RE: Security Event 529...please help....

---

• From: RichardF <RichardF@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Sat, 13 May 2006 09:38:01 -0700

---

Has anyone found a fix for this yet?
I have a lab computer with SBS 2003 standard SP1 and all current patches. I
powered down the computer a couple of months ago and recently started it back
up for another project. After applying the current patches I started having
this same problem soon after.

From the server report:

Source Event ID Last Occurrence Total Occurrences
Security 529 5/13/2006 5:45 AM 2,049 *
Logon Failure:
Reason: Unknown user name or bad password
User Name: SBS1$
Domain: FRYSNETSERVICES
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SBS1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

I receive about 2100 entries a day. I only have one workstation on the
network and it is rarely turned on.

Thanks for any help.


"Art Vandalay" wrote:

Brand new SBS 2003 Server setup with SBS 2003 SP1, Exchange 2003
Server SP2, and all the latest patches from Microsoft Update site is
producing the following event in the Security Event Log:

Source : Security
Category : Logon/Logoff
Event ID : 529
Logon failure
Reason : Unknown user name or bad password
Username : SERVER1$
Domain : SYS3
Logon Type : 3
Logon Process : NtLmSsp
Authentication Package : NTLM
Workstation Name : SERVER1
Caller User Name : -
Caller Domain : -
Caller Logon ID : -
Caller Process ID : -
Transited Services : -
Source Network Address : -
Source Port : -

I've isolated the PIDs producing the event to the following processes:

inetinfo.exe
store.exe
wmiprvse.exe

As always, any help is greatly appreciated....

.

---

• Follow-Ups:
  • Re: Security Event 529...please help....
    • From: cjobes

• Prev by Date: SBS R2 - whats the big deal?
• Next by Date: Re: Remove Exchange logs after N days
• Previous by thread: SBS R2 - whats the big deal?
• Next by thread: Re: Security Event 529...please help....
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Logon 529 Errors ... These are almost surely SMTP logon attempts, ... Caller User Name: DELLSERVER$ ... Caller Domain: DELLNET ... (microsoft.public.windows.server.sbs) Re: Security Event ID: 529 ... Logon Failure: ... Caller User Name: SERVER$ ... Caller Domain: DOMAIN ... (microsoft.public.windows.server.sbs) EventId: 529 - hacking attempt ... indication if it was internal (from an infected workstation) or external? ... Logon Failure: ... Caller User Name: SERVER$ ... Caller Domain: ... (microsoft.public.windows.server.sbs) Security Event ID: 529 ... Logon Failure: ... Caller User Name: SERVER$ ... Caller Domain: DOMAIN ... (microsoft.public.windows.server.sbs) Re: KDC Event ID 7 and Wins startup errors. ... Event Type: Information ... Event Source: USER32 ... Logon Failure: ... Caller User Name: $ ... (microsoft.public.windows.server.sbs)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.sbs  > 2006-05