IP address shows as a hyphen for failed remote desktop connections in Event Log

Posted by PsychoDad on Stack Overflow See other posts from Stack Overflow or by PsychoDad
Published on 2012-03-25T19:29:42Z Indexed on 2012/10/21 23:01 UTC
Read the original article Hit count: 234

I am trying to figure out why failed remote desktop connections (from Windows remote desktop) show the client ip address as a hyphen. Here is the event log I get when I type the wrong password for an account (the server is completely external to my home computer):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-25T19:22:14.694177500Z" />
    <EventRecordID>1658501</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="12880" />
    <Channel>Security</Channel>
    <Computer>[Delete for Security Purposes]</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">[Delete for Security Purposes]</Data>
    <Data Name="TargetDomainName">[Delete for Security Purposes]</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">MyComputer</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

Have found nothing online and am trying to stop terminal services attacks. Any insight is appreciated, I have found nothing online after several hours of seraching...

© Stack Overflow or respective owner

Related posts about windows-server-2008

Related posts about event-log