Need help in identifying rogue processes / service accounts with tracing

  • Question

  • Hello All,

    Thanks in advance for your help. I could really use some more insight on how to fix this problem.

    Problem: I have a server that is experiencing numerous failed logins by a particular service account. I have reached out to the owner of this service account but he has changed the password for the service account, yet I am still receiving the failed logins on a daily basis. I need to find a way to identify which script or scheduled task is actually attempting these automated login attempts. The event log doesn't provide enough information, at best only the process that is calling it, such as sqlsvc.exe but not the initiator.

    I have previously suggested increasing the logging level to see if we could identify more information but that proved unfruitful.

    My next idea is to enable tracing to see if we can get more information on those particular service accounts, but I don't know how to limit my tracing to a particular service account (so I won't adversely affect the performance of this production server unnecessarily).

    Is this possible? Is there a more efficient way to accomplish my investigation? If so, please advise.

    Can any of you help me with finding a solution to this problem?

    I would greatly appreciate any expertise and advice you could provide.

    Thanks,

    Don

    Tuesday, September 30, 2014 12:49 PM

Answers