Ask The Windows Security Expert: Questions & Answers

How to solve Windows security log mysteries

EXPERT RESPONSE FROM: Kevin Beaver

QUESTION POSED ON: 13 November 2007
I see the following in the Windows security log of an XP system.

Event ID: 529
Logon Failure
Reason: Unknown user name or bad password.
User Name: 1A
Domain: Joejj21~Bcd
Logon Type: 2
logon Process:
Authentication Package: Negotiate
Workstation Name: XPSystem

It appears to me that the domain user is logging on to this system and typing the password together with the username.

I am puzzled as to why I would see "Joejj21~Bcd" in the Domain field instead of our domain name. Is someone trying to access another domain or is this a bug in Microsoft?

I also see Event ID 537 with the same User Name: 1A and Domain: Joejj21~Bcd when Event ID 529 occurred in the security log.


EXPERT RESPONSE
With something this odd, the first thing I'd do is scan the system for malware (viruses, spyware and rootkits). After that, you could look at the computer configuration (System/Computer Name) to ensure everything is set properly. Also, try searching the registry (via regedit) for the Joejj21~Bcd string to see if it's stored in any of the keys.
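
As an added example (not part of the original question or of Kevin Beaver's answer), this Python sketch parses event text in the format quoted in the question and flags Event ID 529/537 records whose Domain field is not an expected name. The `KNOWN_DOMAINS` set (including the hypothetical domain `CORP`), the function names and the sample records are assumptions for illustration.

```python
import re

# Assumption: names that may legitimately appear in the Domain field.
# "CORP" is a hypothetical AD domain; XPSystem is the workstation name from the question.
KNOWN_DOMAINS = {"CORP", "XPSYSTEM"}

# Constructed sample modelled on the record quoted in the question.
SAMPLE = """\
Event ID: 529
Reason: Unknown user name or bad password.
User Name: 1A
Domain: Joejj21~Bcd
Logon Type: 2
logon Process:
Workstation Name: XPSystem

Event ID: 537
User Name: 1A
Domain: Joejj21~Bcd

Event ID: 529
User Name: jsmith
Domain: CORP
Logon Type: 2
"""

def parse_events(text):
    """Split on blank lines; return one dict of lower-cased field names per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # keep fields with empty values, such as "logon Process:"
                fields[key.strip().lower()] = value.strip()
        if "event id" in fields:
            events.append(fields)
    return events

def odd_domain_failures(events, known=KNOWN_DOMAINS, ids=("529", "537")):
    """Return 529/537 records whose Domain is missing or not an expected name."""
    return [e for e in events
            if e["event id"] in ids
            and e.get("domain", "").upper() not in known]

if __name__ == "__main__":
    for e in odd_domain_failures(parse_events(SAMPLE)):
        print(e["event id"], e.get("user name"), e.get("domain"))
```

If the questioner's reading is right, a flagged Domain value may be a mistyped password, so treat the script's output as sensitive.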


All Rights Reserved, Copyright 2004 - 2008, TechTarget