for a hotfix applicable to Microsoft Windows 2000 and Microsoft Windows XP.
on how to use the EventCombMT utility to search the event logs of multiple computers for account lockouts.
As per Microsoft: "The license metering client uses the currently logged on user account to authenticate and connect to the license metering server to copy log files. If that user's account is disabled, locked out, or otherwise invalid, the license metering client attempts hundreds of logon attempts on the license metering server, and this creates very large security log files". See ME287626 to fix this problem.
As per Microsoft: "If you try to open a Web site on a Microsoft Internet Information Services (IIS) Web server by using the FrontPage client while either the IUSR_computer or IWAM_computer account is turned off this event may be logged in your event log. This happens because the IUSR_computer and IWAM_computer accounts must be turned on for IIS to function correctly". See ME321448 for more details.
See "Trend Micro Support Solution ID: 1031378" if you tried to run the Trend Micro Vulnerability Scanner (TMVS).
From a newsgroup post, from a Microsoft Engineer: "Some rules of thumb:
1) Ignore single bad password events. If it only happens once, it's probably not worth investigating.
2) When examining logon failures, go to the workstation that is generating the bad requests and look for something there, particularly a service.
3) Don't assume it's a hacker until you rule out everything else".
From a newsgroup post, from a Microsoft Engineer:
"529 is a failure event (bad username or password) in the "Logon/Logoff" category of audits – it is generated when the creation of a logon session (and token) fails, on the machine where access was attempted.
681 is a failure event (account logon failure) in the "Account Logon" category of audits - it's generated when a security package authenticates your credentials. This occurs on the machine authoritative for the account being used - the local machine in the case of local accounts or a Domain Controller in the case of domain accounts. There is no corresponding logoff event for Account Logon events.
When you log on to a domain, it's typical to see both kinds of events on the DC and the first kind (logon/logoff) on the workstation. The DC generates an account logon event when it validates your credentials. The workstation generates a logon/logoff event when it receives the DC's response and allows you to log on. The DC then generates one or more logon/logoff events as your workstation connects to it to download your login scripts, user profile, etc".
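The rules of thumb and the 529/681 distinction quoted above can be applied as a triage pass over exported Security log records. The following is an added example, not code from the original page or from the quoted posts. It assumes a CSV export with the hypothetical columns `event_id`, `logged_on`, `account` and `workstation`; the sample rows are constructed, and the threshold of two attempts is an assumption standing in for "ignore single bad password events".

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real log data). Assumed columns:
#   event_id    - Security log event ID
#   logged_on   - computer whose Security log recorded the event
#   account     - account name used in the logon attempt
#   workstation - machine the request came from
SAMPLE = """\
event_id,logged_on,account,workstation
681,DC1,alice,WS01
529,WS01,alice,WS01
681,DC1,svc_backup,SRV07
529,DC1,svc_backup,SRV07
681,DC1,svc_backup,SRV07
529,DC1,svc_backup,SRV07
681,DC1,svc_backup,SRV07
528,DC1,bob,WS02
"""

FAILURE_IDS = {"529", "681"}  # the two failure events discussed on this page


def triage(csv_text, min_attempts=2):
    """Return repeated logon failures grouped by (workstation, account)."""
    per_id = defaultdict(lambda: defaultdict(int))  # key -> event_id -> count
    seen_on = defaultdict(set)                      # key -> logs holding the events
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] not in FAILURE_IDS:
            continue  # not a failure event covered here
        key = (row["workstation"].upper(), row["account"].lower())
        per_id[key][row["event_id"]] += 1
        seen_on[key].add(row["logged_on"].upper())

    findings = []
    for (workstation, account), counts in per_id.items():
        # One failed logon can appear as a 681 on the authoritative machine
        # and as a 529 where access was attempted. Heuristic (assumption):
        # take the larger per-ID count so the pair is not counted twice.
        attempts = max(counts.values())
        if attempts >= min_attempts:  # rule 1: skip one-off failures
            findings.append({"workstation": workstation, "account": account,
                             "attempts": attempts,
                             "logged_on": sorted(seen_on[(workstation, account)])})
    # Rule 2: the workstation field tells you which machine to inspect first.
    return sorted(findings, key=lambda f: -f["attempts"])


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['workstation']}: {f['attempts']} failures for {f['account']} "
              f"(recorded on {', '.join(f['logged_on'])})")
```

On the constructed sample, the single failure for `alice` is dropped, while the repeated failures for `svc_backup` point to `SRV07` as the machine to check for a service or scheduled job using stale credentials.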