How to determine why a user has failed to logon

By looking at the Security Event Log for Event ID 529.


In the example above, the user tried to log on to the computer while it was disconnected from the network.  You can tell this from the Logon Type of 11.

Other logon type values are as follows:

Logon Type  Description
2           Interactive (logon at the keyboard and screen of the system). Windows 2000 records Terminal Services logons as this type rather than Type 10.
3           Network (i.e. a connection to a shared folder on this computer from elsewhere on the network, or an IIS logon). Never logged by 528 on W2k and later; see event 540.
4           Batch (i.e. scheduled task)
5           Service (service startup)
6           Proxy
7           Unlock (i.e. unattended workstation with a password-protected screen saver)
8           NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with “basic authentication”)
9           New Credentials
10          RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11          CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop when away from the network)
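As an added example (not part of the original post), the following PowerShell pulls recent failed-logon events from the local Security log and decodes the Logon Type with the table above. It assumes an elevated Windows PowerShell 3.0 or later prompt. Event ID 529 is the Windows 2000/XP/2003 failed-logon event; 4625 is its Vista-and-later equivalent and carries the same “Logon Type:” line, so both IDs are queried.

```powershell
# Added example: decode the Logon Type of recent failed logons (Event ID 529,
# and its Vista+ successor 4625) using the table from the post.
# Assumes an elevated Windows PowerShell 3.0+ prompt.

$LogonTypeNames = @{
    2  = 'Interactive (keyboard and screen)'
    3  = 'Network (shared folder or IIS)'
    4  = 'Batch (scheduled task)'
    5  = 'Service (service startup)'
    6  = 'Proxy'
    7  = 'Unlock (password-protected screen saver)'
    8  = 'NetworkCleartext (e.g. IIS basic authentication)'
    9  = 'New Credentials'
    10 = 'RemoteInteractive (Terminal Services / Remote Desktop / Remote Assistance)'
    11 = 'CachedInteractive (cached domain credentials, e.g. laptop off the network)'
}

function Get-FailedLogon {
    param(
        [int[]]$EventId   = @(529, 4625),
        [int]$MaxEvents   = 200,
        [string]$Computer = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = $EventId }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            # Both 529 and 4625 write a "Logon Type:" line. 529 labels the account
            # "User Name:"; 4625 uses "Account Name:" twice (subject first, then the
            # account that failed), so the last match is the one we want.
            $type  = if ($msg -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] } else { -1 }
            $names = @([regex]::Matches($msg, '(?m)^\s*(?:User Name|Account Name):\s+(\S+)\s*$') |
                       ForEach-Object { $_.Groups[1].Value })
            $user  = if ($names.Count -gt 0) { $names[-1] } else { '?' }
            $ws    = if ($msg -match 'Workstation Name:\s+(\S+)') { $Matches[1] } else { '?' }
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                User        = $user
                Workstation = $ws
                LogonType   = $type
                Meaning     = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'unknown' }
            }
        }
}

# Which logon types are failing most? A burst of type 3 (network) failures from
# one workstation reads very differently from a single type 11 (cached) failure.
Get-FailedLogon | Group-Object LogonType, Meaning | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run `Get-FailedLogon | Format-Table -AutoSize` instead of the grouped summary when you want the individual events with user, workstation and timestamp.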

Reference: Auditing User Authentication

15 Password Managers

Sorry - Your Password Isn't Not Long Enough

You might have seen this cartoon here before, but it’s worth repeating, as it’s that time of month.  Some organisations require passwords that are longer than the 12-digit codes needed to arm a nuclear weapon.

I’m not the first to notice this. Jesper M. Johansson wrote about such un-actionable security advice in a Microsoft TechNet Magazine article series called Passwords and Credit Cards.

So how do people remember passwords?

  1. Write them down and stick them under a keyboard (aka Koolpin$Gorge*)
  2. Store them in a password spreadsheet/document?
  3. Use a password manager?

It’s option 3 for me.  I use the LastPass password manager. But here are some others to consider:

Name and download link | Comments | Free / Commercial?
1Password | Versions available for Macintosh, Windows, iPhone, iPad and Android.  It’s possible, via Dropbox, to sync your 1Password databases between your different systems. | $49.95
AcrylicApps Wallet | Mac and iOS only. | $9.99 (iOS), $19.85 (Mac)
LastPass | I use this.  There is a portable version called “LastPass Pocket”.  Does form-filling as well.  The Premium version adds mobile device support amongst other features. | Free version; Premium $12 per year.
KeePass | Open source.  Maintained. | Free
Microsoft Credential Manager | Included with Windows 7 and 8.  Stores Windows and website logons. | Free
PassBox | Windows only. | $5
Passgen | Written by the great Jesper M. Johansson.  Hosted by Steve Riley at his old Microsoft TechNet blog.  Not a password manager as such. |
Passpack | “Store logins to all online accounts. Share passwords on a need-to-know basis. 1 Click Login for everyone.”  They blog! (thanks Louise) | Non-free versions from $18 per year.
Password Gorilla | Windows and Mac. | Free
Password Manager XP | I know large companies which use this. | $24.95
Password Minder | Written by Keith Brown.  Worth a look.  Note: download link here. |
Password Safe | As mentioned by Jesper.  Open source. | Free
RoboForm | More of a "web form filling" application, but it stores passwords as well.  Multi-platform (i.e. iPhone/Windows/Macintosh/Linux).  RoboForm Everywhere adds multiple device support. | Free; RoboForm Everywhere $9.95 per year.
Sticky Password | Evolved from the multi-Pass password manager.  iPhone and Android versions available as well.  “Sticky Password is now also supporting Android as well and is cloud based with option to choose offline version for those who do not like to have their data being synced over the cloud.” | $12 per year.
UsableLogin | Generates unique secure passwords for each website you log in to.  Multi-platform. | Free

* A server, at a sensitive organisation, had its password stored under the server keyboard. Koolpin Gorge was where the server guy took his last annual leave.

edited 21 September: let’s make it 8 password managers, thanks for the comments folks.
edited 12 October: added Passgen tool description and link.
edited 27 May: added Password Minder.
edited 31st October: added Microsoft Credential Manager & Sticky Password
edited 7 May 2013: updated links/comments.  Added PassBox
edited 26 November 2013: Added Password Gorilla & Free/Commercial column.
edited 5 December 2013: Added AcrylicApps Wallet and updated the Sticky Password comments


Bypassing Internet Explorer Group Policy lockdowns.

We lock down Internet Explorer to prevent our non-IT-savvy staff from changing settings which will break their internet access.  We apply those same settings to ourselves, which isn’t as bad as it sounds: it ensures that when we make a Group Policy change, we’re impacted in the same way if it goes wrong.

But there are times when we need to bypass those settings.  One way we do that is by deleting the Group Policy registry keys which control Internet Explorer.  We put the following in a .reg file and execute it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

It works quite well.
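An added check, not part of the original post: the PowerShell below reports whether each Internet Explorer policy key that the .reg file above deletes is present, and how many policy values sit under it, so you can confirm on any machine whether the lockdown is in force or has been removed. It assumes Windows PowerShell and that it is run as the user whose HKCU hive you want to inspect.

```powershell
# Added example: audit the Internet Explorer Group Policy registry keys that the
# .reg file in the post deletes. Not from the original post.
$IePolicyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Internet Explorer',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-IePolicyState {
    foreach ($key in $IePolicyKeys) {
        if (Test-Path -Path $key) {
            # Count the registry values under the key and all of its subkeys.
            # (The registry provider exposes a key's value names via .Property.)
            $values = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse) |
                ForEach-Object { $_.Property } | Measure-Object |
                Select-Object -ExpandProperty Count
            $state = if ($values -gt 0) { 'applied' } else { 'present but empty' }
        } else {
            $values = 0
            $state  = 'missing (deleted, or policy never applied)'
        }
        [PSCustomObject]@{ Key = $key; Values = $values; State = $state }
    }
}

Get-IePolicyState | Format-Table -AutoSize

# To put the lockdown back after the bypass, re-apply Group Policy:
#   gpupdate /force
# which rewrites the policy keys regardless of whether the GPO has changed.
```

Running the check before and after the .reg file, and again after `gpupdate /force`, shows the keys disappearing and coming back, which is a quick way to confirm both that the bypass worked and that the policy restores itself.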

Broken websites, and Microsoft update KB2661254

Did you know that Microsoft invalidated (blocked the use of) security certificates with an RSA key length of less than 1024 bits?  And that they started doing this back in August 2012?  No, we missed that security bulletin too.  So we awoke to a broken website.
(It was the client PC which was broken, but everyone blames the website when they can’t get to it.)

That is, we had deployed KB2661254.

The first we heard of KB2661254 was when one of our support team logged a help desk call about the issue it causes: the helpful Internet Explorer certificate error screen.

A quick look at the website certificate details confirmed the actual problem: the certificate’s RSA key was shorter than the new minimum.

As this was an internal website, we were able to generate a new (larger) certificate fairly quickly.

Computer Associates eTrust ITM definitions not updating

I was researching (another) eTrust issue today, and found this (defunct) blog post by Brad Benner.  Thought I’d save it from the memory hole.

The virus definitions for one of our internal servers running Computer Associates eTrust ITM v8.0 hadn’t been updated since the last time we rebooted the server (about 45 days ago). I tried updating the definitions manually by right-clicking the eTrust ITM tray icon and clicking Download Updates Now and also restarting the eTrust ITM services – both to no avail.

In looking at the eTrust Distribution Events log, I noticed that the following message had been logged several times a day since the last server reboot:

An instance of the distribution program is running!


Active Directory User account being locked repeatedly

(I don’t know the answer to this yet, so this is just a dump of what I know.)

Customer reports that their Active Directory user account is being locked out two to three times a day.

  • They have “admin” rights on their PC.
  • They are using Microsoft SQL Management Studio, which may or may not be triggering the account lock.

Googling for some answers hasn’t been successful.  Here is some of what Google returned.

Microsoft Account Lockout and Management Tool & download link

Tool | Description
LockoutStatus.exe | Displays information about a locked-out account. It does this by gathering account lockout-specific information from Active Directory.
ALockout.dll | The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. The tool attaches itself to a variety of function calls that a process might use for authentication, then saves information about the program or process that is making those calls into the Systemroot\Debug\Alockout.txt file. (update 13 Sep 2012: sample log extract below.)
ALoInfo.exe | If account lockouts seem to happen most frequently after a user is forced to change their password, you may want to determine which users’ passwords are about to expire. You can use the ALoInfo.exe tool to display all user account names and the password age for those user accounts. This allows you to set up the ALockout.dll tool and other account lockout tools prior to the initial account lockout. You can also obtain a list of all local services and startup account information by using the ALoInfo.exe tool.
AcctInfo.dll | Adds new property pages to user objects in the Active Directory Users and Computers MMC snap-in. You can use these property pages to help isolate and troubleshoot account lockouts and to reset a user’s password on a domain controller in that user’s local site.
EventCombMT.exe | Gathers specific events from the event logs of several different computers into one central location. You can configure EventCombMT.exe to search for events and computers. Some specific search categories are built into the tool, such as account lockouts. Note that the account lockouts category is preconfigured to include events 529, 644, 675, 676, and 681.
NLParse.exe | Because Netlogon log files may become more than 10 MB in size, you may want to parse the files for the information that you want to view. You can use the NLParse.exe tool to parse Netlogon log files for specific Netlogon return status codes.

Alockout.txt log file (sample):
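As an added example (not from the original post), here is a small PowerShell stand-in for the EventCombMT search described above. It asks every domain controller for the Security events that the tool’s account-lockout category preconfigures (529, 644, 675, 676 and 681 on Windows 2000/2003, with 4625 and 4740 added here as the Vista/2008-and-later equivalents), keeps those that mention the user in question, and reports which machine the bad credentials came from. It assumes the ActiveDirectory module from RSAT, rights to read the domain controllers’ Security logs, and a placeholder user name of `jsmith`.

```powershell
# Added example: collect account-lockout related events for one user from every
# domain controller and show where each attempt originated. Not from the post.
function Get-AccountLockoutSource {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,   # sAMAccountName, e.g. 'jsmith' (placeholder)
        [int]$Hours = 24
    )
    $ids   = 529, 644, 675, 676, 681, 4625, 4740
    $since = (Get-Date).AddHours(-$Hours)
    $who   = [regex]::Escape($UserName)
    $dcs   = (Get-ADDomainController -Filter *).HostName

    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $since }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match "(?i)\b$who\b" } |
            ForEach-Object {
                $m = $_.Message
                # The originating machine is labelled differently by each event ID:
                # 529/4625 "Workstation Name", 644 "Caller Machine Name",
                # 4740 "Caller Computer Name", 675 "Client Address", 681 "from workstation".
                $src = if ($m -match '(?i)(Workstation Name|Caller Machine Name|Caller Computer Name|Client Address|from workstation):\s+(\S+)') {
                    $Matches[2]
                } else { 'unknown' }
                [PSCustomObject]@{
                    Time    = $_.TimeCreated
                    DC      = $dc
                    EventId = $_.Id
                    Source  = $src
                }
            }
    }
}

$events = Get-AccountLockoutSource -UserName 'jsmith' -Hours 48
$events | Sort-Object Time | Format-Table -AutoSize
# Grouping by Source usually points straight at the machine holding stale
# credentials: a mapped drive, a service, or a saved SQL Management Studio connection.
$events | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

The 644/4740 events are only logged on the domain controller that actually locked the account (the PDC emulator in practice, since lockouts are forwarded to it), which is why the function has to ask every DC rather than just the one nearest the user.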


How to recover a “WiFi” password from a Windows PC.

Or, “I’ve forgotten my Wireless password and don’t know how to retrieve it from my Windows 7 PC.”

I didn’t either, until today.

The background was that a customer was trying to add an iPad to their home network, and wasn’t able to, because they had forgotten their WiFi password.  So they called up.

There are three ways I found to recover a WiFi password.

1. WirelessKeyView by NirSoft.
This utility works, but some anti-virus products report it as malware.  That is a bit of a put-off for (less experienced) end users.

WirelessKeyView has the advantage of working on Windows XP as well.

2. LastPass.
The LastPass password manager has a built-in WiFi password import tool.  It works very well, but the flaw with LastPass is that you need to convince your user to install it, which means getting the user to sign up for a free account.

3. Use the built-in Windows “netsh” command.
From an administrator command line, type:
     netsh wlan export profile key=clear
and then press Enter.

Interface profile "GoldFish" is saved in file ".\Wireless Network Connection
-GoldFish.xml" successfully.

This will cause “Wireless profile file(s)” to be written to the current directory.  Here are the (abridged) contents of the Wireless Network Connection file for my GoldFish WiFi network.

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>GoldFish</name>
    ...
            <sharedKey>
                <keyMaterial>T-Man Colt 1911 These Boy Billards</keyMaterial>
            </sharedKey>
    ...
</WLANProfile>

My GoldFish WiFi password is the value between the <keyMaterial> tags above, i.e. “T-Man Colt 1911 These Boy Billards”.
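Step 3 wrapped up as an added example (not from the original post): the PowerShell below runs the same `netsh wlan export profile key=clear` command into a temporary folder, reads the network name and key back out of each exported XML file, and then deletes the folder so the clear-text key does not stay lying around on the PC. It assumes an elevated prompt on Windows 7 or later; the `folder=` argument to `netsh wlan export profile` is a documented option of that command.

```powershell
# Added example: recover saved WiFi keys via netsh and clean up the export.
# Not from the original post. Run from an elevated PowerShell prompt.
function Get-SavedWifiKey {
    $folder = Join-Path $env:TEMP ('wlan-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $folder | Out-Null
    try {
        # netsh writes one "<Interface name>-<SSID>.xml" file per saved profile,
        # e.g. "Wireless Network Connection-GoldFish.xml".
        netsh wlan export profile key=clear folder="$folder" | Out-Null

        foreach ($file in Get-ChildItem -Path $folder -Filter '*.xml') {
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            # PowerShell's XML adapter ignores the WLANProfile namespace, so plain
            # dot-notation reaches the elements. Open networks have no <sharedKey>.
            $shared = $doc.WLANProfile.MSM.security.sharedKey
            [PSCustomObject]@{
                Name           = $doc.WLANProfile.name
                Authentication = $doc.WLANProfile.MSM.security.authEncryption.authentication
                KeyType        = $shared.keyType
                Key            = $shared.keyMaterial      # e.g. "T-Man Colt 1911 These Boy Billards"
            }
        }
    }
    finally {
        # The export holds the key in clear text; do not leave it on disk.
        Remove-Item -Path $folder -Recurse -Force
    }
}

Get-SavedWifiKey | Format-Table -AutoSize
```

Because the profiles are exported with `key=clear`, the XML files are as sensitive as the passwords themselves, which is why the function deletes them in the `finally` block rather than leaving them in the current directory as the bare command does.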

Protecting the world’s information–NOT!


Oh, the hide of Symantec, saying that they are “Protecting the world’s information”.

In a PDF outlining the impact of its proprietary source code being stolen, Symantec recommends disabling pcAnywhere until the next update is issued. This warning includes users who are running pcAnywhere 12.0, 12.1 and 12.5, which is the latest version.
Symantec recommends disabling (Symantec’s) pcAnywhere after source code leak

Busted laptop–one of those Family/Friends/Neighbour deals.

The friend reported that their Windows 7 Dell laptop was blue-screening.

Now this was going to be a post about how simple it was to fix, but as it turns out, it was one of the more difficult problems I’ve worked on. If it was a customer laptop, I would have just re-imaged it and that would have been that. But as it was for a friend, there was the issue of no Dell Recovery Disks and no backups. And there was the small matter of pride involved …

Long story short:
The laptop had two viruses, removing those viruses broke the Dell Recovery partition and the laptop now constantly blue screened. I created a custom Windows 7 install USB stick to fix the laptop.

The long story follows below

Loading up the Action Center, the blue screen code was 0000001E. Windows 7 suggested that the fix was Microsoft Security Advisory: Update for the Windows Operating System Loader. But before applying that patch, I ran the Malicious Software Removal Tool. It found the Trojan:DOS/Alureon.a virus.

The laptop had McAfee AV installed.
Now McAfee, in my opinion, is a piece of crap. It certainly didn’t do much protecting in this case. I grabbed a copy of Microsoft Security Essentials and installed it. It detected TrojanDownloader:Win32/Unruy.H.

At the end of the scan, after trying to completely remove the virus, Microsoft Security Essentials suggested that I download the System Security Sweeper, which has since been renamed Windows Defender Offline. Windows Defender Offline is essentially a version of Microsoft Security Essentials on its own boot CD/USB.

Windows Defender Offline removed the virus. But it broke the Dell Recovery partition, and Windows boot loader.

At this stage, if it was MY laptop, I would have just thrown on a generic Windows 7 Home Premium edition. But this was a friend’s Dell laptop which came bundled with Office 2010 and other stuff, such as webcam software. To give you some idea of the amount of extra “stuff” Dell bundled, consider this. A standard Windows 7 image file is 2.1GB in size. The Dell one? 6.1GB. Close to 3 times the size.

Remember earlier I said I didn’t have the Dell Recovery DVDs? The tech consensus is that “if you don’t have a copy of the Recovery DVDs, you’re screwed.“. And most of the time, they’d be right.
I had copies of the Dell image files (preload.wim & factory.wim). I didn’t have a way to create the Recovery DVDs. So I was stuck with a 6.1GB image file I couldn’t use. But I did have a generic Windows 7 Home Premium install USB stick.

The Windows 7 Home Premium install USB stick.
I created the USB stick from the Home Premium ISO file, by using the Windows USB creator utility. The reason for using a USB stick is that it allowed me to replace the generic install.wim image file with the Dell factory.wim image. And this worked! Yay for me! I was able to re-image the laptop with the Dell factory image.

After the new Dell install.
The first thing I did was install Windows Service Pack 1. It was a toss up between installing that first, or the Microsoft Security Essentials (MSE) anti-virus program. My thought was that it was better to get the SP1 done first, then install other programs on top of that.

The rest was easy. Installed the security updates for Windows 7, Acrobat Reader, Skype and assorted Dell utilities.

And I removed McAfee anti-virus. 🙂