
I have this problem I just can't seem to find the source of. My AD account keeps getting locked. Using LockoutStatus and looking at the netlogon log, I figured out which PC it is. I know which process is locking me: spoolsv.exe. Spoolsv.exe is running as SYSTEM, not as me, but I get this log entry.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/28/2014 9:45:01 AM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      computer.MYDOMAIN.NET
Description:
A logon was attempted using explicit credentials.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x79F5
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:       [email protected]
    Account Domain:     
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: FILESERVER.MYDOMAIN.NET
    Additional Information: FILESERVER.MYDOMAIN.NET

Process Information:
    Process ID:     0x544
    Process Name:       C:\Windows\System32\spoolsv.exe

Network Information:
    Network Address:    -
    Port:           -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4648</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-28T13:45:01.502850800Z" />
    <EventRecordID>308669</EventRecordID>
    <Correlation />
    <Execution ProcessID="784" ThreadID="5280" />
    <Channel>Security</Channel>
    <Computer>computer.MYDOMAIN.NET</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x79f5</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetUserName">[email protected]</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetServerName">FILESERVER.MYDOMAIN.NET</Data>
    <Data Name="TargetInfo">FILESERVER.MYDOMAIN.NET</Data>
    <Data Name="ProcessId">0x544</Data>
    <Data Name="ProcessName">C:\Windows\System32\spoolsv.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

I have no idea at all how to fix this. Thanks for any help you can give me.

  • 1
    Are you logged into "computer.MYDOMAIN.NET" when this happens? Any services on the computer set to login using the "[email protected]"? Have you scanned for Malware yet? Commented Mar 28, 2014 at 15:29
  • No I'm not; someone else is logged in as another AD user, and no services are set to log in as user "[email protected]". Yes, I did scan for malware, with multiple scanners and even using a boot disk to check for rootkits. The print spooler is started as SERVICE. Commented Mar 28, 2014 at 16:34
  • 4648 A logon was attempted using explicit credentials. See here: ultimatewindowssecurity.com/securitylog/encyclopedia/… This event is logged anytime an auth request is made using credentials that are different from the login used on the local machine.
    – MaQleod
    Commented Mar 28, 2014 at 16:37
  • I found that information too; my question is why spoolsv.exe is using those credentials, and how do I tell it not to use them anymore? Commented Mar 28, 2014 at 16:38
  • 3
    That is the print spooler. If you've printed using your AD credentials (say to a network printer on the domain), then spoolsv.exe will be using those credentials in order to complete your print request.
    – MaQleod
    Commented Mar 28, 2014 at 16:42
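As an added example (not code from the question or the answers), here is a Python script that parses 4648 event XML like the one above and flags records where a NULL SID subject supplied the locked account's credentials to a target server, then counts them by workstation, process and target so the offending PC and process stand out. The two sample events, the account `user@MYDOMAIN.NET` and the second event's values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"  # the "NULL SID" subject seen in the question's event

# Constructed sample modelled on the event in the question; not a real capture.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4648</EventID><TimeCreated SystemTime="2014-03-28T13:45:01Z"/>
 <Computer>computer.MYDOMAIN.NET</Computer></System><EventData>
 <Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="TargetUserName">user@MYDOMAIN.NET</Data>
 <Data Name="TargetServerName">FILESERVER.MYDOMAIN.NET</Data>
 <Data Name="ProcessName">C:\\Windows\\System32\\spoolsv.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4648</EventID><TimeCreated SystemTime="2014-03-28T13:46:10Z"/>
 <Computer>computer.MYDOMAIN.NET</Computer></System><EventData>
 <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data><Data Name="TargetUserName">other@MYDOMAIN.NET</Data>
 <Data Name="TargetServerName">PRINTSRV.MYDOMAIN.NET</Data>
 <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data></EventData></Event>
</Events>"""

def parse_4648(xml_text):
    """One dict per 4648 event from a single <Event> or a wrapper of many."""
    root = ET.fromstring(xml_text)
    events = [root] if root.tag.endswith("}Event") else root.findall("e:Event", NS)
    records = []
    for ev in events:
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4648":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            "computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
            "subject_sid": data.get("SubjectUserSid", ""),
            "target_user": data.get("TargetUserName", ""),
            "target_server": data.get("TargetServerName", ""),
            "process": data.get("ProcessName", ""),
        })
    return records

def stored_credential_suspects(records, locked_account):
    """Events where a NULL SID subject (no caller token, e.g. a service) supplied the locked account's credentials."""
    acct = locked_account.lower()
    return [r for r in records
            if r["subject_sid"] == NULL_SID and r["target_user"].lower() == acct]

def summarize(suspects):
    """Count by (computer, process, target server) so the offending PC and process stand out."""
    return Counter((r["computer"], r["process"], r["target_server"]) for r in suspects)
```

Feed it the XML exported from Event Viewer (the "Event Xml" block above, or a wrapper of many such events) and the summary points at the workstation, process and target server to check for stored credentials.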

2 Answers

This is commonly from cached credentials used to access a network resource (as noted in the comments).

You can remove the authenticated credentials from:

Control Panel\All Control Panel Items\User Accounts

Click the username. To the left you will see "Manage your credentials". From that, select the share/resource name and remove it.

You will need to find any and all systems that use the credentials.

  • I have already emptied my Credential Vault and that of the user who locks me. Doesn't fix the problem. Commented Mar 28, 2014 at 18:15
  • How do I do that? And as you have seen from the event, I know that spoolsv.exe is contacting the file server with my credentials, but how and why does it call it using my credentials? Commented Mar 28, 2014 at 19:37
  • 1
    Have you cleared it from all possible workstations? It would likely be a shared printer you accessed from a computer other than your usual one. Any chance you run a virtual machine somewhere? I have seen a copied VM cause this.
    – Dave M
    Commented Mar 28, 2014 at 20:15
  • I was able to really identify that station as the problem by correlating my lockout with printing something or even just looking at printer properties. I don't get locked if that PC is not running. There is no VM on any PC here; I run some, but they were all shut down. The fix will be to reinstall everything on that PC, which should fix it, but I'd rather figure out what is happening. Commented Mar 28, 2014 at 20:42

Try

psexec -i -s -d cmd
cmdkey /list

This shows whether the SYSTEM account has any credentials stored; remove them with cmdkey /delete:target

e.g.

cmdkey /delete:192.168.1.2
  • This is a great command. I did not know about it. Unfortunately it did not fix my issue and only replicates what you see by looking in the Credential Vault. Commented Jan 30, 2015 at 15:29
