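During a 4625 Windows event (logon failure) like the one shown below, who actually entered the wrong credentials?
a) Was it the user logged on to the computer as paulb who mistyped the admin-user credentials?
Or b) was it the user logged on as admin-user who mistyped paulb's credentials?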
WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
M-P-BO-SOA1: An account failed to log on.
Subject:
Security ID: S-1-4-11-123456789-123456789-123456789-1234
Account Name: admin-user
Account Domain: WINSERVER01
Logon ID: 0x6772f
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: paulb
Account Domain:
Failure Information:
Failure Reason: %%2313
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xfb8
Caller Process Name: C:\Windows\System32\dllhost.exe
Network Information:
Workstation Name: WINSERVER01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
Answer 1
The account admin-user (the Subject) attempted to log on interactively (Logon Type 2) as paulb and failed because of a wrong password (0xC000006d/0xC000006A).
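
The reading given in the answer, as an added example that is not part of the original post: a Python parser that separates the Subject (the account that requested the logon) from the account the logon was attempted as, and decodes the Logon Type and Sub Status. The sample text is the question's event abridged to the relevant fields; the function names and lookup tables are this example's own.

```python
import re

# Constructed sample: the question's event, abridged, one field per line.
SAMPLE_4625 = """An account failed to log on.
Subject:
Account Name: admin-user
Account Domain: WINSERVER01
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: paulb
Account Domain:
Failure Information:
Status: 0xc000006d
Sub Status: 0xc000006a
"""

SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information"}
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote interactive"}
SUB_STATUS = {0xC000006A: "wrong password", 0xC0000064: "no such user",
              0xC0000072: "account disabled", 0xC0000234: "account locked out"}

def parse_4625(text):
    """Group 'Key: value' lines under the section header that precedes them."""
    event, section = {}, ""
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue                      # free text such as the first line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in SECTIONS and not value:
            section = key                 # header line opens a new section
            continue
        if key == "Logon Type":           # top-level field, not part of Subject
            section = ""
        event.setdefault(section, {})[key] = value
    return event

def who_failed(text):
    """Return who asked for the logon, which account was tried, and why it failed."""
    ev = parse_4625(text)
    ltype = int(ev[""]["Logon Type"])
    sub = int(ev["Failure Information"]["Sub Status"], 16)
    return {"requested_by": ev["Subject"]["Account Name"],
            "attempted_as": ev["Account For Which Logon Failed"]["Account Name"],
            "logon_type": LOGON_TYPES.get(ltype, f"type {ltype}"),
            "reason": SUB_STATUS.get(sub, hex(sub))}
```

Keeping the two "Account Name" fields in separate sections is the point: a flat key/value parse would let paulb overwrite admin-user and lose the distinction the question asks about.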