Track Account Lockouts Using the Checked Netlogon.dll


Large numbers of failed logins due to bad passwords is a red flag for intrustion
detection. If you need to generate more detailed data to track bad password
attempts to Windows NT domains, install the checked build of Netlogon.dll on the PDC. This will create %systemroot%\debug\Netlogon.log which will capture more
information on the bad password attempts. You will need to obtain the checked
version of Netlogon.dll from Microsoft support or its
on the Microsoft DDK. To start generating the log:


  • stop netlogon service on PDC
  • rename original netlogon.dll to
    netlogon.dll.original
  • copy checked version of netlogon.dll to system32
    directory
  • set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
    to 0x20000004.
  • start netlogon service on PDC

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top