SOLVED: File Server Errors Logon The host {SERVER} Is Now In State Warn As It Has X logon Errors Per Second. This Could Indicate a Password Cracking Attempt – Up & Running Inc – Tech How To's

Home
How To’s
- Windows 11 & Windows 10Windows 2000, XP, Vista, 7 and more How Tos
- Windows Serverwindows 2003, 2008, R2 how tos
- Microsoft 365, Azure & HostingHelp with Office 365 Issues
- Office: Word, Excel, Outlook…Office Apps like Word, Excel, Visio, Outlook, Project, Powerpoint, 2003, 2007 and 2010
- Mobile: Android, Samsung, LGBlackberry, BES, and BIS news and how tos
- Microsoft Exchange ServerExchange 2003, 2007, 2010 how to and demos
- System CenterEndpoint Protection
- JokesThis category is for I.T. relates gags and practical jokes
- Product Reviews & Other TechnologiesOther Technologies like firewalls, VoIP, Skype, Hardware Comparisons and other how tos
Windows 10, 11 & Server
- Windows 11 & Windows 10Windows 2000, XP, Vista, 7, Windows 8 and more How Tos
- Windows Serverwindows 2003, 2008, R2 how tos
Office 365 & Azure
- 25 User FREE Office 365 Trial
- Office365 & Azure HelpHelp with Office 365 Issues
IT Business News
YouTube Channel
Contact
- Discount Hosting
- On Site SupportHARDWARE & SOFTWARE We have found that most customers are tired of the excuses from ICT vendors… “… it’s the softwares fault” “…it’s Dell’s fault”. Fault is not important when you are having problems… getting it fixed is. We typically take end to end responsibily for anything that plugs into the wall, from desktops and laptops, to photocopiers and phone systems… it’s all our problem. Server hardware Server Software (like Exchange, Server 2008, Print Sharing, Sharepoint, Dynamics…) Desktops (from any vendor, IBM/Lenovo, Dell, Toshiba, White box…) Laptops Switches and Firewalls (from any vendor, like Dlink, Cisco, Linksys, FortiNet, Netgear…) Uninteruptable Power Supplies (UPS) network, phone and electrical cabling land line systems (like Nortel, Avaya and Toshiba) photocopiers (like Xerox, Kyocera, Mita, Canon, Toshiba…) cell phones Blackberry’s Blackberry Enterprise Server and even the Apple Mac’s… we handle it all CONTRACT MANAGEMENT & NEGOTIATIONS Many companies simply take the “rack rate” on their purchases and leases. We are skilled and experienced at managing and renegotiating all sorts of contracts. Cell contracts will Telus, Bell, Rogers… are often Service contracts with photocopy companies Land Line contracts with Bell, Telus, Rogers, All-stream Evergreen renewals and sooo much more We can reduce your costs and increase…
- Computer Recycling
- Hardware & SoftwareNEW HARDWARE & SOFTWARE We sell and support all of the ‘Tier 1′ and ‘Tier 2′ brands. Toshiba, HP, Dell, Samsung, Logitech, Lenovo, Intel, AMD, Colubris, AOC, Kingston, Microsoft, Symantec, Kaspersky, McAfee and on and on… HARDWARE REPAIR AND UPGRADE We will support, repair, and upgrade hardware from any brand or manufacturer. From Dell to Toshiba, to Lenovo/IBM we service it all. Up & Running will also perform a security wipe and dispose of your old hardware, networking equipment and software to all firms in the Calgary Region. DATA RECOVERY Our qualified technicians provide full data recovery from failed or deleted hard drives and memory sticks for anyone in Southern Alberta.
- Privacy Policy
Search for:

Yesterday we were troubleshooting an error we found in our server monitoring tools that uses WMI queries to detect problems. It was reporting:

File Server Errors LogonThe host {Server} is now in state warn as it has 1.2067 logon errors per second. This could indicate a password cracking attempt.

logicmonitor wmi query for logon errors

The problem is that servers Event Viewer logged no log on issues. After some research we found that our monitoring tool (Logic Monitor) was using this WMI Query:

SELECT * FROM Win32_PerfRawData_PerfNet_Server

and was specifically reporting on the ERRORSLOGON counter. That word COUNTER is the key. WMI was not recording details like, which user or which machine the errors were coming from; WMI was just counting the failures.

We decided to run a few queries of our own to get more details:

wmi query for failed logons logon errors per second. This could indicate a password cracking attempt

Launch a PowerShell as an Admin
Type get-wmiobject and press ENTER
Type Win32_PerfRawData_PerfNet_Server and press ENTER

We noticed the SERVERSESSIONS and decided to check if any other admins were logged into this server. We launched TASK MANAGER and found 7 other admins have left themselves logged in but were now DISCONNECTED. I right clicked on each one of them and selected LOGOFF. Within a minute, Logic Monitor stopped reporting the failed logon attempts.

My guess is that someones account expired or they changed their AD password on a different machine but were still logged in on this machine. Remember that just because an RDP session is DISCONNECTED does NOT mean that the connections and apps they launched previously are not still running and could cause this very problem.

Categories: Windows Server

0 Comments

Leave a Reply Cancel reply