Event Viewer Failed Security Audit?

Hi All, my concern is about this report in Event Viewer, Security

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/30/2004
Time: 3:00:00 AM
User: NT AUTHORITY\SYSTEM
Computer: CATASTROPHY
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Bob Martin
Domain: CATASTROPHY
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: CATASTROPHY

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The event view shows 4 of these failed audits from approx 5:00 PM yesterday up to this one at 3:00 AM this morning. At 3:00, everybody in this household was sound asleep.

There are more of them dating back several weeks.

When going to the help site on this error, it gives about 6 pages of small type information that is incomprehensible to me.

Of course, my concern is that this message does not say the attempted logon was unsuccessful, just says the failure of the audit. What does all this mean and should I be concerned?

Thanks for all replies

Martin

 

martinr121,

This explanation is making an assumption......that your PC was on during this attempt.
Many years ago we had strange occurences on our Computer equipment at approximately the same time every day. One day someone noticed that the City turned on their Parking Lot lights, and at the same time someone else let a yelp that "It's back!! ". Turns out the City had somehow tied into our power source and their Electrical equipment sent spikes to our equipment disrupting our normal Computer operation. We had some serious filters on our Power supplies to eliminate excess "Noise" but this was beyond the capability of our filters. When we put an Oscilloscope on the line we saw "Spikes" of unbelievable size. We eventually had the City moved to their own Power Source, and the "Problem" ceased.
So it's just possible you may have received "spikes" of some sort in the night from the local Power Company's lines feeding your PC and they may have kicked off an event. Electrical storms may have been associated with these events too.
One could check out the power lines using an Oscilloscope, but it is not always possible since we all don't have one lying around.
Power supply filtering is the only way a PC has to eliminate these spikes or voltage surges, but it might be worth it to check into it somehow, with reference to your systems filters or your A-C power source, .
Hope this explanation makes sense.

 

In that context, Failure Audit means that an audited security event (the logon) was not successful - it failed. You would see pretty much the same for an unsuccessful attempt to access a network share and a few other similar items.

The one you posted is fairly common on XP systems with the Welcome Screen icon logon blocks. You will also frequently see it along with Event ID: 680 Failure Audit messages.

They are usually related to some checking XP does to figure out how to handle the logon icon and are pretty much meaningless since they can accompany a successful logon.

In your case with it happening at such odd times, there could be another explanation but I'm not sure right off hand what it might be. Logon Type 4 was Batch with Win2K and probably also is with XP. Possibly a scheduled task starting (or trying to start).

If you are running XP-pro try switching from the welcome screen to a classic logon and if the failure is that one, you should not see it any more.

It could be a brute-force style attack I suppose but in that case I'd expect lots and lots of them.

 

Thanks Irdreed and Newt. Well, the computer was on, I usually leave it on all the time now with the DSL line disabled when I'm not using it online. I don't know of scheduled tasks that would be trying to start especially at 3:00 AM. As I'm running XP Home I can't change the logon except to go to a password logon which I don't particularly want to do.

Newt, it is reassuring to know that the Failed Audit means the logon failed. I'll check the event viewer for the next couple of days and see if this persists and what the timing is. I hope it is not power spikes as Indreed said, I am on a UPS that supposed to prevent them.

Thanks for your replies,

Martin

 

martinr121, Good luck in your quest. I agree the UPS should(?) take care of these spikes. But as I said our multimillion dollar Computer which did have very, very expensive Filters didn't eliminate what turned out to be Lighting for a City Parking Lot, "Sharing" our Power circuits.

BTW it took our group about 3-4 months to figure out what and where the source of our problem was, but during that period of time it sure reaked havoc on our Equipment.

 

This might be what you need TRIPP-LITE LC 1800 Line Conditioner/Stabilizer as an example. If you have dirty power. An UPS will kick in and start running the battery. The line conditioner and stabilizer keeps it steady.