Windows Security Log Event ID 537
Operating Systems |
Windows Server 2000
Windows 2003 and XP
|
Category | Logon/Logoff |
Type
|
Failure
|
Corresponding events
in Windows
2008 and Vista |
4625
|
537: Logon failure - The logon attempt failed for other reasons.
On this page
Thanks to Isaac at Prism Microsystems (EventTracker) for this explanation:
Event ID 537 is a generic logon failure that most of the time that I've seen it has a blank user name, to figure out what the true underlying cause of the logon failure you need to look at the Status Code and Substatus Code in the description. The codes that I see most often when talking to customers is:
Status code: 0xC000006D
Substatus code: 0xC0000133
These 2 codes indicate that the workstation clock is more than 5 mins out of sync with the Domain Controller. I have put together a blog entry on how to analyze event 537.
Here's a link to the status codes at MSDN
Free Security Log Resources by Randy
- User Name:
- Domain:
- Logon Type:
- Logon Process:
- Authentication Package:
- Workstation Name:
The following fields are added in Windows Server 2003:
- Caller User Name:
- Caller Domain:
- Caller Logon ID:
- Caller Process ID:
- Transited Services:
- Source Network Address:
- Source Port:
Supercharger Free Edition
Supercharger's built-in Xpath filters leave the noise behind.
Free.
Event Type: Failure Audit
Event Source: Security
Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.144
Source Port: 0
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection