⚑ Deus Ex Machina ➽ Eventlog Lookup

Deus Ex Machina » Eventlog » Event 100 - MSFTPSVC

MSFTPSVC - 100


Warning

Description »
The server was unable to logon the Windows NT account 'USER99' due to the following error: Logon failure: account currently disabled.  The data is the error code.
Data formatted as » WORDS
0000: 00000533 

This event is logged when the FTP service is unable to log a user account on. In this example, the reason is that the account has been disabled. The data section reflects this (0x533 = decimal 1331 = Logon failure: account currently disabled).

You might also see other text in this event. For example, you may see The server was unable to logon the Windows NT account 'USER42' due to the following error: Logon failure: unknown user name or bad password - which would be accompanied by 0x52e in the data section (decimal 1326 = Logon failure: unknown user name or bad password).

The event ID remains the same if the FTP service is unable to authenticate an account, regardless of the reason for the failure.

At the same time (depending on your audit policy) you should see events 529 and 680 in the security log, which show you a little bit more information:

Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff 
Event ID:	529
Date:		14/01/2012
Time:		20:00:32
User:		NT AUTHORITY\SYSTEM
Computer:	FTPSERV08
Description:
Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	USER42
 	Domain:		NTDOMAIN
 	Logon Type:	8
 	Logon Process:	IIS     
 	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 	Workstation Name:	FTPSERV08
 	Caller User Name:	FTPSERV08$
 	Caller Domain:	NTDOMAIN
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	1932
 	Transited Services:	-
 	Source Network Address:	-
 	Source Port:	-



Event Type:	Failure Audit
Event Source:	Security
Event Category:	Account Logon 
Event ID:	680
Date:		14/01/2012
Time:		20:00:32
User:		NT AUTHORITY\SYSTEM
Computer:	FTPSERV08
Description:
Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	USER42
 Source Workstation:	FTPSERV08
 Error Code:	0xC000006A

Here, the NTSTATUS code of C000006A tells us the problem - the password is wrong (STATUS_WRONG_PASSWORD).