Q

How to solve Windows security log mysteries

Don't rule out malware when faced with peculiar security log entries. Get to the bottom of logged events with this Windows security advice.

I see the following in the Windows security log of an XP system.

Event ID: 529
Logon Failure
Reason: Unknown user name or bad password.
User Name: 1A
Domain: Joejj21~Bcd
Logon Type: 2
logon Process:
Authentication Package: Negotiate
Workstation Name: XPSystem

It appears to me that the domain user is logging on to this system and typing the password together with the username.

I am puzzled as to why I would see "Joejj21~Bcd" in the Domain field instead of our domain name. Is someone trying to access another domain or is this a bug in Microsoft?

I also see Event ID 537 with the same User Name: 1A and Domain: Joejj21~Bcd when Event ID 529 occurred in the security log.

With something this odd, the first thing I'd do is scan the system for malware (viruses, spyware and rootkits). After that, you could look at the computer configuration (System/Computer Name) to ensure everything is set properly. Also, try searching the registry (via regedit) for the Joejj21~Bcd string to see if it's stored in any of the keys.

This was first published in November 2007
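
The following is an added example, not part of the original question or answer: a Python sketch that scans exported Event ID 529 records in the field layout quoted in the question and reports those whose Domain is neither an expected domain nor the machine's own name, which is the anomaly the asker describes. The domain name CORP, the function names and the second and third sample records are assumptions made up for illustration; reported values are masked because the asker suspects a password was typed into the logon fields.

```python
import re

# Constructed sample: the first record reuses the values quoted in the question;
# the other two are made up for contrast. "CORP" is an assumed domain name.
SAMPLE_LOG = """\
Event ID: 529
User Name: 1A
Domain: Joejj21~Bcd
Workstation Name: XPSystem

Event ID: 529
User Name: jsmith
Domain: CORP
Workstation Name: XPSystem

Event ID: 529
User Name: Administrator
Domain: XPSYSTEM
Workstation Name: XPSystem
"""

FIELD = re.compile(r"^([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_records(text):
    """Split blank-line-separated records into {lowercased field: value} dicts."""
    return [{k.strip().lower(): v.strip() for k, v in FIELD.findall(block)}
            for block in re.split(r"\n\s*\n", text.strip())]

def mask(value):
    """Keep only the first character and the length; the value may be a mistyped secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""

def odd_domain_failures(text, expected_domains):
    """Return masked 529 records whose Domain is not an expected domain or the local machine name."""
    known = {d.lower() for d in expected_domains}
    hits = []
    for rec in parse_records(text):
        if rec.get("event id") != "529":
            continue
        domain = rec.get("domain", "")
        # Local-account logons carry the computer name in the Domain field.
        allowed = (known | {rec.get("workstation name", "").lower()}) - {""}
        if domain.lower() not in allowed:
            hits.append({"user": mask(rec.get("user name", "")), "domain": mask(domain)})
    return hits

if __name__ == "__main__":
    print(odd_domain_failures(SAMPLE_LOG, ["CORP"]))
```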
