Listing 7: Command to Identify Failed NTLM Logon Attempts in Win2K
logparser "SELECT TimeGenerated, EXTRACT_TOKEN(Strings,0,'|') AS UserName, 
EXTRACT_TOKEN(Strings,2,'|') AS Workstation FROM Security WHERE 
(EventID=681) AND EXTRACT_TOKEN(Strings,3,'|')='3221225578'"