Why does my account keep getting locked? What does the log Event 4648 mean?

2

I have this problem I just can't seem to find the source of. My AD account keeps getting locked. Using lockout status and looking at the netlogon log I figured out which PC it is. I know which process is locking me: spoolsv.exe. Spoolsv.exe is running as SYSTEM, not as me, but I get this log entry.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/28/2014 9:45:01 AM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      computer.MYDOMAIN.NET
Description:
A logon was attempted using explicit credentials.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x79F5
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:       accountbeinglocked@mydomain.net
    Account Domain:     
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: FILESERVER.MYDOMAIN.NET
    Additional Information: FILESERVER.MYDOMAIN.NET

Process Information:
    Process ID:     0x544
    Process Name:       C:\Windows\System32\spoolsv.exe

Network Information:
    Network Address:    -
    Port:           -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4648</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-28T13:45:01.502850800Z" />
    <EventRecordID>308669</EventRecordID>
    <Correlation />
    <Execution ProcessID="784" ThreadID="5280" />
    <Channel>Security</Channel>
    <Computer>computer.MYDOMAIN.NET</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x79f5</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetUserName">accountbeinglocked@mydomain.net</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetServerName">FILESERVER.MYDOMAIN.NET</Data>
    <Data Name="TargetInfo">FILESERVER.MYDOMAIN.NET</Data>
    <Data Name="ProcessId">0x544</Data>
    <Data Name="ProcessName">C:\Windows\System32\spoolsv.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

I have no idea at all how to fix this. Thanks for any help you can give me.

Benoit Bourgault

Posted 2014-03-28T15:13:39.843

Reputation: 51
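To see how the event in the question can be used to pin down a lockout source, here is an added example (not code from the original post) that parses 4648 event XML, keeps only the fields that matter, and ranks which process on which host keeps presenting the locked account's credentials without any logged-on user context (Subject SID S-1-0-0, the NULL SID). The first sample event is built from the event above; the second and third are constructed (a repeat from the same spooler, and a benign RUNAS by an interactive user that should not be counted). All function names are my own. Event 4648 is written on the machine that presented the credentials, so the input is the workstation's Security log exported as XML (for example with wevtutil or Get-WinEvent); the actual lockout is recorded on the domain controller as event 4740.

```python
"""Pull investigation-relevant fields out of Windows Security event 4648 XML
and rank (computer, process, target server) tuples that presented the locked
account's credentials with no user context (the NULL SID subject).

Added example for this thread, not code from the original post. Sample events
are constructed from the event in the question; function names are my own.
"""
import ntpath
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(system_time, computer, subject_sid, process, target_user, target_server):
    # Constructed 4648 event carrying only the fields this script reads.
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <EventID>4648</EventID>
    <TimeCreated SystemTime="{system_time}" />
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">{target_user}</Data>
    <Data Name="TargetServerName">{target_server}</Data>
    <Data Name="ProcessName">{process}</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>"""


# Constructed sample log: the event from the question, a repeat a minute later,
# and an admin's own RUNAS from another workstation (interactive subject SID).
SAMPLE_EVENTS = [
    _event_xml("2014-03-28T13:45:01.502850800Z", "computer.MYDOMAIN.NET", "S-1-0-0",
               r"C:\Windows\System32\spoolsv.exe", "accountbeinglocked@mydomain.net",
               "FILESERVER.MYDOMAIN.NET"),
    _event_xml("2014-03-28T13:46:11.000000000Z", "computer.MYDOMAIN.NET", "S-1-0-0",
               r"C:\Windows\System32\spoolsv.exe", "accountbeinglocked@mydomain.net",
               "FILESERVER.MYDOMAIN.NET"),
    _event_xml("2014-03-28T13:50:00.000000000Z", "admin-ws.MYDOMAIN.NET", "S-1-5-21-1-2-3-1105",
               r"C:\Windows\System32\runas.exe", r"MYDOMAIN\accountbeinglocked",
               "dc01.MYDOMAIN.NET"),
]


def parse_4648(xml_text):
    """Return a dict of the fields needed for the investigation, or None if not a 4648."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4648":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "subject_sid": data.get("SubjectUserSid", ""),
        "target_user": data.get("TargetUserName", ""),
        "target_server": data.get("TargetServerName", ""),
        "process_path": data.get("ProcessName", ""),
        "process": ntpath.basename(data.get("ProcessName", "")),
    }


def account_key(name):
    """Normalise 'DOMAIN\\user' and 'user@domain' to a bare lowercase user name."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def is_stored_credential_use(rec):
    """True when a process with no logged-on user context (NULL SID subject) presented
    someone's credentials: the signature of a saved or stale password held by a
    service or driver, as opposed to an interactive RUNAS by a logged-on user."""
    return rec["subject_sid"] == "S-1-0-0" and rec["target_user"] not in ("", "-")


def lockout_sources(xml_events, locked_account):
    """Count (computer, process, target server) for events in which the locked
    account's credentials were presented without a user context, most frequent first."""
    counts = Counter()
    for xml_text in xml_events:
        rec = parse_4648(xml_text)
        if rec is None or account_key(rec["target_user"]) != account_key(locked_account):
            continue
        if is_stored_credential_use(rec):
            counts[(rec["computer"], rec["process"], rec["target_server"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (host, proc, server), n in lockout_sources(SAMPLE_EVENTS, "accountbeinglocked@mydomain.net"):
        print(f"{n:3d}  {host}  {proc} -> {server}")
```

On the sample data the only surviving tuple is the spooler on computer.MYDOMAIN.NET talking to FILESERVER.MYDOMAIN.NET, counted twice; the RUNAS event drops out because its subject is a real user SID. The NULL SID check is the useful discriminator here: it separates "something on this box holds a copy of my password" from "I typed my password into RUNAS myself".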

1

Are you logged into "computer.MYDOMAIN.NET" when this happens? Any services on the computer set to login using the "accountbeinglocked@mydomain.net"? Have you scanned for Malware yet? – Ƭᴇcʜιᴇ007 – 2014-03-28T15:29:17.453

No I'm not, someone else is logged in as another AD user, no services set to log in as user "accountbeingblocked@mydomain.net". Yes, I did scan for malware, with multiple scanners and even using a boot disk to check for rootkits. The printer spooler is started as SERVICE. – Benoit Bourgault – 2014-03-28T16:34:40.220

4648 A logon was attempted using explicit credentials. See here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648 This event is logged any time an auth request is made using credentials that are different from the login used on the local machine. – MaQleod – 2014-03-28T16:37:32.663

I found that information too; my question is why spoolsv.exe is using those credentials, and how do I tell it not to use them anymore? – Benoit Bourgault – 2014-03-28T16:38:49.133

2

That is the print spooler. If you've printed using your AD credentials (say to a network printer on the domain), then spoolsv.exe will be using those credentials in order to complete your print request. – MaQleod – 2014-03-28T16:42:16.770

This is a possibility. I sometimes sit at a user's desk and use my credentials to access other network resources, and will enter my credentials. How do I stop the print spooler from using my credentials anymore? I tried everything I could think of: disconnected shares, removed all shared printers. And if those printers are not used I don't get locked, but the user needs those printer shares. How do I make sure that when I add those printers back it is not using my credentials? – Benoit Bourgault – 2014-03-28T16:49:57.063

I suspect it is an e.g. HP or Brother driver/service attempting to do {magic} like upsell ink or connect to so-called cloud printing etc. – horatio – 2014-03-28T19:50:42.460

Worth a try: Remove all mapped network shares, relog into the PC, then map them again. – daraos – 2014-03-28T19:33:21.890

Done all that; it did not work. – Benoit Bourgault – 2014-03-28T20:43:44.967

Answers

1

This is commonly from cached credentials used to access a network resource (as noted in the comments).

You can remove the authenticated credentials from:

Control Panel\All Control Panel Items\User Accounts

click the username. To the left you will see Manage your credentials. From that, select the share/resource name and remove it.

You will need to find any and all systems that use the credentials.

Dave M

Posted 2014-03-28T15:13:39.843

Reputation: 12 811

I have already emptied my Credential Vault and that of the user that locks me. Doesn't fix the problem. – Benoit Bourgault – 2014-03-28T18:15:25.890

How do I do that? And as you have seen from the event error, I know that spoolsv.exe is contacting the fileserver with my credential. But how/why does it call it using my credential? – Benoit Bourgault – 2014-03-28T19:37:47.573

Have you cleared it from all possible workstations? It would likely be a shared printer you accessed from a computer other than your usual one. Any chance you run a virtual machine somewhere? Have seen a copied VM cause this – Dave M – 2014-03-28T20:15:01.930

I was able to really identify that station as the problem by correlating my lockout with printing something or even just looking at printer properties. I don't get locked if that PC is not running. There is no VM on any PC here; I run some but they were all shut down. The fix will be to reinstall everything on that PC, which should fix it, but I'd rather figure out what is happening. – Benoit Bourgault – 2014-03-28T20:42:21.487

1

Try

psexec -i -s -d cmd
cmdkey /list

This shows if the system account has any credentials stored; remove them with cmdkey /delete:target

e.g.

cmdkey /delete:192.168.1.2

jari

Posted 2014-03-28T15:13:39.843

Reputation: 21

This is a great command. I did not know about it. Unfortunately it did not fix my issue and only replicates what you see by looking in the Credential Vault. – Benoit Bourgault – 2015-01-30T15:29:11.167
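The answer above amounts to a small procedure: open a shell as SYSTEM (since that is the account spoolsv.exe runs as), list what Credential Manager holds for that account, and delete any entry that still carries the locked user's password. Here is an added example (not code from the original answer) that does the middle step on a saved copy of the `cmdkey /list` output: it parses the entries and emits the `cmdkey /delete:<target>` commands for those whose stored user is the locked account or whose target is the file server named in the 4648 event. The output text is constructed; its Target/Type/User/persistence line layout and the assumption that `/delete` takes the name after `target=` (as the answer's own `cmdkey /delete:192.168.1.2` does) are mine, as are the function names.

```python
"""Parse `cmdkey /list` output captured in the SYSTEM context and produce the
`cmdkey /delete:<target>` commands for entries that reference the locked
account or the file server seen in the 4648 event.

Added example for this thread, not code from the original answer. The sample
output is constructed; the line layout it assumes and the delete syntax
(name after `target=`) are assumptions.
"""

# Constructed cmdkey /list output: a domain credential for the file server in
# the question, a generic one for a print host, and an unrelated service account.
SAMPLE_CMDKEY_OUTPUT = r"""
Currently stored credentials:

    Target: Domain:target=FILESERVER.MYDOMAIN.NET
    Type: Domain Password
    User: MYDOMAIN\accountbeinglocked
    Local machine persistence

    Target: LegacyGeneric:target=PRINTHOST.MYDOMAIN.NET
    Type: Generic
    User: accountbeinglocked@mydomain.net
    Local machine persistence

    Target: Domain:target=BACKUP.MYDOMAIN.NET
    Type: Domain Password
    User: MYDOMAIN\svc_backup
    Saved for this logon only
"""


def parse_cmdkey_list(text):
    """Split cmdkey /list output into one dict per stored credential."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            target = line[len("Target:"):].strip()
            # "Domain:target=NAME" -> kind "Domain", name "NAME"
            kind, _, name = target.partition("target=")
            current = {"kind": kind.rstrip(":"), "name": name or target,
                       "type": "", "user": "", "persistence": ""}
            entries.append(current)
        elif current is None or not line:
            continue  # header line or blank separator
        elif line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip()
        elif line.startswith("User:"):
            current["user"] = line[len("User:"):].strip()
        else:
            current["persistence"] = line  # e.g. "Local machine persistence"
    return entries


def account_key(name):
    """Normalise 'DOMAIN\\user' and 'user@domain' to a bare lowercase user name."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def stale_entries(entries, locked_account=None, server=None):
    """Entries whose stored user is the locked account, or whose target is the server."""
    hits = []
    for e in entries:
        user_hit = locked_account is not None and account_key(e["user"]) == account_key(locked_account)
        server_hit = server is not None and e["name"].lower() == server.lower()
        if user_hit or server_hit:
            hits.append(e)
    return hits


def delete_commands(entries):
    """One cmdkey /delete per entry, keyed on the name after `target=` (assumed form)."""
    return [f"cmdkey /delete:{e['name']}" for e in entries]


if __name__ == "__main__":
    found = parse_cmdkey_list(SAMPLE_CMDKEY_OUTPUT)
    to_remove = stale_entries(found, locked_account="accountbeinglocked@mydomain.net",
                              server="FILESERVER.MYDOMAIN.NET")
    for e in to_remove:
        print(f"{e['kind']:13} {e['name']:28} {e['user']:40} {e['persistence']}")
    for cmd in delete_commands(to_remove):
        print(cmd)
```

Run this against the list captured from the `psexec -i -s -d cmd` shell, not from your own session, since each account has its own vault. Note that the asker reports an empty SYSTEM vault did not end the lockouts; in that case the password is being held somewhere Credential Manager does not show, which is consistent with horatio's suggestion that the printer driver or its service keeps its own copy.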