locked
Event Viewer NOT showing logon with bad password RRS feed

  • Question

  • I have always had the event viewer show me if someone tried to logon with a bad password (my boyfriend spying on me) it also showed if you logon "success". I got a new PC with Vista and recently went to see how often he's been trying to logon to my computer again as he was yelling at me about changing my password when I had not, BUT the event viewer never shows bad logons. I tried myself to put in a bad password a bunch of times, it only shows success attempts. I do have it set to show me everything. He said he didn't do anything in the registry or otherwise to mess with it, but then why on this computer doesn't it work? I hadn't noticed until now and I've had this PC for at least 6 months. Plus he's a developer and knows way more than I do about any computer. Can I fix this myself? By the way I don't CARE if he's in my computer! I care that he comes over here when I am not home to snoop around my apt because he is paranoid, and that REALLY creeps me out. Seeing how often he tries to get into my PC tells me how often he's been snooping!

    Tuesday, October 11, 2011 10:49 PM

Answers

  • My previous post won't work on Vista.
     
    Download PSTools
    http://technet.microsoft.com/en-us/sysinternals/bb897553
     
    Double click the zip file. Extract psexec to the desktop.
     
    Click Start - All Programs - Accessories - right click Command Prompt and
    choose Run As Administrator.
     
    Type in the command prompt
     
    "%userprofile%\desktop\psexec" -i -s regedit.exe
     
    Leave the regedit window open.
     
    Start notepad (Click Start - All Programs - Accessories - notepad) and copy
    the below lines into notepad. Be careful of line wrapping. Lines end with a
    \ except the first three non blank lines.
     
    Windows Registry Editor Version 5.00
     
    [HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv]
    @=hex(0):00,01,00,00,09,00,41,00,72,00,00,00,01,00,00,00,03,00,00,00,03,00,03,\
    00,03,00,03,00,03,00,03,00,03,00,03,00,03,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,01,00,01,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,05,00,08,00,0b,00,03,00,04,\
    00,06,00,06,00,04,00,03,00
     
    DON'T COPY THIS LINE
     
    Save the file (File menu - Save As) using the name "Audit Logon On.Reg" .
    The quotation marks are typed as part of the name (though they won't
    actually become part of the filename).
     
    Hold down shift and right click the file and choose Copy As Path.
     
    Switch back to regedit. Filemenu - Import and right click the filename
    textbox and choose paste and click ok.
     
    Reboot
     
    Does it now work?
     
    --
    ..
    --
    "DavidMCandy" wrote in message news:2999a320-2e41-48ad-8779-4cc0cacfa06b...
    > Do you think you can follow this procedure
    > http://www.windowsitpro.com/article/tips/jsi-tip-5231-how-do-i-determine-the-windows-2000-audit-policy-using-the-registry-
    > --
    > ..
    > --
    > "DavidMCandy" wrote in message
    > news:2a69de67-7453-4066-a9e9-484b219f00cb...
    >> Maybe Vista home doesn't have the Local Security Policy editor. To check
    >> click Start - All Programs - Accessories - Run (or press Winkey + R) and
    >> type
    >>
    >> secpol.msc
    >>
    >> --
    >> ..
    >> --
    >> "annonamous548" wrote in message
    >> news:0114ff38-1dec-4260-9d75-1599e7de7ec8...
    >>> when i click on administrative tools all that i see is
    >>>
    >>> comp mangmnt
    >>>
    >>> data sources
    >>>
    >>> evt viewer
    >>>
    >>> iscsi initiator
    >>>
    >>> memory diag
    >>>
    >>> MS net frame
    >>>
    >>> Reliability and Perform
    >>>
    >>> Services
    >>>
    >>> Sysytem Config
    >>>
    >>> Task scheduler
    >>>
    >>> Windows Firewall
    >>>
    >>
    >>
    >
    >
     
     
    Friday, October 14, 2011 11:51 AM

All replies

  • You have to turn the feature on.
     
    Click Start - Control Panel - choose Classic View in left hand pane - choose
    Administrative Tools in the right hand pane - then Local Security Policy.
    Expand - Security Settings - Local Policies - Audit Policy and double click
    Audit Account Logon in the right hand pane. Tick Failure then Ok and restart
    the computer.
    --
    ..
    --
    "annonamous548" wrote in message
    news:816015b2-4357-427e-b702-4eecc5cacdbf...
    >I have always had the event viewer show me if someone tried to logon with a
    >bad password (my boyfriend spying on me) it also showed if you logon
    >"success". I got a new PC with Vista and recently went to see how often
    >he's been trying to logon to my computer again as he was yelling at me
    >about changing my password when I had not, BUT the event viewer never shows
    >bad logons. I tried myself to put in a bad password a bunch of times, it
    >only shows success attempts. I do have it set to show me everything. He
    >said he didn't do anything in the registry or otherwise to mess with it,
    >but then why on this computer doesn't it work? I hadn't noticed until now
    >and I've had this PC for at least 6 months. Plus he's a developer and knows
    >way more than I do about any computer. Can I fix this myself? By the way I
    >don't CARE if he's in my computer! I care that he comes over here when I am
    >not home to snoop around my apt because he is paranoid, and that REALLY
    >creeps me out. Seeing how often he tries to get into my PC tells me how
    >often he's been snooping!
    >
     
     
    Wednesday, October 12, 2011 9:56 AM
  • And dump your boyfriend.
     
    --
    ..
    --
    "DavidMCandy" wrote in message news:4f314cf4-a4fd-43b6-b714-edb2f5ea65c2...
    > You have to turn the feature on.
    >
    > Click Start - Control Panel - choose Classic View in left hand pane -
    > choose
    > Administrative Tools in the right hand pane - then Local Security Policy.
    > Expand - Security Settings - Local Policies - Audit Policy and double
    > click
    > Audit Account Logon in the right hand pane. Tick Failure then Ok and
    > restart
    > the computer.
    > --
    > ..
    > --
    > "annonamous548" wrote in message
    > news:816015b2-4357-427e-b702-4eecc5cacdbf...
    >>I have always had the event viewer show me if someone tried to logon with
    >>a
    >>bad password (my boyfriend spying on me) it also showed if you logon
    >>"success". I got a new PC with Vista and recently went to see how often
    >>he's been trying to logon to my computer again as he was yelling at me
    >>about changing my password when I had not, BUT the event viewer never
    >>shows
    >>bad logons. I tried myself to put in a bad password a bunch of times, it
    >>only shows success attempts. I do have it set to show me everything. He
    >>said he didn't do anything in the registry or otherwise to mess with it,
    >>but then why on this computer doesn't it work? I hadn't noticed until now
    >>and I've had this PC for at least 6 months. Plus he's a developer and
    >>knows
    >>way more than I do about any computer. Can I fix this myself? By the way I
    >>don't CARE if he's in my computer! I care that he comes over here when I
    >>am
    >>not home to snoop around my apt because he is paranoid, and that REALLY
    >>creeps me out. Seeing how often he tries to get into my PC tells me how
    >>often he's been snooping!
    >>
    >
    >
     
     
    Wednesday, October 12, 2011 10:06 AM
  • when i click on administrative tools all that i see is

    comp mangmnt

    data sources

    evt viewer

    iscsi initiator

    memory diag

    MS net frame

    Reliability and Perform

    Services

    Sysytem Config

    Task scheduler

    Windows Firewall

    Thursday, October 13, 2011 11:10 PM
  • Maybe Vista home doesn't have the Local Security Policy editor. To check
    click Start - All Programs - Accessories - Run (or press Winkey + R) and
    type
     
    secpol.msc
     
    --
    ..
    --
    "annonamous548" wrote in message
    news:0114ff38-1dec-4260-9d75-1599e7de7ec8...
    > when i click on administrative tools all that i see is
    >
    > comp mangmnt
    >
    > data sources
    >
    > evt viewer
    >
    > iscsi initiator
    >
    > memory diag
    >
    > MS net frame
    >
    > Reliability and Perform
    >
    > Services
    >
    > Sysytem Config
    >
    > Task scheduler
    >
    > Windows Firewall
    >
     
     
    Friday, October 14, 2011 9:48 AM
  • Do you think you can follow this procedure
    http://www.windowsitpro.com/article/tips/jsi-tip-5231-how-do-i-determine-the-windows-2000-audit-policy-using-the-registry-
    --
    ..
    --
    "DavidMCandy" wrote in message news:2a69de67-7453-4066-a9e9-484b219f00cb...
    > Maybe Vista home doesn't have the Local Security Policy editor. To check
    > click Start - All Programs - Accessories - Run (or press Winkey + R) and
    > type
    >
    > secpol.msc
    >
    > --
    > ..
    > --
    > "annonamous548" wrote in message
    > news:0114ff38-1dec-4260-9d75-1599e7de7ec8...
    >> when i click on administrative tools all that i see is
    >>
    >> comp mangmnt
    >>
    >> data sources
    >>
    >> evt viewer
    >>
    >> iscsi initiator
    >>
    >> memory diag
    >>
    >> MS net frame
    >>
    >> Reliability and Perform
    >>
    >> Services
    >>
    >> Sysytem Config
    >>
    >> Task scheduler
    >>
    >> Windows Firewall
    >>
    >
    >
     
     
    Friday, October 14, 2011 11:10 AM
  • My previous post won't work on Vista.
     
    Download PSTools
    http://technet.microsoft.com/en-us/sysinternals/bb897553
     
    Double click the zip file. Extract psexec to the desktop.
     
    Click Start - All Programs - Accessories - right click Command Prompt and
    choose Run As Administrator.
     
    Type in the command prompt
     
    "%userprofile%\desktop\psexec" -i -s regedit.exe
     
    Leave the regedit window open.
     
    Start notepad (Click Start - All Programs - Accessories - notepad) and copy
    the below lines into notepad. Be careful of line wrapping. Lines end with a
    \ except the first three non blank lines.
     
    Windows Registry Editor Version 5.00
     
    [HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv]
    @=hex(0):00,01,00,00,09,00,41,00,72,00,00,00,01,00,00,00,03,00,00,00,03,00,03,\
    00,03,00,03,00,03,00,03,00,03,00,03,00,03,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,01,00,01,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,05,00,08,00,0b,00,03,00,04,\
    00,06,00,06,00,04,00,03,00
     
    DON'T COPY THIS LINE
     
    Save the file (File menu - Save As) using the name "Audit Logon On.Reg" .
    The quotation marks are typed as part of the name (though they won't
    actually become part of the filename).
     
    Hold down shift and right click the file and choose Copy As Path.
     
    Switch back to regedit. Filemenu - Import and right click the filename
    textbox and choose paste and click ok.
     
    Reboot
     
    Does it now work?
     
    --
    ..
    --
    "DavidMCandy" wrote in message news:2999a320-2e41-48ad-8779-4cc0cacfa06b...
    > Do you think you can follow this procedure
    > http://www.windowsitpro.com/article/tips/jsi-tip-5231-how-do-i-determine-the-windows-2000-audit-policy-using-the-registry-
    > --
    > ..
    > --
    > "DavidMCandy" wrote in message
    > news:2a69de67-7453-4066-a9e9-484b219f00cb...
    >> Maybe Vista home doesn't have the Local Security Policy editor. To check
    >> click Start - All Programs - Accessories - Run (or press Winkey + R) and
    >> type
    >>
    >> secpol.msc
    >>
    >> --
    >> ..
    >> --
    >> "annonamous548" wrote in message
    >> news:0114ff38-1dec-4260-9d75-1599e7de7ec8...
    >>> when i click on administrative tools all that i see is
    >>>
    >>> comp mangmnt
    >>>
    >>> data sources
    >>>
    >>> evt viewer
    >>>
    >>> iscsi initiator
    >>>
    >>> memory diag
    >>>
    >>> MS net frame
    >>>
    >>> Reliability and Perform
    >>>
    >>> Services
    >>>
    >>> Sysytem Config
    >>>
    >>> Task scheduler
    >>>
    >>> Windows Firewall
    >>>
    >>
    >>
    >
    >
     
     
    Friday, October 14, 2011 11:51 AM