Problem solve Get help with specific problems with your technologies, process and projects.

How to solve Windows security log mysteries

Don't rule out malware when faced with peculiar security log entries. Get to the bottom of logged events with this Windows security advice.

I see the following in the Windows security log of an XP system.

Event ID: 529
Logon Failure
Reason: Unknown user name or bad password.
User Name: 1A
Domain: Joejj21~Bcd
Logon Type: 2
logon Process:
Authentication Package: Negotiate
Workstation Name: XPSystem

It appears to me that the domain user is logging on to this system and typing the password together with the username.

I am puzzled as to why I would see "Joejj21~Bcd" in the Domain field instead of our domain name. Is someone trying to access another domain or is this a bug in Microsoft?

I also see Event ID 537 with the same User Name: 1A and Domain: Joejj21~Bcd when Event ID 529 occurred in the security log.

With something this odd, the first thing I'd do is scan the system for malware (viruses, spyware and rootkits). After that, you could look at the computer configuration (System/Computer Name) to ensure everything is set properly. Also, try searching the registry (via regedit) for the Joejj21~Bcd string to see if it's stored in any of the keys.

Dig Deeper on Endpoint security management tools

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.