Ask the Expert

How to solve Windows security log mysteries

I see the following in the Windows security log of an XP system.

Event ID: 529
Logon Failure
Reason: Unknown user name or bad password.
User Name: 1A
Domain: Joejj21~Bcd
Logon Type: 2
logon Process:
Authentication Package: Negotiate
Workstation Name: XPSystem

It appears to me that the domain user is logging on to this system and typing the password together with the username.

I am puzzled as to why I would see "Joejj21~Bcd" in the Domain field instead of our domain name. Is someone trying to access another domain or is this a bug in Microsoft?

I also see Event ID 537 with the same User Name: 1A and Domain: Joejj21~Bcd when Event ID 529 occurred in the security log.

With something this odd, the first thing I'd do is scan the system for malware (viruses, spyware and rootkits). After that, you could look at the computer configuration (System/Computer Name) to ensure everything is set properly. Also, try searching the registry (via regedit) for the Joejj21~Bcd string to see if it's stored in any of the keys.

This was first published in November 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: