Monitoring NetLogon Logs

From FIA Wiki

First, open a Command Prompt as an administrator and run the following command to enable Netlogon debug logging:

nltest /dbflag:0x2080ffff

Once done, execute the following command to turn off the debugging:

nltest /dbflag:0x0

While debugging is enabled, every transaction is logged to the file %windir%\debug\netlogon.log (note: you need to run Notepad as an administrator to read this file).

Open the file in BareTail and enable highlighting for the following codes:


0xc000006a – An invalid attempt to login has been made by the following user.

0xc0000234 – The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
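For a copy of the log that is reviewed offline, the same two codes can be counted per account with a short script. This is an added example, not part of the original wiki page; the line layout it parses ("... logon of DOMAIN\user from HOST ... Returns 0x...") and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Status codes the page says to highlight (descriptions paraphrased from the page).
CODES = {
    0xC000006A: "invalid logon attempt",
    0xC0000234: "account locked out",
}

# Assumed line shape: "... logon of DOMAIN\user from HOST ... Returns 0xNNNNNNNN"
LINE_RE = re.compile(
    r"logon of (?P<user>.+?) from (?P<host>\S+).*?Returns (?P<code>0x[0-9A-Fa-f]+)",
    re.IGNORECASE,
)

def scan(lines):
    """Yield (user, host, code) for each line that returns a watched status code."""
    for line in lines:
        m = LINE_RE.search(line)
        # Parse the code as a number so 0xc000006a and 0xC000006A both match.
        if m and int(m["code"], 16) in CODES:
            yield m["user"].lower(), m["host"], int(m["code"], 16)

def summarize(lines):
    """Count watched codes per account: {user: Counter({code: n})}."""
    summary = {}
    for user, _host, code in scan(lines):
        summary.setdefault(user, Counter())[code] += 1
    return summary

# Constructed sample lines (not taken from a real log).
SAMPLE = r"""
03/15 10:22:31 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\alice from WKSTN01 (via SRV01) Entered
03/15 10:22:31 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\alice from WKSTN01 (via SRV01) Returns 0xC000006A
03/15 10:22:35 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\Alice from WKSTN01 (via SRV01) Returns 0xc000006a
03/15 10:22:40 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\alice from WKSTN01 (via SRV01) Returns 0xC0000234
03/15 10:23:02 [LOGON] [5678] EXAMPLE: SamLogon: Network logon of EXAMPLE\bob from WKSTN02 Returns 0x0
""".strip().splitlines()

if __name__ == "__main__":
    # For a real log, pass an open file instead of SAMPLE, e.g. a copy of
    # %windir%\debug\netlogon.log opened with errors="replace".
    for user, counts in summarize(SAMPLE).items():
        for code, n in counts.items():
            print(f"{user}: {n} x 0x{code:08X} ({CODES[code]})")
```

Several 0xc000006a results for one account followed by 0xc0000234 show the failed attempts that led to the lockout and the workstation they came from.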