How to find the process which locked user on Windows 7?
  • How to find the process which locked user on Windows 7?

    With lockoutstatus.exe I've narrowed down which DC the user is locked out on.
    With Event Viewer and the security log, I've found out that it's his computer.

    But how do I find the process which is doing this? The OS is Windows 7 x64 and alockout.dll doesn't work. I've tried to copy the .dll and import the .reg, but it gives a blank txt file in %systemroot%/debug

    Just to be more informative, the user gets locked out on his first login attempt every morning at 8 am, and it lasts for 30 minutes, then he can log in. During those 30 minutes, the security log gets the following events:
    680 - Logon attempt by MICROSOFT_AUTHENTICATION_PACKAGE (no workstation is specified, it's blank)
    675 - pre-authentication failed
    566 - Directory service access, with Default property set unixuserpassword user, access mask 0x100 (don't know what's that either)

    I suspect some virus or such, but don't know for sure.

    Any help is appreciated!

  • #2
    Re: How to find the process which locked user on Windows 7?

    If it is Windows 7, is there an entry under Control Panel - Credentials Manager?

    My client had this problem and, upon examining the security, found out it was Safari that kept sending the old password to our SharePoint server.

    It might be worth removing all browser cache, passwords and history as well.
    Hope it helps.

    • #3
      Re: How to find the process which locked user on Windows 7?

      Checked it at start, it's not that.

      • #4
        Re: How to find the process which locked user on Windows 7?

        Is the user account set as a service account? Check the Windows services to see if there is any service configured to run as that user.

        • #5
          Re: How to find the process which locked user on Windows 7?

          Do you have Services for Unix configured anywhere?
          Are you using a Squid proxy, or some other Linux-based server?
          Have you rationalised all the applications installed on the computer?
          Have you run malware scans on the computer?
          Does someone else logging on to the computer have the same issue?
          Does the user logging on to another computer have the same issue?
          Have you mirrored the port and run a network capture to see if it tells you anything?
          Is this a user with wireless by any chance? I have a vague memory of some sort of wireless driver that needs to come up before domain logon can work, and so needs domain credentials.
          Any scheduled tasks?
          Does MSConfig run as his username show anything?
          Please do show your appreciation to those who assist you by leaving Rep Point
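
The local checks suggested in posts #2, #4 and #5 (stored credentials, services, scheduled tasks), collected into one PowerShell 2.0 script for the affected Windows 7 machine. This is an added example, not part of any post in the thread; `jdoe` is a placeholder account name, and the `schtasks` column names assume an English-language Windows installation.

```powershell
# Added example: places on the workstation where a stale password for the
# locked-out account can be stored and replayed. Compatible with PowerShell 2.0.
# 'jdoe' is a placeholder; replace it with the affected user's logon name.
$Account = 'jdoe'

# Match DOMAIN\jdoe, .\jdoe, jdoe and jdoe@domain, but not e.g. jdoe2 or xjdoe.
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

# 1. Services configured to log on as the user (post #4).
#    Run from an elevated prompt so every service is visible.
Write-Output "== Services running as $Account =="
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, DisplayName, StartName, State |
    Format-Table -AutoSize

# 2. Scheduled tasks that run as the user (post #5).
#    Windows 7 has no Get-ScheduledTask cmdlet, so parse schtasks CSV output.
#    Repeated header rows in that output are dropped by the filter below.
Write-Output "== Scheduled tasks running as $Account =="
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object TaskName, 'Run As User', 'Task To Run', 'Next Run Time' |
    Format-List

# 3. Credentials saved in Credential Manager (post #2).
#    cmdkey only lists the vault of the user who runs it, so run this step
#    in the affected user's own session.
Write-Output "== Stored credentials for the current session =="
cmdkey.exe /list

# 4. Network connections of the current session and the account each one uses.
#    A mapped drive or printer connection saved with an old password retries
#    at logon. Also per-session: run as the affected user.
Write-Output "== Network connections for the current session =="
Get-WmiObject Win32_NetworkConnection |
    Select-Object LocalName, RemoteName, UserName, Persistent |
    Format-Table -AutoSize
```

Any hit in steps 1 to 3 is a candidate source of the failed authentications; updating or removing the saved password there and watching whether the 8 am lockout recurs confirms or rules it out.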