JSI Tip 4716. Windows XP records multiple logon audit events when the welcome screen is enabled?


When you audit logons, and have the welcome screen enabled on your Windows XP Professional, you may record Security events that are similar to:

Event Type: Failure Audit 
Event Source: Security 
Event Category: Logon/Logoff 
Event ID: 529 
Date: date 
Time: time 
User: NT AUTHORITY\SYSTEM 
Computer: <Computer Name> 
Description: Logon Failure 
Reason: Unknown user name or bad password 
User Name: <User Name> 
Domain: <Computer Name> 
Logon Type: 2 
Logon Process: Advapi 
Authentication Package: Negotiate 
Workstation Name: <Computer Name> 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. 


Event Type: Failure Audit 
Event Source: Security 
Event Category: Account Logon 
Event ID: 680 
Date: date 
Time: time 
User: NT AUTHORITY\SYSTEM 
Computer: <Computer Name> 
Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 
Logon account: <User Name> 
Source Workstation: <Computer Name> 
Error Code: 0xC000006A 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. 


Event Type: Success Audit 
Event Source: Security 
Event Category: Account Logon 
Event ID: 680 
Date: date 
Time: time 
User: NT AUTHORITY\SYSTEM 
Computer: <Computer Name> 
Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 
Logon account: <User Name> 
Source Workstation: <Computer Name> 
Error Code: 0x0 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Windows XP performs a limited logon for each account that is listed on the Welcome screen, so it will knows whether to prompt for a password.

If you don't want these events, disable the Welcome screen and use the Classic logon screen, or turn off auditing of logon/logoff events:

1. Start / Run / gpedit.msc / OK.

2. Navigate to Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policy \ Audit Policy

3. Double-click Audit logon events and clear the Success and Failure boxes.

4. Press OK.


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish