Discussion:
Logon Type 2, Process Advapi, Package MSV1_0
m***@yahoo.co.uk
2006-06-20 10:48:09 UTC
Hi. I'd like to know if anyone has any clue as to what's behind the
logon failure event below. I know that Type 2 is interactive but the
account name is a computer account - how can one computer log on
interactively to another? I thought you needed a keyboard and mouse to
do that!! Why is there no domain information recorded (we are running a
2000/2003 AD domain)? Also, I cannot find any explanation for the Advapi
process being used in conjunction with the MSV1_0 package - the target
server is not running IIS! Is there any activity or software which is
known to produce this event??

Logon Failure:
Reason: Unknown user name or bad password
User Name: <workstation_name$>
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <target_server_name>
Caller User Name: <target_server_name$>
Caller Domain: <AD_Domain>

I'm fairly sure that this is not malicious activity - but I'd prefer to
know exactly what it is in order to classify it, since my company has
VERY strict auditing/logging/monitoring requirements. Have already
visited eventid.net, windowssecurity.com, Microsoft and various others
- does anyone have experience with this?

Any help welcome.
Roger Abell [MVP]
2006-06-20 15:11:36 UTC
Use of a machine's keyboard is one example of a type 2 login.
A remote desktop login requires the local login right (i.e. type 2),
web content authoring via FrontPage server extensions does, etc.

What you report is peculiar, yes. The first thing I would do is
examine the source machine, apparently named workstation_name.
Aside from overall condition I would also be looking closely at all
installed services that run as the local system or as network service,
especially non-Microsoft ones. If workstation_name is a member
of AD_domain then the originating software is calling incorrectly,
while if not then it should know better, that the call for login would
not work.
m***@yahoo.co.uk
2006-06-21 13:40:45 UTC
Hi Roger, thanks for your reply. There are a couple of workstations
exhibiting this behaviour, so my suspicion is that it is 3rd party
software installed on them causing this. I shall have a look at them
and see if there's anything that jumps out at me (obviously will check
for nasties!)

Regarding your first paragraph, as far as I am aware, although Remote
Desktop requires local logon rights, the actual logon event should be
recorded as a type 10, shouldn't it?

Thanks
Roger Abell [MVP]
2006-06-21 13:54:08 UTC
Good luck in your checking those machines.
Yes, I believe you are correct, that with later systems, the login
type for TS has been separated out as a distinct type, although
the local login right is still needed, apparently to enable creation
of the winstation session.
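A triage sketch for the logon failure text quoted in the first post, added here as an example and not posted by anyone in the thread. The host and domain names in the sample are constructed, and the function names and the wording of each finding are assumptions about what an analyst classifying this event would want flagged.

```python
# Constructed sample: same fields as the event in the first post, with made-up names.
SAMPLE_EVENT = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: WKSTN042$
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SRV-FILE01
Caller User Name: SRV-FILE01$
Caller Domain: EXAMPLECORP
"""

def parse_event(text):
    """Turn 'Name: value' lines into a dict; empty values (e.g. 'Domain:') become ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(event):
    """Return the field combinations that make this logon failure unusual."""
    findings = []
    user = event.get("User Name", "")
    caller = event.get("Caller User Name", "")
    is_machine = user.endswith("$")  # computer accounts end in '$'
    if is_machine and event.get("Logon Type") == "2":
        findings.append("computer account used for an interactive (type 2) logon")
    if user and not event.get("Domain"):
        findings.append("no domain supplied with the user name")
    if event.get("Logon Process", "").lower() == "advapi" and caller.endswith("$"):
        findings.append("Advapi logon requested by a process running as a computer account")
    if is_machine and user.lower() != caller.lower():
        findings.append(f"account {user} differs from the caller {caller}")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_event(SAMPLE_EVENT)):
        print("-", finding)
```
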