Windows 7 Forums


Windows 7: Unknown Logon from a PC in my network

1 Week Ago   #1
Microbell

Windows 7 Pro 64bit SP1+Updates
 
 
Unknown Logon from a PC in my network

Greetings Gents,

I have an issue I'm trying to resolve with a logon (Type 3) from another PC (In my Workgroup) through my network to my main PC and can't seem to prevent this logon from occurring through the Local Security Policy settings so I don't know if it's a normal Windows process from the networked PC or an outside force attempting to attack my highly secured PC through the network homegroup.

Network:

All 3 PCs running Windows 7 Pro 64 bit and Ultimate 32 bit connected to a router.... Cisco DPC3848VM which also controls 3 TIVO boxes and the main PC is sharing NOTHING with the other PCs. Two PCs are direct connect through ethernet cable and the problem PC through wireless TPCLink network card. Below is the event log I'm addressing.

Code:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		ANONYMOUS LOGON
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0x4e2d2
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V1
	Key Length:		0

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4624</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>12544</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2017-08-12T17:38:51.393200100Z" /> 
  <EventRecordID>52245</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="808" ThreadID="884" /> 
  <Channel>Security</Channel> 
  <Computer>Microbell-PC</Computer> 
  <Security /> 
  </System>
  <EventData>
  <Data Name="SubjectUserSid">S-1-0-0</Data> 
  <Data Name="SubjectUserName">-</Data> 
  <Data Name="SubjectDomainName">-</Data> 
  <Data Name="SubjectLogonId">0x0</Data> 
  <Data Name="TargetUserSid">S-1-5-7</Data> 
  <Data Name="TargetUserName">ANONYMOUS LOGON</Data> 
  <Data Name="TargetDomainName">NT AUTHORITY</Data> 
  <Data Name="TargetLogonId">0x4e2d2</Data> 
  <Data Name="LogonType">3</Data> 
  <Data Name="LogonProcessName">NtLmSsp</Data> 
  <Data Name="AuthenticationPackageName">NTLM</Data> 
  <Data Name="WorkstationName" /> 
  <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> 
  <Data Name="TransmittedServices">-</Data> 
  <Data Name="LmPackageName">NTLM V1</Data> 
  <Data Name="KeyLength">0</Data> 
  <Data Name="ProcessId">0x0</Data> 
  <Data Name="ProcessName">-</Data> 
  <Data Name="IpAddress">-</Data> 
  <Data Name="IpPort">-</Data> 
  </EventData>
  </Event>

I have several of these in Event Viewer and notice the Logon IDs tend to change...

Logon ID: 0x3c7d85b
Logon ID: 0x3b39a89
Logon ID: 0x3b39a65
Logon ID: 0x39b183f

I've disabled the Guest Account and show only one account as being active and made sure no drive was sharing anything. Ran many tools on the problem PC which includes FRST (deep scan tool) looking for malware/hacks and can find nothing. I can't find anything in Wireshark logs that shows data is being moved but with the damn TIVO boxes talking all the time it's hard to weed through the logs even when you try and filter it.

Going backward through event logs this started around 6-25-2017 and I had no previous entries and no changes to the network or homegroup.

Anyone have an idea on what's going on? Can supply more info if needed. Please move the post to the correct subforum if I've posted in the wrong place.


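A way to triage the events described in the post above, as an added example that is not part of the original thread: this PowerShell script lists every 4624 event for the ANONYMOUS LOGON SID (S-1-5-7) with Logon Type 3 and groups them by source address, workstation name and NTLM package, so any entry that does carry a source stands out. It assumes an elevated prompt on the affected PC; the variable and column names are illustrative.

```powershell
# Added example (not from the thread): list anonymous network logons in the Security log.
# Run from an elevated PowerShell prompt; reading the Security log needs admin rights.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Build a name -> value table from the <Data Name="..."> elements of the event XML
    $data = @{}
    foreach ($node in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }

    # Keep only Logon Type 3 for the ANONYMOUS LOGON SID, as in the posted event
    if ($data['TargetUserSid'] -eq 'S-1-5-7' -and $data['LogonType'] -eq '3') {
        New-Object PSObject -Property @{
            Time        = $ev.TimeCreated
            LogonId     = $data['TargetLogonId']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            SourcePort  = $data['IpPort']
            NtlmPackage = $data['LmPackageName']
        }
    }
}

if ($rows) {
    # Chronological list: compare the timestamps with boot and logon times of this PC
    $rows | Sort-Object Time |
        Select-Object Time, LogonId, Workstation, SourceIp, SourcePort, NtlmPackage |
        Format-Table -AutoSize

    # Counts per source: rows with a real address or workstation name stand out here
    $rows | Group-Object SourceIp, Workstation, NtlmPackage |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
} else {
    'No Logon Type 3 events for S-1-5-7 found in the Security log.'
}
```

Each logon session is assigned its own Logon ID, so the chronological list is the part to line up against power-on times and against the Wireshark capture.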
1 Week Ago   #2
samuria

win 8 32 bit
 
 

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers.
1 Week Ago   #3
Microbell

Windows 7 Pro 64bit SP1+Updates
 
 

Quote: Originally Posted by samuria
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers.
Thanks.

I do understand why it's being logged as type 3 but that still does not explain how other PC's that are powered off are logging on and as stated in my last post... all Sharing folders/drives/printers are OFF. For example I just powered up and have this listed again. All other PC's on the network are OFF.....meaning no other PC should be able to log on to this PC while powered OFF.

Correct?

Is this unknown account part of a "Super Account" on the base PC that I can't see and if it is would it not be logged under another type....say Type: 5, 2 or 4?

Or

Is it an attack from outside my network? This PC is pretty much locked down with Antivirus, Firewall, Sharing disabled and I'm constantly running tools and scans looking for new files/folders created and such so I'm pretty sure it's not malware on the PC.

Side Note:

I just removed myself (left) the Workgroup and renamed my local Workgroup and that event still occurs.

1 Week Ago   #4
samuria

win 8 32 bit
 
 

Could it come from the router?
1 Week Ago   #5
Microbell

Windows 7 Pro 64bit SP1+Updates
 
 

Quote: Originally Posted by samuria
Could it come from the router?
Not sure...but would it not leave the router's IP address and not a blank space? I locked some more stuff down in the Local Security Policy and removed some user groups (Everyone) on some of the drives and thought I might have it.

My logs last night only showed 3 failed logons from the deactivated "Guest" account (NONE today) by the time I was done but after logon today I had this....

Code:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		ANONYMOUS LOGON
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0x4605f
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V1
	Key Length:		0

I checked to make sure I still had "ANONYMOUS LOGON" blocked in the policy and it was... so I have no clue how that user is logging in. During some of my research on this I guess sometimes Windows uses this "ANONYMOUS LOGON" to logon but leaves a trace on what requested it. What concerns me is all the "Blank" info as I can't locate what/who is logging in.
1 Week Ago   #6
samuria

win 8 32 bit
 
 

The "anonymous" logon has been part of Windows domains for a long time--in short, it is the permission that allows other computers to find yours in the Network Neighborhood, find what file shares or printers you are sharing, etc.

It is also why Windows admins say never to grant share permissions to the "Everyone" group (unless you know what you are doing), because "Everyone" also includes "no one"--er, ANONYMOUS. Rest assured that unless you

Anyway, in this case you probably want to lock it down with Registry settings or better yet, Local or Group Policies. Look in your policy editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options for the following options:

Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously
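The options listed in the post above can also be read straight from the registry. The following is an added example, not part of the original thread: it reports the registry values that back five of the six options and exports the local policy to read the sixth. The "Want" values are the restrictive settings assumed by this example, and the export file name is hypothetical.

```powershell
# Added example (not from the thread): read the values behind the "Network access" options.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Want = restrictive value assumed by this example; $null means "the list should be empty"
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts';            Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1 },
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'; Path = $lsa; Name = 'RestrictAnonymous';         Want = 1 },
    @{ Policy = 'Let Everyone permissions apply to anonymous users';             Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 },
    @{ Policy = 'Named Pipes that can be accessed anonymously';                  Path = $srv; Name = 'NullSessionPipes';          Want = $null },
    @{ Policy = 'Shares that can be accessed anonymously';                       Path = $srv; Name = 'NullSessionShares';         Want = $null }
)

$report = foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }

    if ($c.Want -eq $null) {
        # REG_MULTI_SZ list: restrictive when it has no non-empty entries
        $entries = @($value | Where-Object { $_ })
        $ok      = ($entries.Count -eq 0)
        $shown   = if ($ok) { '(empty)' } else { $entries -join ', ' }
    } else {
        # REG_DWORD: a missing value is shown as "(not set)" and counted as not matching
        $ok    = ($value -eq $c.Want)
        $shown = if ($value -eq $null) { '(not set)' } else { $value }
    }
    New-Object PSObject -Property @{ Policy = $c.Policy; Value = $shown; Restrictive = $ok }
}
$report | Select-Object Policy, Value, Restrictive | Format-Table -AutoSize

# "Allow anonymous SID/Name translation" is not a plain registry value; it appears as
# LSAAnonymousNameLookup (0 = disabled) in an exported security policy.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
Get-Content $cfg | Select-String 'LSAAnonymousNameLookup'
Remove-Item $cfg
```

These settings limit what an anonymous session can enumerate or open; they do not control whether event 4624 is written to the Security log.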
1 Week Ago   #7
Microbell

Windows 7 Pro 64bit SP1+Updates
 
 

Quote: Originally Posted by samuria
The "anonymous" logon has been part of Windows domains for a long time--in short, it is the permission that allows other computers to find yours in the Network Neighborhood, find what file shares or printers you are sharing, etc.

It is also why Windows admins say never to grant share permissions to the "Everyone" group (unless you know what you are doing), because "Everyone" also includes "no one"--er, ANONYMOUS. Rest assured that unless you

Anyway, in this case you probably want to lock it down with Registry settings or better yet, Local or Group Policies. Look in your policy editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options for the following options:

Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously

Thanks for the help Samuria....

Ok...this is what I have under those settings.....

Network access: Allow anonymous SID/Name translation [DISABLED]
Network access: Do not allow anonymous enumeration of SAM accounts [ENABLED]
Network access: Do not allow anonymous enumeration of SAM accounts and shares [DISABLED] <-----Needs Enabled*
Network access: Let Everyone permissions apply to anonymous users [DISABLED]
Network access: Named Pipes that can be accessed anonymously [BLANK SPACE nothing selected]
Network access: Shares that can be accessed anonymously [Not Defined]


So I only need to change the one with the * and that should lock down all users from accessing folders and files from the network? My goal here is to prevent outside network users whether on my network or internet from accessing all drives/folders on the PC as I've already removed myself from the home network (which should prevent that) and now dealing with internet/logon side of things.