Windows-7

Trying to track down the user account that SVCHOST.exe is using

  • August 19, 2016

I'm having a problem in my environment where nearly all of my Windows 7 systems (the vast majority of the infrastructure) are attempting to log on to an old disabled account. I know this is from a previous system administrator, who used this account for some service; I just can't figure out where it is set up.

I know the process runs under SVCHOST.exe, and I'm reasonably sure it's the one running the following other tasks.

AeLookupSvc
BITS
Browser
CertPropSvc
IKEEXT
iphlpsvc
LanmanServer
ProfSvc
Schedule
SENS
SessionEnv
ShellHWDetection
Themes
Winmgmt
wuauserv

I think it might be a leftover from an old WSUS server, but that server has been decommissioned and retired, so I can't look there. I don't know which child process/service under SVCHOST is attempting these credentials, and the sec logs are very vague. I've done a full search of the registry on the affected machines and looked for any reference to this account via rsop on the machine, but I can't find anything.

An account failed to log on.

Subject:
   Security ID:        SYSTEM
   Account Name:       [ComputerName]$
   Account Domain:     [Domain]
   Logon ID:       0x3e7

Logon Type:         2

Account For Which Logon Failed:
   Security ID:        NULL SID
   Account Name:       [UserAccount]
   Account Domain:     [Domain]

Failure Information:
   Failure Reason:     Account currently disabled.
   Status:         0xc000006e
   Sub Status:     0xc0000072

Process Information:
   Caller Process ID:  0x304
   Caller Process Name:    C:\Windows\System32\svchost.exe

Network Information:
   Workstation Name:   [ComputerName]
   Source Network Address: -
   Source Port:        -

Detailed Authentication Information:
   Logon Process:      Advapi  
   Authentication Package: Negotiate
   Transited Services: -
   Package Name (NTLM only):   -
   Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.
   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

None of these services need to use explicit credentials. The "Schedule" service is the Task Scheduler. You can check the scheduled tasks with the following command.

schtasks /query /XML > File.txt  

Then search File.txt for the account/principal.
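As an added example (not part of the original answer), this Python script parses the File.txt dump produced by the schtasks command above and lists every task whose principal is the account in question, which is faster than reading the XML by hand when a machine has dozens of tasks. The account name CORP\oldsvc and the sample dump are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # schtasks XML namespace

# Each task in the dump is "<!-- \path\name -->" followed by its own XML document; the
# declaration is skipped because expat rejects a UTF-16 declaration on str input.
TASK_RE = re.compile(
    r"<!--\s*(?P<path>\\\S*)\s*-->\s*(?:<\?xml[^>]*\?>)?\s*(?P<xml><Task\b.*?</Task>)", re.S)

# Constructed sample dump: a built-in task plus a legacy task that still stores
# credentials for a hypothetical retired service account.
SAMPLE_OUTPUT = r"""<!-- \Microsoft\Windows\Defrag\ScheduledDefrag -->
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId></Principal></Principals>
</Task>
<!-- \LegacyInventory -->
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>CORP\oldsvc</UserId><LogonType>Password</LogonType>
  </Principal></Principals>
</Task>
"""

def _same_account(user_id, wanted):
    """Case-insensitive match; a bare username matches under any domain prefix."""
    uid, want = user_id.lower(), wanted.lower()
    return uid == want if "\\" in want else uid.rsplit("\\", 1)[-1] == want

def find_tasks_running_as(dump_text, account):
    """Return (task path, UserId, LogonType) for each task whose principal is `account`."""
    hits = []
    for m in TASK_RE.finditer(dump_text):
        task = ET.fromstring(m.group("xml"))
        for principal in task.iter(NS + "Principal"):
            user_id = principal.findtext(NS + "UserId", default="")
            if _same_account(user_id, account):
                hits.append((m.group("path"), user_id,
                             principal.findtext(NS + "LogonType", default="")))
    return hits

if __name__ == "__main__":
    # Usage: python find_task_principal.py File.txt DOMAIN\account
    with open(sys.argv[1], errors="replace") as fh:  # cmd '>' writes the console code page
        for path, user_id, logon_type in find_tasks_running_as(fh.read(), sys.argv[2]):
            print(f"{path}\tUserId={user_id}\tLogonType={logon_type}")
```

A hit with LogonType Password is a task that stores the account's credentials, which is exactly the kind of entry that keeps generating the 4625 events above after the account is disabled.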

Why not check the "Log On" tab of these services? I think it's one of them.

Did you find any events in the security log when you searched for that username?

Source: https://serverfault.com/questions/797690