I have received lots of failure audits on my server. From the log, I have identified the particular machine that is the culprit. How can I identify which process is sending the login request?
Do you have any idea how to find out?
Below is the detail of the log.
Security log on \QKSRVDC212:
[2465151] Microsoft-Windows-Security-Auditing
Type: FAILURE AUDIT
Computer: QKSRVDC212.Corp.abc.com
Time: 7/26/2012 9:31:00 AM ID: 4625
An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Quality
Account Domain: QDMNT140
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: QDMNT140
Source Network Address: 10.1.1.185
Source Port: 3973
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
On the login source system 'QDMNT140' use netstat -ano | findstr 3973
to see which process has the matching source port '3973' open. Replace 3973 with whatever the port changes to if it's not static.
User contributions licensed under CC BY-SA 3.0