microsoft.public.windowsxp.security_admin
back to index
From: "Allan"
Date: Tuesday, October 30, 2007 12:11 AM
Subject: Re: Event 627 Failure of Change Password Attempt
"kn0tu"
news:3E9C3C41-7B7B-4E63-989A-EBDF9D27C8C0@microsoft.com...
> Allan,
>
> 1. During all of this the guest account was disabled. I never enabled it.
> 2. I changed the PW to the guest account immediately after loading
> Windows.
> I was running as Administrator. I have never changed it again.
>
> Thanks for your thoughts, they have helped me double check my work.
>
> --
> kn0tu
>
>
> "Allan" wrote:
>
>>
>> "kn0tu"
>> news:7784712C-A0D2-448B-9780-29907C92B7B0@microsoft.com...
>> >I am getting dozens of these entries in the Security Log with both
>> >Guest
>> >and
>> > ASPNET. This leads me to believe my machine has been hacked. Is this
>> > true?
>> >
>> > My machine is a Pentium 4 running XP SP2 Home and is up to date with
>> > patches, or so Microsoft Baseline Security Analyzer says. I have a
>> > firewall
>> > security suite which has a anti-virus component and it is up to date as
>> > well
>> > with about 276,000 signatures.
>> >
>> > The events I am getting are:
>> >
>> >
>> > Event Type: Failure Audit
>> > Event Source: Security
>> > Event Category: Account Management
>> > Event ID: 627
>> > Date: 10/20/2007
>> > Time: 8:19:42 PM
>> > User: GATEWAY-DESKTOP\Owner
>> > Computer: GATEWAY-DESKTOP
>> > Description:
>> > Change Password Attempt:
>> > Target Account Name: Guest
>> > Target Domain: GATEWAY-DESKTOP
>> > Target Account ID: GATEWAY-DESKTOP\Guest
>> > Caller User Name: Owner
>> > Caller Domain: GATEWAY-DESKTOP
>> > Caller Logon ID: (0x0,0x11346)
>> > Privileges: -
>> >
>> >
>> > For more information, see Help and Support Center at
>> > http://go.microsoft.com/fwlink/events.asp.
>> >
>> >
>> > I have noticed other things like when I go to My Computer>Manage there
>> > is
>> > no way to set or modify privileges. Is this restricted in XP Home?
>> > --
>> > kn0tu
>> If you are not using the Guest account it can be disabled. If you want to
>> investigate this problem try logging on as an Administrator and changing
>> the
>> password on the Guest account. If that works properly (you may want to
>> look
>> in Event Viewer again) there may indeed be something wrong with your
>> software. I don't have any idea what to do about ASPNET logins.
>>
>>
It is good to know that the Guest account has been disabled and/or a
password has been set on it. I am actually more inclined to think that this
may be a programming error but not necessarily a dire security threat. If
you want to verify further that your settings have not been modified, try
downloading and running HijackThis :
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis . I
installed it on my own machine this evening in order to try it out and after
reading your posts. You may want to review all application programs that are
installed and that run at startup automatically. By the way, do you have a
local network set up?
Have you ever run the Belarc Advisor to inventory/audit your computer ? Try
this link : http://www.belarc.com/free_download.html . Install the Advisor
and review the output, printed out if desired.
