Alex MRSN
Guest
Hello *,
I am currently trying to implement an MS Windows log integration for an application I am working on.
I've noticed that if a failed Windows login attempt event is generated for a Microsoft account, there is nothing in the "Account For Which Logon Failed" part. Here is an example:
An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: ALEXPC$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xC000006D
    Sub Status: 0xC0000380
Process Information:
    Caller Process ID: 0x8f4
    Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
    Workstation Name: -
    Source Network Address: 127.0.0.1
    Source Port: 0
Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
Keep in mind that this is a local machine attempt.
Is this intended behavior or is there any setting for enabling the fetch of at least an Account Name or SID?
Thank you.
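For a log integration like the one described in the post above, the parser has to treat `-` and `NULL SID` in the "Account For Which Logon Failed" section as unknown and keep that section apart from Subject, which repeats the same field names. This is an added example, not part of the original post: the function names, the returned fields and the trimmed sample are assumptions, and the NTSTATUS names come from ntstatus.h.

```python
# NTSTATUS names (ntstatus.h) for the two codes in the posted event.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE",
            0xC0000380: "STATUS_SMARTCARD_WRONG_PIN"}
PLACEHOLDERS = {"-", "NULL SID"}  # what 4625 writes when a field is unknown

# Constructed sample: a subset of the message text from the post.
SAMPLE = r"""An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: ALEXPC$
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: -
Failure Information:
Status: 0xC000006D
Sub Status: 0xC0000380
Process Information:
Caller Process Name: C:\Windows\System32\svchost.exe
"""

def parse_sections(message):
    """Return {section: {field: value}}; placeholder values become None."""
    sections, current = {}, None
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")  # first colon only
        value = value.strip()
        if sep and not value:          # "Subject:" style header opens a section
            current = sections.setdefault(key, {})
        elif sep and current is not None:
            current[key] = None if value in PLACEHOLDERS else value
    return sections

def status_name(value):
    return NTSTATUS.get(int(value, 16), value) if value else None

def failed_logon(message):
    s = parse_sections(message)
    target = s.get("Account For Which Logon Failed", {})
    failure = s.get("Failure Information", {})
    return {
        # Subject is the requesting (machine) account: report it, never fall back to it.
        "target_user": target.get("Account Name"),
        "target_sid": target.get("Security ID"),
        "target_known": bool(target.get("Account Name") or target.get("Security ID")),
        "subject_user": s.get("Subject", {}).get("Account Name"),
        "status": status_name(failure.get("Status")),
        "sub_status": status_name(failure.get("Sub Status")),
        "caller": s.get("Process Information", {}).get("Caller Process Name"),
    }
```

Because field lookup is per section, the parser works on both the indented rendering and a flattened copy of the message; status codes it does not know are passed through as their hex string.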