How to solve Windows security log mysteries

How to solve Windows security log mysteries

I see the following in the Windows security log of an XP system.

Event ID: 529
Logon Failure
Reason: Unknown user name or bad password.
User Name: 1A
Domain: Joejj21~Bcd
Logon Type: 2
logon Process:
Authentication Package: Negotiate
Workstation Name: XPSystem

It appears to me that the domain user is logging on to this system and typing the password together with the username.

I am puzzled as to why I would see "Joejj21~Bcd" in the Domain field instead of our domain name. Is someone trying to access another domain or is this a bug in Microsoft?

I also see Event ID 537 with the same User Name: 1A and Domain: Joejj21~Bcd when Event ID 529 occurred in the security log.

    Requires Free Membership to View

    Login

    When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by IT professionals today working with desktop management and security technologies.

    Margie Semilof, Editorial Director

    By submitting your registration information to SearchEnterpriseDesktop.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchEnterpriseDesktop.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

With something this odd, the first thing I'd do is scan the system for malware (viruses, spyware and rootkits). After that, you could look at the computer configuration (System/Computer Name) to ensure everything is set properly. Also, try searching the registry (via regedit) for the Joejj21~Bcd string to see if it's stored in any of the keys.

This was first published in November 2007

Back to top