The logs
rolled for the security logs. this would tell us exactly what you would
get when you are trying to log in. The errors you were getting that you
sent were exactly what I would expect for those logons.
This error is due to you
disabling cached logons. So its expected.
Log Name: System
Source: LsaSrv
Date: 1/7/2016 12:36:07 PM
Event ID: 45056
Task Category: Logon Cache
Level: Warning
Keywords: Classic
User: N/A
Computer: xxxxxxxxxxxxxxx
Description:
Logon cache was disabled. Intermittent
authentication failures may result during periods of network latency or
interrupts. Please contact your system administrator.
2.
The other
error is due to someone typing in a bad password.
Log Name: Security
Source:
Microsoft-Windows-Security-Auditing
Date:
1/7/2016 12:28:19 PM
Event ID: 4625
Task Category: Logon
Level:
Information
Keywords: Audit Failure
User: N/A
Computer: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Description:
An account failed to log on.
Subject:
Security
ID: SYSTEM
Account
Name: xxxxxxxxxxxxxxxxxxxx
Account
Domain: xxxxxxxxxxxxxxxxxxxxx
Logon
ID:
0x3e7
Logon
Type:
2
Account For Which Logon Failed:
Security
ID: NULL SID
Account
Name: xxxxxxxxxxxxxx
Account
Domain: xxxxxxxxxxxxxxxxxx
Failure Information:
Failure
Reason: Unknown user name or
bad password.
Status:
0xc000006d
Sub
Status:
0xc000006a
3.
The patches you
mentioned no one of them are what I would say authentication bits. So I
would not expect any changes to the authentication piece.
1.Cumulative
Security Update for Internet Explorer 11 for Windows Server 2008 R2 for
x64-based Systems (KB3104002)
2.Security
Update for Windows Server 2008 R2 x64 Edition (KB3109094)
3.Update
for Windows Server 2008 R2 x64 Edition (KB3112343)
4.Security
Update for Windows Server 2008 R2 x64 Edition (KB3108371)
5.Security
Update for Windows Server 2008 R2 x64 Edition (KB3109103)
6.Security
Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008
R2 SP1 for x64-based Systems (KB3099862)
7.Security
Update for Windows Server 2008 R2 x64 Edition (KB3108381)
8.Security
Update for Windows Server 2008 R2 x64 Edition (KB3108670)
9.Security
Update for Microsoft Silverlight (KB3106614)
4.
You are missing the
enterprise client rollup should be on all windows 7 and 2008 r2 machine in
enterprise.
This
rollup is like a service pack for 2008 r2. This updates everything on the
box to improve network performance, os performance and overall stability.
This
update is available from the Microsoft Update Catalog. Type 2775511 in the
search field that is located in the upper-right corner of the catalog
webpage.
regression
patches that must be installed with 2775511. Please ignore the error
descriptions. There are many symptoms to the regressions and its an
update to an important redirector.
##################################
I did a little more research and
found the following case information very informative. Based on the below
information, I do not think we need to engage the setup core team at this
point.
I found something
interesting. If you notice the only services dying with access denied is
one service. (shown in red) I missed it the first time I looked at logs
since it was marked as informational and I had filtered the
informational. So the McAfee Service Controller is getting access
denied. Below in red is where we are failing. I included all the
other services successfully starting. IT appears to me the filter driver
is from mcafee. So I did some more digging into case histories and found
that there are other cases where customers after installing certain patches
they start getting this error. All of them describe Random Access
Denied. If they disable the Macfee services, the issue goes away as
well. You still probly require a reboot.
1/7/2016
|
7:37:01 AM
|
Information
|
VM1057402.WEREXTERNAL.EXT
|
6
|
McAfee Service
Controller
|
N/A
|
N/A
|
The mfevtp MMS
Service failed to start due to the following error. Access is denied. .
|
The internal document gives this
as the solution. They also said that it happens on windows 7 and 2008 r2
boxes across the enterprise. PLEASE NOTE: The step below is for a third party product and Microsoft
cannot tell you to delete this file. I am providing this because this was
documented in a case. I am assuming it may have come from MacAfee however
its not documented that it was a solution from them. So use at your
own risk.
1)
Reboot into safe mode with networking
2)
Logon with an administrative account (our normal domain accounts are fine)
3)
Delete C:\Program Files\Common Files\McAfee\SystemCore\extraDREP.rul
4)
Reboot
My recommendation is to engage the vendor knows
about the issue and make sure this is a supported resolution. They might
even have an update for their software if they know its an issue. If they
are unaware they may need to debug the issue.
Sample of services loading after
a reboot.
1/7/2016
|
7:36:39 AM
|
Information
|
xxxxxxxx |
6009
|
EventLog
|
N/A
|
N/A
|
Microsoft (R) Windows (R) 6.01.
7601 Service Pack 1 Multiprocessor Free.
|
1/7/2016
|
7:36:39 AM
|
Information
|
xxxxxxxx |
6005
|
EventLog
|
N/A
|
N/A
|
The Event log service was
started.
|
|
|
1/7/2016
|
7:36:39 AM
|
Information
|
xxxxxxxx |
6013
|
EventLog
|
N/A
|
N/A
|
The system uptime is 39 seconds.
|
|
|
1/7/2016
|
7:35:42 AM
|
Information
|
xxxxxxxx |
109
|
Microsoft-Windows-Kernel-Power
|
N/A
|
N/A
|
The kernel power manager has
initiated a shutdown transition.
|
1/7/2016
|
7:35:43 AM
|
Information
|
xxxxxxxx |
13
|
Microsoft-Windows-Kernel-General
|
N/A
|
N/A
|
The operating system is shutting
down at system time ?2016?-?01?-?07T06:35:43.248774000Z.
|
1/7/2016
|
7:36:00 AM
|
Information
|
xxxxxxxx |
12
|
Microsoft-Windows-Kernel-General
|
N/A
|
NT AUTHORITY\SYSTEM
|
The operating system started at
system time ?2016?-?01?-?07T06:36:00.125599300Z.
|
|
|
|
|
|
|
N/A
|
N/A
|
VMCI: Using capabilities (0xc).
|
|
|
|
|
|
|
|
|
N/A
|
NT AUTHORITY\SYSTEM
|
File System Filter 'mfehidk'
(0.0, ?2015?-?06?-?27T00:10:48.000000000Z) has successfully loaded and
registered with Filter Manager.
|
|
|
|
|
|
|
N/A
|
NT AUTHORITY\SYSTEM
|
Processor 0 in group 0 exposes
the following: 1 idle state(s) 0 performance state(s) 8 throttle state(s)
|
|
|
|
|
|
|
N/A
|
NT AUTHORITY\SYSTEM
|
Processor 3 in group 0 exposes
the following: 1 idle state(s) 0 performance state(s) 8 throttle state(s)
|
|
|
|
|
|
|
N/A
|
NT AUTHORITY\SYSTEM
|
Processor 2 in group 0 exposes
the following: 1 idle state(s) 0 performance state(s) 8 throttle state(s)
|
|
|
|
|
|
|
N/A
|
NT AUTHORITY\SYSTEM
|
Processor 1 in group 0 exposes
the following: 1 idle state(s) 0 performance state(s) 8 throttle state(s)
|
|
|
|
|
|
|
N/A
|
N/A
|
The Plug and Play service
entered the running state.
|
|
|
|
|
|
|
N/A
|
NT AUTHORITY\SYSTEM
|
One or more of the Plug and Play
service's subsystems has changed state. PlugPlay install subsystem
enabled: 'true' PlugPlay caching subsystem enabled: 'true'
|
|
|
|
|
|
|
N/A
|
N/A
|
The Power service entered the
running state.
|
|
|
|
|
|
|
|
N/A
|
NT AUTHORITY\SYSTEM
|
File System Filter 'luafv' (6.1,
?2009?-?07?-?14T00:26:13.000000000Z) has successfully loaded and registered
with Filter Manager.
|
|
|
|
|
|
|
N/A
|
N/A
|
The DCOM Server Process Launcher
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The RPC Endpoint Mapper service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Remote Procedure Call (RPC)
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Windows Event Log service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Group Policy Client service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The User Profile Service service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The COM+ Event System service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The System Event Notification
Service service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Desktop Window Manager
Session Manager service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Network Store Interface
Service service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The TCP/IP NetBIOS Helper
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The DNS Client service entered
the running state.
|
|
|
|
|
|
|
|
Service State Event
|
NT AUTHORITY\LOCAL SERVICE
|
DHCPv4 client service is started
|
|
|
|
|
|
|
|
|
Service State Event
|
NT AUTHORITY\LOCAL SERVICE
|
DHCPv6 client service is started
|
|
|
|
|
|
|
|
|
N/A
|
N/A
|
The DHCP Client service entered
the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Shell Hardware Detection
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Task Scheduler service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Windows Font Cache Service
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Base Filtering Engine
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Workstation service entered
the running state.
|
1/7/2016
|
7:36:46 AM
|
Warning
|
xxxxxxxx
|
45056
|
LsaSrv
|
Logon Cache
|
N/A
|
Logon cache was disabled.
Intermittent authentication failures may result during periods of network
latency or interrupts. Please contact your system administrator.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Netlogon service entered the
running state.
|
|
|
|
|
|
|
|
N/A
|
N/A
|
The Security Accounts Manager
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Cryptographic Services
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The PA DSI Service service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Application Host Helper
Service service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The IKE and AuthIP IPsec Keying
Modules service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The McAfee Agent Common Services
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The McAfee Agent Service service
entered the running state.
|
1/7/2016
|
7:37:01 AM
|
Information
|
xxxxxxxx |
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
|
|
|
|
|
|
N/A
|
N/A
|
The McAfee Service Controller
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The McAfee Validation Trust
Protection Service service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The McAfee Validation Trust
Protection Service service entered the stopped state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The PA Measurement Interface
service entered the running state.
|
1/7/2016
|
7:37:01 AM
|
Information
|
xxxxxxxx |
7036
|
Service Control Manager
|
N/A
|
N/A
|
The McAfee Task Manager service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The PA Extended Collector
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Network Location Awareness
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Opsware Agent service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The PA Alarm Generator service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Remote Registry service
entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Real Time Metric Access
Service service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The SNMP Service service entered
the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The PA Transaction Manager
service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The SNMP Service has started
successfully.
|
|
1/7/2016
|
7:37:06 AM
|
Information
|
xxxxxxxx |
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
1/7/2016
|
7:37:06 AM
|
Information
|
xxxxxxxx |
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
|
|
|
|
|
|
N/A
|
N/A
|
The VMware Tools service entered
the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Windows Management
Instrumentation service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The Windows Process Activation
Service service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The McAfee McShield service
entered the running state.
|
1/7/2016
|
7:37:07 AM
|
Information
|
xxxxxxxx
|
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
|
|
|
|
|
|
N/A
|
N/A
|
The World Wide Web Publishing
Service service entered the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The PA Collector service entered
the running state.
|
|
|
|
|
|
|
N/A
|
N/A
|
The IP Helper service entered
the running state.
|
|
|
|
|
|
|
|
N/A
|
N/A
|
The Server service entered the
running state.
|
|
1/7/2016
|
7:37:21 AM
|
Information
|
xxxxxxxx
|
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
1/7/2016
|
7:37:21 AM
|
Information
|
xxxxxxxx
|
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
1/7/2016
|
7:37:21 AM
|
Information
|
xxxxxxxx
|
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
1/7/2016
|
7:37:21 AM
|
Information
|
xxxxxxxx
|
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
1/7/2016
|
7:37:21 AM
|
Information
|
xxxxxxxx
|
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
1/7/2016
|
7:37:22 AM
|
Information
|
xxxxxxx
|
6
|
McAfee Service Controller
|
N/A
|
N/A
|
The mfevtp MMS Service failed to
start due to the following error. Access is denied. .
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
1)
Reboot into safe mode with networking
2)
Logon with an administrative account (our normal domain accounts are fine)
3)
Delete C:\Program Files\Common Files\McAfee\SystemCore\extraDREP.rul
4)
Reboot
1.
missing the
enterprise client rollup should be on all windows 7 and 2008 r2 machine in
enterprise.
This
rollup is like a service pack for 2008 r2. This updates everything on the
box to improve network performance, os performance and overall stability.
This
update is available from the Microsoft Update Catalog. Type 2775511 in the
search field that is located in the upper-right corner of the catalog
webpage.
regression
patches that must be installed with 2775511. Please ignore the error
descriptions. There are many symptoms to the regressions and its an
update to an important redirector.
