convey intent. That is to say, it's rare that you
can look at the log (even rarer when looking at a single event out of the
context of the log) and say "That's a hacker".

The system will record the same event when the password doesn't match,
regardless of whether it's a hacker or a bad typist at the other end of the
connection- the system can't tell the difference.

You can sometimes deduce the intent (10 thousand bad password attempts vs.
Administrator in one minute is above any reasonable retry threshold), but
sometimes not (is one bad logon attempt per hour a hacker or is it a
scheduled process with bad credentials?).

Some rules of thumb:

1) Ignore single bad password events. If it only happens once, it's
probably not worth investigating.
2) When examining logon failures, go to the workstation that is generating
the bad requests and look for something there, particularly a service.
3) Don't assume it's a hacker until you rule out everything else.

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Fitzgerald
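
The rules of thumb in the post above, sketched as a triage script. This is an added example, not part of any post in the thread: the record tuples, host names and the `burst_per_minute` threshold are assumptions, and the two decimal error codes are the ones quoted in this thread, mapped to their NTSTATUS names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS names for the two decimal error codes quoted in this thread.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",    # 3221225572
    0xC000006A: "STATUS_WRONG_PASSWORD",  # 3221225578
}

def decode_status(decimal_code):
    """Event 681 prints the NTSTATUS in decimal; return (hex string, name)."""
    code = int(decimal_code)
    return f"0x{code:08X}", NTSTATUS.get(code, "UNKNOWN")

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(events, burst_per_minute=20):
    """events: (timestamp, workstation, account, decimal_code) per 681 record.
    burst_per_minute is an assumed threshold; tune it for your site."""
    groups = defaultdict(list)
    for ts, workstation, account, code in events:
        groups[(workstation, account)].append((ts, code))
    report = {}
    for key, rows in groups.items():
        statuses = sorted({decode_status(c)[1] for _, c in rows})
        if len(rows) == 1:
            verdict = "ignore: single failure"              # rule 1
        elif max_in_window([t for t, _ in rows],
                           timedelta(minutes=1)) >= burst_per_minute:
            verdict = "burst: above retry threshold"
        else:                                               # rule 2
            verdict = "recurring: inspect services on source workstation"
        report[key] = (len(rows), statuses, verdict)
    return report

# Constructed sample records (not taken from the logs posted in this thread).
T0 = datetime(2004, 1, 30, 15, 0, 0)
SAMPLE = (
    [(T0, "WS-A", "jsmith", 3221225578)]
    + [(T0 + timedelta(hours=h), "WS-B", "default", 3221225572) for h in range(6)]
    + [(T0 + timedelta(seconds=s), "WS-C", "Administrator", 3221225578) for s in range(45)]
)
```

Calling `triage(SAMPLE)` groups the failures by source workstation and account, which is the order of investigation the post recommends: the source machine first, a conclusion about intent last.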
 

I get 529s through a batch job or started process

Postby Paul W on Wed May 14, 2003 7:09 pm

Hi all,
I also get 529's but not from someone trying to log on. It is caused by a process, service, or some such as it always happens after I start an NT system. It is a logon type 2 with the workstation name of the console. The process is Advapi and authentication package is "Microsoft_Authentification_Process_Package_V1.0".

Problem is I can't find the process that triggers this. Any suggestions??
Paul W
 

Postby alorbach on Thu May 15, 2003 8:58 am

It could be from some deep system process, or maybe come from a driver. Hard to say. Could you quote the whole Event message?
alorbach

Event 529 681

Postby serginia on Mon Jul 28, 2003 4:13 pm

I am also getting this failure audit logon/logoff. The problem is that during the time this happens the computer should have been turned off. I will leave for the day, the computer is off, but I will return next morning and find the computer on. I know it isn't anyone else because the office is closed. I am getting this message:

Event Type: Warning
Event Source: atapi
Event Category: None
Event ID: 26
Date: 7/25/2003
Time: 5:19:50 PM
User: N/A
Computer: GOOD
Description:
The driver has detected that device \Device\Ide\IdePort0 has old or out-of-date firmware. Reduced performance may result.

after the computer is turned off. Are these two problems connected to the reason the computer magically turns on? I tried many things to find what makes the computer turn on, so if anyone has a suggestion I will greatly appreciate it. Thank you very much.
serginia
 

Postby alorbach on Tue Jul 29, 2003 8:53 am

Hi,

This is no magic, this is simply an APM (ACPI) malfunction ;)
Can you tell me how old this PC is? Does it have an ATX or AT power supply?
If it has an AT power supply and you are using Windows 2000, it is an APM (Advanced Power Management) related issue. I have seen this before.

Regarding that error message, this comes from your hard disk and only tells you that the firmware of the device is outdated. This only causes Windows to run the hard disk in slow PIO mode.
alorbach

error 3221225572 in w2k

Postby gastonbx on Thu Aug 07, 2003 9:37 pm

It could be not a hardware problem, or a hacking, like I read in this forum. I've just created 3 users, and in my attempts to log on, from a W98SE, it returns me the error 3221225572 like all of you, but it clearly specifies that it is a password or account problem.
It happens that I've just created the accounts, I wrote the passwords, and it keeps giving me that error. I CAN'T LOG ON to that DC. It doesn't happen with the old accounts... I don't know what it implies, and what changes I have to make (or have I made). Please, if any of you has the answer, forward or send a message to: gastonbx@hotpop.com
Thank you very much
gastonbx
 

i have news about 3221225572

Postby gastonbx on Thu Aug 07, 2003 9:48 pm

Please check, recheck and recheck again your domain, domain controller, computer, etc. and all security options, policies, etc.
I hope that this helps any of you.
Thanks again, anyway
gastonbx
 

Postby webchild on Tue Aug 12, 2003 12:27 pm

I have the same message:
The logon acount: xxx
by:Microsoft_Authentification_Process_Package_V1.0
from workstation: xxx
failed. The error code was 3221225572.

This error occurs when I use remote from the workstation (xxx) the Arcserve manager.

The account is a member of the Administration Group and I have no idea why this failure happened!

I would be happy if someone could explain to me how I can stop this failure!
webchild
 

advapi - 681, 529 errors

Postby guest on Sat Jan 31, 2004 12:18 am

Hello,

About every second I get 2 logon failure events in my security log. Here they are...

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/30/2004
Time: 3:13:40 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: BOXADMIN
Domain: SERVER1
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER1


--------------------------------------------------------------------
and this one


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 1/30/2004
Time: 3:13:40 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1
Description:
The logon to account: BOXADMIN
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: SERVER1
failed. The error code was: 3221225578

--------------------------------------------------------------------------------

Like I said, every second or so this happens. I am sure it is a process or app somewhere but can't figure out which one. Anyone got a clue how to figure out which process or app is causing this????

Help
guest
 

Postby cortez00 on Fri Apr 09, 2004 3:17 pm

I feel your pain guys. I have been researching this for months now and cannot find anything wrong with the systems. What I have narrowed it down to is that this is only happening to our PCs that are logged in to AD. We run a mixed environment AD and NDS and it looks like some kind of pooling.. If anyone finds anything out please post..
cortez00
 

I get it too on E2K backend server when POP3 logs in

Postby jcraig on Sat Jun 12, 2004 7:41 pm

Believe it or not I get these errors (3221225572) every time a successful login occurs on an Exchange 2000 backend server. Not a SINGLE useful thing about this is in the Microsoft support database or in any discussion that I have ever seen.

SIGH. :cry:
jcraig
 

ticket request failed

Postby Davey2004 on Mon Jun 28, 2004 9:07 pm

I've been getting large amounts of service ticket request failures all at the same time (within a few seconds for about 60 xp clients), now none of the user accounts in my domain can log on (except administrator). On the client they get the bad username or password error, in the event log the 3221225572 (bad username or password) event appears, even though I know the password is correct. WTF is going on, this just happened all of a sudden and I'm up s**t creek.

ARRRGGGHHHHHHHHHH!
Davey2004
 

Re: ticket request failed

Postby TXDoc on Fri Jul 02, 2004 3:56 am

As of today, we are experiencing the exact same issue. The only difference is that the clients are W2K Pro. Adding to the fun are the event id 676 entries that show a failure code of 0x1D. That failure code is not even listed in the original Kerberos specification. If I can get approval for a Microsoft support incident, I'll post the results here tomorrow. In the meantime, if anyone has also gone through this problem and come out the other side successfully, I would **** to avoid the cost of tomorrow's support call.

Davey2004 wrote: I've been getting large amounts of service ticket request failures all at the same time (within a few seconds for about 60 xp clients), now none of the user accounts in my domain can log on (except administrator). On the client they get the bad username or password error, in the event log the 3221225572 (bad username or password) event appears, even though I know the password is correct. WTF is going on, this just happened all of a sudden and I'm up s**t creek.

ARRRGGGHHHHHHHHHH!
TXDoc
 

Postby isidoro1616 on Thu Sep 02, 2004 11:17 am

Something similar:
Every 3 seconds two records appear in security register in the PDC:

Event Id:681
Error del inicio de sesión a la cuenta: asdf
por: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
desde la estación de trabajo: PAIW2000
El código de error es: 3221225572

and

Event id: 529
Error al iniciar sesión:
Razón: Nombre de usuario desconocido o contraseña incorrecta
Nombre de usuario: asdf
Dominio:
Tipo de inicio de sesión: 3
Proceso de inicio de sesión: Advapi
Paquete de autenticación: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Nombre de estación de trabajo: PAIW2000

PAIW2000 is the PDC and username (nombre de usuario) is alternatively:

Guest
Administrator
Demo
asdf
anonymous.
isidoro1616
