How to track which process is failing logons?

Posted by Massimo on Server Fault See other posts from Server Fault or by Massimo
Published on 2010-05-07T15:09:20Z Indexed on 2010/05/07 15:18 UTC
Read the original article Hit count: 266

Filed under:
|
|
|
|

Windows Server 2003, VMWare VirtualCenter 2.5.

Something is continuously trying to log on to VirtualCenter using a disabled domain account; the failed logon attempts are logged by VirtualCenter in its own logs and by Windows in the Security event log. This happens roughly every minute or two. The source of the logon attempts is 127.0.0.1, so it must be some process running on the server itself.

There are no services running as this user account and no scheduled jobs on the system. The task manager doesn't show any proces running under this account, either.

The user account's name is nowhere to be found in the Registry.

But some process is trying to use it, and failing. It probably is not some critical process, as everything looks fine; it could be something that was installed long ago and forgotten there. Whatever it is, it probably is running under another user account (possibly a system one), but is trying to log on to VC using those credentials, which are probably saved in some configuration file, since they're not stored in the Registry.

How can I track which process is trying (and failing) those logon attempts, either using Windows or VirtualCenter?

© Server Fault or respective owner

Related posts about Windows

Related posts about vmware