KBI 311319 Failed Logon Audit Events On Remote Machine When Running Performance Rules Using Other Credential

Version

Argent Advanced Technology all versions

Date

Friday, 24 April 2015

Summary

Argent AT has to use another credential to monitor a remote machine if either of the following is true:

  • The machine is not in the same domain as the Argent AT Engine

    For example, it is in a workgroup in a DMZ

  • The Argent AT service account has insufficient privileges to run Rules

    For example, the service account is not a local Administrator

When running a Performance Rule with Use Other Credentials, the performance metrics are retrieved successfully

However, if auditing of failed logons is turned ON in the local audit policy of the remote machine, a failed logon Audit Event will show up in the Security Log every time the Performance Rule is executed

Technical Background

Argent AT uses the Microsoft PDH (Performance Data Helper) library to read Windows performance metrics

The PDH API always tries the current logon identity first, which is the Argent AT service account, before using the specified other credential

As a result, a failed Logon Audit Event is generated on the remote machine for every execution

The PDH library is part of the Windows OS

The behavior may change in future Windows OS versions

It is more of a nuisance than an issue

The point that must be emphasized is that it does not affect the correctness of the performance data being monitored
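The audit pattern described above, as an added Python example that is not Argent's code: it runs over constructed Security Log export lines and separates the PDH-induced failed logon noise (service account fails, other credential succeeds seconds later from the same engine host) from failures that still deserve review. The event IDs 4625/4624, the export format and all account and host names are assumptions.

```python
"""Triage of the failed logon noise produced by PDH-based monitoring.

Added example, not Argent's code. It models the KB's pattern: each time a
Performance Rule runs, the remote Security Log records a failed logon for the
Argent AT service account (the identity PDH tries first), followed by a
successful logon with the 'other credential'. Assumed: Windows event IDs 4625
(failed logon) and 4624 (logon); all names and log lines below are constructed.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time event_id account source_host")

def parse_line(line):
    # Constructed export format: "<ISO time>|<event id>|<account>|<source host>"
    t, eid, acct, host = line.split("|")
    return Event(datetime.fromisoformat(t), int(eid), acct, host)

def classify_failures(lines, service_account, engine_host, window=timedelta(seconds=5)):
    """Map every 4625 event to 'benign-pdh-noise' or 'review'.

    A failure is benign PDH noise only when the failing account is the service
    account, the source is the Argent engine host, and a 4624 from the same
    host follows within `window` (the other credential succeeding).
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.time)
    verdicts = {}
    for i, ev in enumerate(events):
        if ev.event_id != 4625:
            continue
        success_follows = any(
            n.event_id == 4624 and n.source_host == ev.source_host
            and n.time - ev.time <= window
            for n in events[i + 1:]
        )
        expected = ev.account == service_account and ev.source_host == engine_host
        verdicts[ev] = "benign-pdh-noise" if expected and success_follows else "review"
    return verdicts

SAMPLE_LOG = [  # constructed: two rule executions plus one unrelated failure
    "2015-04-24T09:00:00|4625|ARGENT\\svc-argent|ARGENT-ENGINE",
    "2015-04-24T09:00:01|4624|DMZHOST\\monitor|ARGENT-ENGINE",
    "2015-04-24T09:05:00|4625|ARGENT\\svc-argent|ARGENT-ENGINE",
    "2015-04-24T09:05:01|4624|DMZHOST\\monitor|ARGENT-ENGINE",
    "2015-04-24T09:07:30|4625|DMZHOST\\Administrator|WS-UNKNOWN",
]

if __name__ == "__main__":
    for ev, verdict in classify_failures(SAMPLE_LOG, "ARGENT\\svc-argent", "ARGENT-ENGINE").items():
        print(ev.time, ev.account, ev.source_host, verdict)
```

Tuning a SIEM rule on this pattern keeps logon failure auditing ON while suppressing only the monitor's own predictable noise.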

Resolution

The failed Logon Audit Event can be avoided if logon failure auditing is turned OFF in the local security policy

Of course, this hides the issue rather than solving it

If security auditing must remain ON and the failed logon Events must be prevented at all costs, a local Trusted Agent can be installed to run the Performance Rules

Because the local Trusted Agent runs under a local administrator account, it will be able to access the Performance counters

In this case, the ‘Other Credential’ is no longer necessary for the remote machine