Windows Security Log Event ID 4625

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Logon/Logoff
 • Logon
Type Failure
Corresponding events
in Windows 2003
and before
529 , 530 , 531 , 532 , 533 , 534 , 535 , 536 , 537 , 539  

4625: An account failed to log on

On this page

This is a useful event because it documents each and every failed attempt to logon to the local computer regardless of logon type, location of the user or type of account.

Free Security Log Resources by Randy

Description Fields in 4625

Subject:

Identifies the account that requested the logon - NOT the user who just attempted logged on. Subject is usually Null or one of the Service principals and not usually useful information. See New Logon for who just logged on to the system.

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID

Logon Type:

This is a valuable piece of information as it tells you HOW the user just logged on:  See 4624 for a table of logon type codes.

Account For Which Logon Failed:

This identifies the user that attempted to logon and failed.

  • Security ID:  The SID of the account that attempted to logon. This blank or NULL SID if a valid account was not identified - such as where the username specified does not correspond to a valid account logon name.
  • Account Name: The account logon name specified in the logon attempt.
  • Account Domain: The domain or - in the case of local accounts - computer name.

Failure Information:

The section explains why the logon failed.

  • Failure Reason: textual explanation of logon failure.
  • Status and Sub Status: Hexadecimal codes explaining the logon failure reason. Sometimes Sub Status is filled in and sometimes not. Below are the codes we have observed.

Status and Sub Status Codes Description (not checked against "Failure Reason:") 
0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to logon outside his day of week or time of day restrictions
0xC0000070 workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193 account expiration
0xC0000071 expired password
0xC0000133 clocks between DC and other computer too far out of sync
0xC0000224 user is required to change password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xc000015b The user has not been granted the requested logon type (aka logon right) at this machine

Process Information:

  • Caller Process ID: The process ID specified when the executable started as logged in 4688.
  • Caller Process Name: Identifies the program executable that processed the logon. This is one of the trusted logon processes identified by 4611.

Network Information:

This section identifies where the user was when he logged on. Of course if logon is initiated from the same computer this information will either be blank or reflect the same local computers.

  • Workstation Name: The computer name of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. Workstation may also not be filled in for some Kerberos logons since the Kerberos protocol doesn't really care about the computer account in the case of user logons and therefore lacks any field for carrying workstation name in the ticket request message.
  • Source Network Address: The IP address of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. If this logon is initiated locally the IP address will sometimes be 127.0.0.1 instead of the local computer's actual IP address.  This field is also blank sometimes because Microsoft says "Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out."
  • Source Port: Identifies the source TCP port of the logon request which seems useless since with most protocols' source ports are random.

Detailed Authentication Information:

  • Logon Process: (see 4611)
  • Authentication Package: (see 4610 or 4622)
  • Transited Services: This has to do with server applications that need to accept some other type of authentication from the client and then transition to Kerberos for accessing other resources on behalf of the client.  See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
  • Package name: If this logon was authenticated via the NTLM protocol (instead of Kerberos for instance) this field tells you which version of NTLM was used.  See security option "Network security: LAN Manager authentication level"
  • Key Length: Length of key protecting the "secure channel".  See security option "Domain Member: Require strong (Windows 2000 or later) session key".  If value is 0 this would indicate security option "Domain Member: Digitally encrypt secure channel data (when possible)" failed

Supercharger Free Edition


Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Examples of 4625

An account failed to log on.

Subject:
  
Security ID:  NULL SID
   Account Name:  -
   Account Domain:  -
   Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
   Security ID:  NULL SID
   Account Name:  asdf
   Account Domain: 
Failure Information:
   Failure Reason:  Unknown user name or bad password.
   Status:   0xc000006d
   Sub Status:  0xc0000064

Process Information:
   Caller Process ID: 0x0
   Caller Process Name: -

Network Information:
  
Workstation Name: WIN-R9H529RIO4Y
   Source Network Address: 10.42.42.201
   Source Port:  53176

Detailed Authentication Information:
      Logon Process:  NtLmSsp
   Authentication Package: NTLM
   Transited Services: -
   Package Name (NTLM only): -
   Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources