Event ID: 4625 Source: Microsoft-Windows-Security-Auditing

Description
An account failed to log on.

Subject:
       Security ID: S-1-0-0
       Account Name: <account name>
       Account Domain: <domain>
       Logon ID: 0x0
Logon Type: <type>
Account For Which Logon Failed:
       Security ID: S-1-0-0
       Account Name: <account name>
       Account Domain: <domain>
Failure Information:
       Failure Reason: Unknown user name or bad password.
       Status: 0xc000006d
       Sub Status: 0xc0000064
Process Information:
       Caller Process ID:       0x0
       Caller Process Name:       -
Network Information:
       Workstation Name: <workstation name>
       Source Network Address: <IP address>
       Source Port: <port>
Detailed Authentication Information:
       Logon Process:              NtLmSsp
       Authentication Package:       NTLM
       Transited Services:       -
       Package Name (NTLM only):       -
       Key Length:              0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
       - Transited services indicate which intermediate services have participated in this logon request.
       - Package name indicates which sub-protocol was used among the NTLM protocols.
       - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
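
An added example (not part of the original page or of Microsoft's event text): parsing the rendered description shown above into sections and counting failures per target account, source address, logon type and sub status, so that a repeating identical failure stands out. It assumes the event message was exported as plain text; the sample events, account names and address are constructed, and the code-to-name tables are the standard Windows constants.

```python
from collections import Counter
# Standard Windows logon types and NTSTATUS codes (subset).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD"}

def parse_4625(message):
    """Parse the rendered description into {section: {field: value}}."""
    event, section = {}, None
    for raw in message.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value, indented = key.strip(), value.strip(), raw[:1].isspace()
        if indented and section is not None:
            section[key] = value              # "Account Name" repeats, so key by section
        elif value:
            event[key] = value                # top-level field such as "Logon Type"
        else:
            section = event.setdefault(key, {})   # unindented "Header:" line
    return event

def summarize(messages):
    """Count failures per (target account, source address, logon type, sub status)."""
    counts = Counter()
    for msg in messages:
        ev = parse_4625(msg)
        target, fail = ev["Account For Which Logon Failed"], ev["Failure Information"]
        source = ev.get("Network Information", {}).get("Source Network Address") or "-"
        ltype, sub = int(ev["Logon Type"]), int(fail["Sub Status"], 16)
        counts[(target["Account Name"], source,
                LOGON_TYPES.get(ltype, str(ltype)), NTSTATUS.get(sub, hex(sub)))] += 1
    return counts

# Constructed sample events in the layout shown above (not taken from a real log).
TEMPLATE = """Subject:
\tAccount Name: -
Logon Type: {ltype}
Account For Which Logon Failed:
\tAccount Name: {user}
Failure Information:
\tStatus: 0xc000006d
\tSub Status: {sub}
Network Information:
\tWorkstation Name:
\tSource Network Address: {ip}
"""
SAMPLE = ([TEMPLATE.format(ltype=4, user="admin", sub="0xc000006a", ip="-")] * 3
          + [TEMPLATE.format(ltype=3, user="guest1", sub="0xc0000064", ip="192.0.2.10")])
```

`summarize(SAMPLE).most_common()` lists the noisiest combinations first; a high count for one account with logon type Batch and no source address points at a local task or service holding a stale credential rather than at a remote source.
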
Comments
 
Status: 0xC000006D, Logon Type: 4 - This event started being recorded after upgrading a Windows 7 workstation to Windows 10. We found out that a scheduled task started failing to authenticate the account used for it. We adjusted the login to match the format used by Windows 10 and the problem was fixed.
See EV100616 (Error 0x803d0013 (-2143485933 WS_W_ENDPOINT_FAULT_RECEIVED)) for an instance when this event was recorded due to a misconfigured URI for the Root CA.
Symptom: Access denied on DFS namespace from network. Login needed and error.
Problem: Changed permission on DFSroots (c:\) on server.
Solution: Took ownership on folder and corrected permission.
In one situation, this event was recorded 290 times per day, showing C:\Windows\System32\svchost.exe as the calling process and the admin account as the one failing to log in due to a wrong password. All the services were configured to run as the Local System account. It turned out that the culprit was a batch file scheduled to run every 5 minutes using the Microsoft Task Scheduler. At some point, the admin password was changed and the task started failing at every run attempt. Once the password was updated, the messages stopped.
UWS4625 has some additional comments about this type of event.


I experienced this when running SharePoint WWS 3.0 on Server 2008. Disabling the Loopback check as per the MS knowledge base article did the trick.
From a support forum: "My two DCs were out of sync with date and time - not only out of sync between each other but also compared to the client PC I tried to log on from. Once the time synchronization was fixed, the problem was gone".
From a support forum: "In my case, we changed the administrator password and for some reason the error was gone. Maybe the password change triggered some other syncs that fixed the issue."
Enabling Kerberos Event Logging as per ME262177 may provide additional information in regards to this event.
If the event description does not contain the user account name, it might be due to a bug in the way Windows handles the use of a smart card to log on to a domain. See ME2157973 for information about a hotfix.
In my case, one host is available from the network under a few names. It's a web server (Windows 2008, MOSS2007). ME896861 helped (method 1).
See additional information about this event at EV100477 (4625: An account failed to log on).
I get this error after the installation of IE8RC1 on a W8k Server. Both the problem and the solution are similar to the ones described in ME896861.
See ME957713 for information about this event.

