Re: Event 12294 SAM error

Thanks for the suggestion, I'll give Process Explorer a try.

The reason I'm also rather sure it isn't a virus is the virus they post on
that causes this behavior only effect Windows 2k (from all the articles
linked/searched).

Also haven't exactly tracked down all the users that generate the event. I
managed to duplicate the event when I try signing on with no password/wrong
password, hence leading me to think thats the problem (as the Webserver lets
internal/external users into our Intranet site).

"Adrian Grigorof" wrote:

Did the users actually try to login with the wrong password and generated
this event? You also mentioned that the system was checked with Symantec
Antivirus, using the latest virus patterns. Please note that in itself, that
doesn't mean there is no virus - maybe the av did not detected. From my
experience, even with the latest updates, sometimes an antivirus may fail to
detect a virus. Try to run Process Explorer (from www.sysinternals.com) and
see if there is any strange process running on that machine.

--
Adrian Grigorof
www.eventid.net


"Speaker Ender" <SpeakerEnder@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B340BD1C-862D-4C23-97AD-9D941B6A8FD5@xxxxxxxxxxxxxxxx
Yeah the error code was not much help.

It is different usernames, and it took a while to track down that it was
coming from the webserver and not a specific workstation.

There is nothing else that appears related in any of the logs. No errors
in
the File Replication Service log, nothing in Directory Services or any of
the
other logs.

Looking in the log and analyzing it with NLParse and there are no accounts
with current password is not correct.

I checked the link, I've seen it before, and finally hunted down his part
III, the problem seems to be different though, as none of the services on
the
webserver use regular user accounts. I'm almost thinking it is something
with IIS and how its authenticating the users (i.e. when it fails the
third
time it should tell the DCs to lock the account, but doesn't).

"Adrian Grigorof" wrote:

Well, the error code means "DS (Directory Services) is busy" - not much
help
there. How about the user name - is it the same all the time? Is the
webserver a domain controller? Any other relevant events in the log?
Also,
take a look at this page:
http://www.eksternkompetanse.no/blog/PermaLink,guid,576846a0-ac14-47d4-8057-c117a9e2ec1c.aspx

--
Adrian Grigorof
www.eventid.net





.

Relevant Pages

  • Re: Event 12294 SAM error
    ... can happen on Windows 2003. ... with the fact that you allow external users to login to that webserver. ... The reason I'm also rather sure it isn't a virus is the virus they post on ... "Adrian Grigorof" wrote: ...
    (microsoft.public.windows.server.active_directory)
  • Re: HELP, Hacked with machine account
    ... First run a virus scan and trojan scan [SwatIt is a free download] program with ... including Autoruns, TCPView, and Process Explorer. ... > I was hacked by a person usering a machine$ account and nt authority. ...
    (microsoft.public.win2000.security)
  • Re: PC Slow and runs at 100% cpu
    ... For further information about Process Explorer see he ... DarrylJS wrote:- ... I have a similar problem CPU usage at 80%+ disk continually being ... above, run full virus and spyware checks, latest MS Malicious ...
    (microsoft.public.windowsxp.perform_maintain)
  • Re: Expert needed, TCP DUMP INSIDE, HELP!!!!!
    ... Kind of had a hunch i had a virus when before connecting ot ameritrade ... (kind of obvious whats going on in the script) ... Oh and Thank you for telling be about process explorer and active ...
    (comp.security.firewalls)
  • Re: PC Slow and runs at 100% cpu
    ... For further information about Process Explorer see here: ... To trace the particular Service involved you need to turn off each service in turn and then restore it noting what effect it has on CPU usage. ... DarrylJS wrote: ... above, run full virus and spyware checks, latest MS Malicious ...
    (microsoft.public.windowsxp.perform_maintain)