You may also see invalid logon events in the security log that resemble the following:
Audit Failure 3/30/2010 5:45:10 PM Microsoft Windows security auditing. 4625 Logon
An account failed to log on.
Subject:
Security ID: IIS APPPOOL\DefaultAppPool
Account Name: DefaultAppPool
Account Domain: IIS APPPOOL
Logon ID: 0x233a07c
Account Name: DefaultAppPool
Account Domain: IIS APPPOOL
Logon ID: 0x233a07c
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL
SID Account Name: extest_3844154d03764
Account Domain: <domain>
Failure Information: SID Account Name: extest_3844154d03764
Account Domain: <domain>
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information: Status: 0xc000006d
Sub Status: 0xc000006a
Caller Process ID: 0x12cc
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information: Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Workstation Name: 190319-HUB1
Source Network Address: fe80::dcf0:3733:ee84:5825
Source Port: 49150
Detailed Authentication Information: Source Network Address: fe80::dcf0:3733:ee84:5825
Source Port: 49150
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0