Failure Audits 529 & 680: How to track the IP address?

Archived from groups: microsoft.public.platformsdk.security,microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

*** I'm not quite sure in what NS this post fits best, so I set a
followup-to: microsoft.public.security ***

I get quite a lot of 529 and 680 Failure Audits in the Security Log of the
Event Viewer. Some folks try (probably mistakenly, hopefully) to get into my
computer (yes, it's not behind a fw at the moment). So I want to track down
those Failure Audits with IP addresses of the hosts that cause them.

Does anybody know a (maybe freeware) solution to achieve something like
that? (Note: I'm talking about future events, it's clear that past ones
cannot be resolvet to IPs anymore.)

As always, any help would be much appreciated!

Cheers, Juerg

--
It's time to tune in: http://jradio.ch/
3 answers Last reply
More about failure audits track address
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Nothing to worry about. I get Event ID 529 & 680 all the time.

    [[The event occurred on Windows XP if the machine environment meets the
    following criteria:
    - The machine is a member of a domain.
    - The machine is using a machine local account.
    - Logon failure auditing is enabled.
    When the user logs off, Windows will write event ID 529 to the log file
    because the OS incorrectly tries to contact the domain controller (DC),
    despite the fact that the machine is using a local account. Microsoft
    currently doesn't provide a fix for this problem, but you can safely ignore
    this event ID.]]

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 12/27/2003
    Time: 7:49:48 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MYPENTIUM450
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password

    Security Event 529 Is Logged for Local User Accounts
    http://support.microsoft.com/?kbid=811082

    Failure Events Are Logged When the Welcome Screen Is Enabled
    http://support.microsoft.com/?kbid=305822

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 12/27/2003
    Time: 7:49:48 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MYPENTIUM450
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

    Explanation
    A program or service attempted to start with the logon credentials specified
    in the message, which do not match the credentials of the current user. This
    message is logged for informational purposes only.

    User Action
    No user action is required.

    Failure Events Are Logged When the Welcome Screen Is Enabled
    http://support.microsoft.com/?kbid=305822

    --
    Hope this helps. Let us know.

    Wes
    MS-MVP Windows Shell/User

    In news:OQxPtP%23hFHA.328@tk2msftngp13.phx.gbl,
    Juerg Reimann <jr@jworld.ch> hunted and pecked:
    > *** I'm not quite sure in what NS this post fits best, so I set a
    > followup-to: microsoft.public.security ***
    >
    > I get quite a lot of 529 and 680 Failure Audits in the Security Log of the
    > Event Viewer. Some folks try (probably mistakenly, hopefully) to get into
    > my computer (yes, it's not behind a fw at the moment). So I want to track
    > down those Failure Audits with IP addresses of the hosts that cause them.
    >
    > Does anybody know a (maybe freeware) solution to achieve something like
    > that? (Note: I'm talking about future events, it's clear that past ones
    > cannot be resolvet to IPs anymore.)
    >
    > As always, any help would be much appreciated!
    >
    > Cheers, Juerg
    >
    > --
    > It's time to tune in: http://jradio.ch/
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Wesley,

    Thanks for your answer. However, I get Failure Audits from users out in the
    Internet who try to get into my machine. Tons of. That's why I want to track
    IP addresses.

    Juerg

    --
    It's time to tune in: http://jradio.ch/

    "Wesley Vogel" <123WVogel955@comcast.net> wrote in message
    news:%23HUZDV%23hFHA.3912@tk2msftngp13.phx.gbl...
    > Nothing to worry about. I get Event ID 529 & 680 all the time.
    >
    > [[The event occurred on Windows XP if the machine environment meets the
    > following criteria:
    > - The machine is a member of a domain.
    > - The machine is using a machine local account.
    > - Logon failure auditing is enabled.
    > When the user logs off, Windows will write event ID 529 to the log file
    > because the OS incorrectly tries to contact the domain controller (DC),
    > despite the fact that the machine is using a local account. Microsoft
    > currently doesn't provide a fix for this problem, but you can safely
    > ignore
    > this event ID.]]
    >
    > Event Type: Failure Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 529
    > Date: 12/27/2003
    > Time: 7:49:48 AM
    > User: NT AUTHORITY\SYSTEM
    > Computer: MYPENTIUM450
    > Description:
    > Logon Failure:
    > Reason: Unknown user name or bad password
    >
    > Security Event 529 Is Logged for Local User Accounts
    > http://support.microsoft.com/?kbid=811082
    >
    > Failure Events Are Logged When the Welcome Screen Is Enabled
    > http://support.microsoft.com/?kbid=305822
    >
    > Event Type: Failure Audit
    > Event Source: Security
    > Event Category: Account Logon
    > Event ID: 680
    > Date: 12/27/2003
    > Time: 7:49:48 AM
    > User: NT AUTHORITY\SYSTEM
    > Computer: MYPENTIUM450
    > Description:
    > Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    >
    > Explanation
    > A program or service attempted to start with the logon credentials
    > specified
    > in the message, which do not match the credentials of the current user.
    > This
    > message is logged for informational purposes only.
    >
    > User Action
    > No user action is required.
    >
    > Failure Events Are Logged When the Welcome Screen Is Enabled
    > http://support.microsoft.com/?kbid=305822
    >
    > --
    > Hope this helps. Let us know.
    >
    > Wes
    > MS-MVP Windows Shell/User
    >
    > In news:OQxPtP%23hFHA.328@tk2msftngp13.phx.gbl,
    > Juerg Reimann <jr@jworld.ch> hunted and pecked:
    >> *** I'm not quite sure in what NS this post fits best, so I set a
    >> followup-to: microsoft.public.security ***
    >>
    >> I get quite a lot of 529 and 680 Failure Audits in the Security Log of
    >> the
    >> Event Viewer. Some folks try (probably mistakenly, hopefully) to get into
    >> my computer (yes, it's not behind a fw at the moment). So I want to track
    >> down those Failure Audits with IP addresses of the hosts that cause them.
    >>
    >> Does anybody know a (maybe freeware) solution to achieve something like
    >> that? (Note: I'm talking about future events, it's clear that past ones
    >> cannot be resolvet to IPs anymore.)
    >>
    >> As always, any help would be much appreciated!
    >>
    >> Cheers, Juerg
    >>
    >> --
    >> It's time to tune in: http://jradio.ch/
    >
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Turn on a Firewall or unplug the modem! You're just asking for trouble.

    Email Dossier
    Validate and investigate email addresses.
    http://www.centralops.net/co/

    --
    Hope this helps. Let us know.

    Wes
    MS-MVP Windows Shell/User

    In news:O6%23YfJ$hFHA.328@tk2msftngp13.phx.gbl,
    Juerg Reimann <jr@jworld.ch> hunted and pecked:
    > Wesley,
    >
    > Thanks for your answer. However, I get Failure Audits from users out in
    > the Internet who try to get into my machine. Tons of. That's why I want
    > to track IP addresses.
    >
    > Juerg
    >
    > --
    > It's time to tune in: http://jradio.ch/
    >
    > "Wesley Vogel" <123WVogel955@comcast.net> wrote in message
    > news:%23HUZDV%23hFHA.3912@tk2msftngp13.phx.gbl...
    >> Nothing to worry about. I get Event ID 529 & 680 all the time.
    >>
    >> [[The event occurred on Windows XP if the machine environment meets the
    >> following criteria:
    >> - The machine is a member of a domain.
    >> - The machine is using a machine local account.
    >> - Logon failure auditing is enabled.
    >> When the user logs off, Windows will write event ID 529 to the log file
    >> because the OS incorrectly tries to contact the domain controller (DC),
    >> despite the fact that the machine is using a local account. Microsoft
    >> currently doesn't provide a fix for this problem, but you can safely
    >> ignore
    >> this event ID.]]
    >>
    >> Event Type: Failure Audit
    >> Event Source: Security
    >> Event Category: Logon/Logoff
    >> Event ID: 529
    >> Date: 12/27/2003
    >> Time: 7:49:48 AM
    >> User: NT AUTHORITY\SYSTEM
    >> Computer: MYPENTIUM450
    >> Description:
    >> Logon Failure:
    >> Reason: Unknown user name or bad password
    >>
    >> Security Event 529 Is Logged for Local User Accounts
    >> http://support.microsoft.com/?kbid=811082
    >>
    >> Failure Events Are Logged When the Welcome Screen Is Enabled
    >> http://support.microsoft.com/?kbid=305822
    >>
    >> Event Type: Failure Audit
    >> Event Source: Security
    >> Event Category: Account Logon
    >> Event ID: 680
    >> Date: 12/27/2003
    >> Time: 7:49:48 AM
    >> User: NT AUTHORITY\SYSTEM
    >> Computer: MYPENTIUM450
    >> Description:
    >> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    >>
    >> Explanation
    >> A program or service attempted to start with the logon credentials
    >> specified
    >> in the message, which do not match the credentials of the current user.
    >> This
    >> message is logged for informational purposes only.
    >>
    >> User Action
    >> No user action is required.
    >>
    >> Failure Events Are Logged When the Welcome Screen Is Enabled
    >> http://support.microsoft.com/?kbid=305822
    >>
    >> --
    >> Hope this helps. Let us know.
    >>
    >> Wes
    >> MS-MVP Windows Shell/User
    >>
    >> In news:OQxPtP%23hFHA.328@tk2msftngp13.phx.gbl,
    >> Juerg Reimann <jr@jworld.ch> hunted and pecked:
    >>> *** I'm not quite sure in what NS this post fits best, so I set a
    >>> followup-to: microsoft.public.security ***
    >>>
    >>> I get quite a lot of 529 and 680 Failure Audits in the Security Log of
    >>> the
    >>> Event Viewer. Some folks try (probably mistakenly, hopefully) to get
    >>> into my computer (yes, it's not behind a fw at the moment). So I want
    >>> to track down those Failure Audits with IP addresses of the hosts that
    >>> cause them.
    >>>
    >>> Does anybody know a (maybe freeware) solution to achieve something like
    >>> that? (Note: I'm talking about future events, it's clear that past ones
    >>> cannot be resolvet to IPs anymore.)
    >>>
    >>> As always, any help would be much appreciated!
    >>>
    >>> Cheers, Juerg
    >>>
    >>> --
    >>> It's time to tune in: http://jradio.ch/
Ask a new question

Read More

IP Address Security Microsoft Windows XP