Cannot Share External Hard Drive Over Network
OkayI have been troubleshooting this issue for hours andI am really at a loss of what to do next.I have connected an external hard drive to one of my computers. Then, I went into the Advanced Sharing options and turned on sharing. I ensured that another computer did not need a username/password to connect to my comptuer, and that Everyone had Full Control over the drive. Additionally, I turned on Network Discovery, File and Printer Sharing, Public Folder Sharing for my current profile (Home or Work). I did this on BOTH computers (the one that had the ext HD connected to it, and the other comptuer on the network that needed to connect to it).I always get some "Windows cannot access \\XXXX-PC\DriveName" When trying to connect, and some message about not having permission to access it, which is untrue, as I've made every possible adjustment to make it work. Hopefully one of you can point out something I am doing wrong. Thanks.
May 25th, 2009 9:29pm
tcheck8:Can you please post the exact phrasing of the message that says you don't have permission to access it? Also include any error codes or other details it may provide.Thank you,Nick
Free Windows Admin Tool Kit Click here and download it now
May 25th, 2009 10:55pm
What kind of hard drive do you have? Is it possible to have a "Lock" option on (like on usb pen drives)?Running Windows 7 RC1 32-bit on
AMD Athlon 64 X2 Dual Core 5000+ (2.70 GHz),
4 GB DDRII, onboard GeForce 6150SE nForce 430
May 25th, 2009 11:11pm
@Nick FV: The exact error message reads: Windows cannot access \\DEN-PC\NetworkYou do not have permission to access to \\DEN-PC\Network. Contact your network administrator to request access.For more information about permissions, see Windows Help and Support.@SavySB: It's a Westerdn Digital MyBook External Hard Drive...I don't believe it is possible to have a Lock option on, and I don't see one.
Free Windows Admin Tool Kit Click here and download it now
May 26th, 2009 4:06am
What about connecting using the administrative share name, i.e., \\SERVER\C$ and supplying any needed credentials? Also, with the firewall disabled?
May 26th, 2009 11:18am
Ensure that all of the computers are in the same Workgroup.Start>Right click>Computer>select Properties. You should be in Control Panel>System and Security>System. If the Workgroup name is different than the host computer click on the Change Settings and change the Workgroup name to match. Close out and reboot. You should be able to see the shared drive.
Free Windows Admin Tool Kit Click here and download it now
May 26th, 2009 3:52pm
@Ryan Capp: Do you mean typing the drive's location in Windows Explorer? If that's what you mean, I have tried that, and I am still denied access. And should the firewall really be an issue, as I only use Windows Firewall (and AVG Free's, if it even has one). I'll try disabling it and see if that works, though.@Nano Warp: I have checked, and they are both apart of the workgroup "WORKGROUP" I guess that's not the issue, either.It's so weird. Everything was working one day, but just randomly stopped.
May 26th, 2009 7:49pm
I'm assuming you're not using Windows Explorer then? If so, add the computer (\\DEN-PC) to Internet Explorer's trusted sites list.
Free Windows Admin Tool Kit Click here and download it now
May 26th, 2009 8:38pm
What OS is the host computer (the one with the external hard drive connected) and what OS is the computer that can't access the hard drive over the network? This might help us diagnose your problem.-Nick
May 27th, 2009 1:43am
@Ryan Capp: Yes, the only thing I was using to try and connect to the drive was via Windows Explorer. And I don't think it's an issue on the recipient computer, as it's the host computer that is denying access. I've switched the location of the drive (and put it on the recipient computer) and it still gave me an error. Maybe that detail will help. @Nick FV: Both computers are running the latest versions of Windows 7 RC.
Free Windows Admin Tool Kit Click here and download it now
May 27th, 2009 2:59am
Run this command from an elevated command prompt:wevtutil qe Security "/q:*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (band(Keywords,9007199254740992))]]" /f:text > C:\audit.txtThis will output all security audit failures and save it to C:\audit.txt with the newest events towards the bottom.EDIT: Forgot to mention to do it on the remote computer. You can try it on the sending end too, but I don't think it would throw a security failure audit since it's not the one processing the request.Sample event:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Moon
Account Domain: HOME
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: nobelium
Source Network Address: 192.168.1.2
Source Port: 58731
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
May 27th, 2009 3:47am
I ran that command and looked at the file. I did a Ctrl + F for "failed" and the search turned up empty.
Free Windows Admin Tool Kit Click here and download it now
May 27th, 2009 5:24am
Well they're all failures if it created the file, otherwise it would be blank. Post the file here when you have a chance.
May 27th, 2009 8:44am
You didn't specify which MyBook product that you have, but I don't think it matters. The drive has factory installed software (utilities). Also you may have software and photos stored on the drive. The new AUTOPLAY security features could be blocking the drive. Does the autoplay dialog appear when you connect it to the host computer?Do you actually need the utilities included with the drive?If you don't use the utilities, cut (ctrl-x) themfrom the drive and store them in a new folder on the main drive for possible future use. (WD also has the software available for download)Virus scan the drive to ensure it is clean. (Kaspersky has a technical preview available for Win 7. Search "Kaspersky-Win 7" to find thefree download)Check the drive in disk management. It is factory formatted in FAT 32. If that is still the case you may want to move your stored data and reformat the drive to NTFS. Go to Western Digital support for the product and search the knowledge base for ID 3322. ( Don't assign a drive letter during the process)I use generic external enclosures (e-Sata or usb) and raw hard drives to avoid these issues. I have connected and network shared all of my external drives without issue.It seems that you are at the try anything stage, so I thought I'd offer this after researching the drive product and Win 7 features. Good Luck!
Free Windows Admin Tool Kit Click here and download it now
May 27th, 2009 3:28pm
@Ryan Capp: The file is pretty huge, so I just copied/pasted the last few events. I tried doing them all, but my browser crashed on me.
Event[2659]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T16:46:49.159
Event ID: 4672
Task: Special Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Event[2660]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T17:08:46.150
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Brianna
Account Domain: LAPTOP1-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x950
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: 127.0.0.1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that accounts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[2661]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T17:08:46.150
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 7
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1000
Account Name: Brianna
Account Domain: LAPTOP1-PC
Logon ID: 0xd152ff
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x950
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2662]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T17:08:46.150
Event ID: 4634
Task: Logoff
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was logged off.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1000
Account Name: Brianna
Account Domain: LAPTOP1-PC
Logon ID: 0xd152ff
Logon Type: 7
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event[2663]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:28:38.104
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Brianna
Account Domain: LAPTOP1-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x950
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: 127.0.0.1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that accounts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[2664]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:28:38.104
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 7
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1000
Account Name: Brianna
Account Domain: LAPTOP1-PC
Logon ID: 0xd822a0
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x950
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2665]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:28:38.104
Event ID: 4634
Task: Logoff
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was logged off.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1000
Account Name: Brianna
Account Domain: LAPTOP1-PC
Logon ID: 0xd822a0
Logon Type: 7
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event[2666]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:30:08.145
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x518
Process Name: C:\Windows\System32\consent.exe
Network Information:
Network Address: ::1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that accounts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[2667]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:30:08.145
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xd9516a
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x518
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2668]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:30:08.145
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xd95182
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x518
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2669]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:30:08.145
Event ID: 4672
Task: Special Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xd9516a
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Event[2670]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:30:08.145
Event ID: 4634
Task: Logoff
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was logged off.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xd95182
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event[2671]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:31:33.681
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x348
Process Name: C:\Windows\System32\consent.exe
Network Information:
Network Address: ::1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that accounts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[2672]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:31:33.681
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xda5601
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x348
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2673]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:31:33.681
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xda560f
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x348
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2674]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:31:33.681
Event ID: 4672
Task: Special Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xda5601
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Event[2675]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:31:33.681
Event ID: 4634
Task: Logoff
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was logged off.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xda560f
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event[2676]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:33:42.140
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x15ac
Process Name: C:\Windows\System32\consent.exe
Network Information:
Network Address: ::1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that accounts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[2677]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:33:42.140
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xdc40ea
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x15ac
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2678]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:33:42.140
Event ID: 4624
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xdc4102
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x15ac
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[2679]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:33:42.140
Event ID: 4672
Task: Special Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xdc40ea
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Event[2680]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:33:42.140
Event ID: 4634
Task: Logoff
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account was logged off.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0xdc4102
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
@Nano Warp: I think this is a MyBook Essential. I removed all the utilities it came with, and have quick formatted the drive to NTFS several times. The only files I may have on the drive are partial backups that were interrupted (due to this networking problem). As for autoplay, the only thing that pops up when I plug in the drive is a little Windows dialog that asksme what I'd like to do; the only option is to view the files with Windows Explorer. I just ran a Disk Check for file system errors and bad sectors, and everything came up okay. There are no viruses on the drive, I know that. I recently bought a raw HD and enclosure for a friend, but since I have these, I really don't need anything like that at this time. I mean, really, this drive should work as well as any other, and for a time, it did.Oh, and another bit of information: I can access the DEN-PC Shared folder via the network (the one that is automatically setup in Windows), but not the external drive.
May 28th, 2009 5:49am
Whoops, that should be band(Keywords,4503599627370496):wevtutil qe Security "/q:*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (band(Keywords,4503599627370496))]]" /f:text > C:\audit.txtJust to make sure it collects logon information, enable logon auditing:http://technet.microsoft.com/en-us/library/cc787567(WS.10).aspx
Free Windows Admin Tool Kit Click here and download it now
May 28th, 2009 6:14am
Okay, I'll do this in a bit and let you know of my result. Thanks for all the help so far.
May 28th, 2009 6:25am
Event[14429]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:06:40.385
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Brianna
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: Account logon time restriction violation.
Status: 0xc000006e
Sub Status: 0xc000006f
Process Information:
Caller Process ID: 0x14cc
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14430]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:06:46.032
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Brianna
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: Account logon time restriction violation.
Status: 0xc000006e
Sub Status: 0xc000006f
Process Information:
Caller Process ID: 0x14cc
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14431]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:07:45.484
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Brianna
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: Account logon time restriction violation.
Status: 0xc000006e
Sub Status: 0xc000006f
Process Information:
Caller Process ID: 0x14cc
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14432]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:11.548
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14433]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:12.036
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14434]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:12.238
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Administrator
Account Domain:
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14435]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:12.270
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: ASPNET
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14436]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:12.582
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Brianna
Account Domain:
Failure Information:
Failure Reason: Account logon time restriction violation.
Status: 0xc000006e
Sub Status: 0xc000006f
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14437]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:12.628
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Guest
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xc000015b
Sub Status: 0x0
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14438]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:12.816
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14439]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:16.872
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14440]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:17.028
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Administrator
Account Domain:
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14441]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:17.074
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: ASPNET
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14442]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:17.262
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Brianna
Account Domain:
Failure Information:
Failure Reason: Account logon time restriction violation.
Status: 0xc000006e
Sub Status: 0xc000006f
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14443]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:17.293
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Guest
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xc000015b
Sub Status: 0x0
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14444]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:17.449
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14445]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-26T21:08:20.141
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-21-95786322-3910057392-393681453-1001
Account Name: Thomas
Account Domain: LAPTOP1-PC
Logon ID: 0x3adb8
Logon Type: 4
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xedc
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14446]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:30:08.145
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 11
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000010b
Sub Status: 0x0
Process Information:
Caller Process ID: 0x518
Caller Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14447]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:31:33.666
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 11
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000010b
Sub Status: 0x0
Process Information:
Caller Process ID: 0x348
Caller Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14448]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T19:33:42.140
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 11
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000010b
Sub Status: 0x0
Process Information:
Caller Process ID: 0x15ac
Caller Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14449]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T21:11:33.533
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 11
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000010b
Sub Status: 0x0
Process Information:
Caller Process ID: 0x1510
Caller Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event[14450]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2009-05-27T21:15:10.345
Event ID: 4625
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Failure
User: N/A
User Name: N/A
Computer: Laptop1-PC
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: LAPTOP1-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 11
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Thomas
Account Domain: LAPTOP1-PC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000010b
Sub Status: 0x0
Process Information:
Caller Process ID: 0xd88
Caller Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: LAPTOP1-PC
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested
The image was helpful, thanks.
Free Windows Admin Tool Kit Click here and download it now
May 28th, 2009 7:20am
Quickly scanning through, here arethe errors I see so far:Account logon time restriction violation. (5 events)Unknown user name or bad password. (8 events)Account currently disabled. (2 events)The user has not been granted the requested logon type at this machine. (2 events)An Error occured during Logon. (5 events)
May 28th, 2009 7:56am
Okay, I'm going back over and gathering more info:Administrator - Account currently disabled.ASPNET - Unknown user name or bad password.Brianna - Account logon time restriction violation.Guest - The user has not been granted the requested logon type at this machine.Thomas - Unknown user name or bad password.So whichever account you're using, that account needs to be one of the following:
Enabled
Added
Time unrestricted
EDIT: It looks like the account Thomas is first called by Explorer.exe using a Logon Type 4 (Network) and followed by Administrator and ASPNET.
Free Windows Admin Tool Kit Click here and download it now
May 28th, 2009 8:05am
Also, when you said you made it so you don't need a username/password, where exactly did you do so? Because I only recall anonymous network access to public folders, unless youallow everyone's permissions to apply to anonymous users:Network access: Let everyone's permissions apply to anonymous users This policy controls the access that anonymous users have once connected. In previous versions of Windows, anonymous users were provided with the SID for the Everyone group on the authentication token, allowing them to access everything that the Everyone group had access to. In Server 2003, the default configuration is to remove the Everyone group SID from the token generated for an anonymous user. This provides added protection for anonymous users attempting to access resources. Once this policy is set, anonymous users will only be able to access resources for which the anonymous user has been explicitly given permission.http://www.windowsecurity.com/articles/Anonymous-Connections.htmlThese are the only advanced sharing options I see:
May 28th, 2009 8:31am
The Administrator and ASPNET accounts were standard accounts when I installed Windows 7. I've left the Administrator account disabled (and ASPNET in its current state). Additionally, Brianna (Standard Account) used to have time restrictions, but they were removed a few days ago. I've used the account Thomas (Administrator Account) to try and access the drive, and I've still gotten that error message. And as for the Advanced sharing connections, here are my settings: Network discovery: On File and printer sharing: On Public folder sharing: On Media streaming: Off File sharing connections: Use 128-bit encryption Password protected sharing: Off HomeGroup connections: Allow Windows to manage homegroup connections I'll read up on that security article you gave me, too.
Free Windows Admin Tool Kit Click here and download it now
May 28th, 2009 6:04pm
Okay, I read that article, and I'm not really sure how it applies to me...Should I create an "Anonymous" group on the host computer, rather than just the original "Everyone?"
May 28th, 2009 6:21pm
If both computers are running Windows 7, I would just go ahead and use a HomeGroup and add the drive to one (or more) of my libraries. Otherwise, you'd have to set anonymous access to the everyone group using a security policy (or even better, createan accounton the computer which then can be set/scripted to auto-logon to the share).
Free Windows Admin Tool Kit Click here and download it now
May 28th, 2009 9:31pm
God, all this for a networked drive? Isn't Windows 7 supposed to be user friendly? I'm sure what I'm trying to do isn't that out of the ordinary, so it's odd that I'm having so much trouble. I'm trying to use this drive to backup all my computers in my home. I don't think the HomeGrouping thing will work for what I'm trying to do...or will it? And how would I go about setting anonymous access to the everyone group? That sounds like the best option for me.
May 28th, 2009 9:35pm
In the past I've just used one-task accounts for backup, e.g., BackupUser/somepass on the computer hosting the backupsand then just set the program to use the account (with the drive sharedonly for that account). If the program doesn't allow username/passwords you can just make a logon script that sets it:net use Z: \\backup-pc\backup/user:BackupUser "somepass"EDIT: What backup software are you planning to use anyway?EDIT2: Windows Backup allows for a username/password.
EDIT3: Just found some documentation stating that the Guest account must be enabled to use "Password protected sharing: off" feature. Although, I'd still just use a username/password on the remote machine and have the program specify credentials as you're not blowing all your security right out the door.
Free Windows Admin Tool Kit Click here and download it now
May 28th, 2009 9:46pm
Well, in order to even use password protected sharing, I would have to be able to first access the drive itself, which isn't even available now. Correct?And I am using Windows Backup, and since I turned off password protected sharing, I just used the logon credentials for the account on the remote computer. That's what Windows Help recommneded if I didn't have anything else to use...
May 29th, 2009 12:14am
It's forcing all connections through the guest account, which is disabled by default. I'd just turn password protected sharing back on and create a new account on the other machine just for backup.
Free Windows Admin Tool Kit Click here and download it now
May 29th, 2009 12:54am
Alright, I'll try this and let you know of my result.
May 29th, 2009 2:04am
It worked! I added a password protected Administrator account to the host computer, logged onto the remote computer (with the same username and password), and it authenticated flawlessly. Thank you so much for your help; it has *really* been appreciated. Now, off to search the forums for another issue I'm having... Thanks again!
Free Windows Admin Tool Kit Click here and download it now
May 29th, 2009 2:15am
It's stunning to read this log in regards to this issue. Windows really dropped the ball in regards to external drive backups. Why didn't they use the easy-to-use feature from the now-dead OneCare?
June 27th, 2010 6:19pm