Windows Security Log Event ID 537

Operating Systems Windows Server 2000
Windows 2003 and XP
Type Failure
Corresponding events
in Windows 2008
and Vista

537: Logon failure - The logon attempt failed for other reasons.

On this page

Thanks to Isaac at Prism Microsystems (EventTracker) for this explanation:

Event ID 537 is a generic logon failure that most of the time that I've seen it has a blank user name, to figure out what the true underlying cause of the logon failure you need to look at the Status Code and Substatus Code in the description.  The codes that I see most often when talking to customers is:

Status code:       0xC000006D

Substatus code:                0xC0000133

These 2 codes indicate that the workstation clock is more than 5 mins out of sync with the Domain Controller.  I have put together a blog entry on how to analyze event 537.

Here's a link to the status codes at MSDN

Free Security Log Resources by Randy

Description Fields in 537

  • User Name:
  • Domain:
  • Logon Type:
  • Logon Process:
  • Authentication Package:
  • Workstation Name:

The following fields are added in Windows Server 2003:

  • Caller User Name:
  • Caller Domain:
  • Caller Logon ID:
  • Caller Process ID:
  • Transited Services:
  • Source Network Address:
  • Source Port:

Supercharger Enterprise


Examples of 537

Event Type:        Failure Audit
Event Source:      Security
Event ID:          537
User:              NT AUTHORITY\SYSTEM
Computer:          DC1
Logon Failure:    
Reason:            An error occurred during logon
User Name:        
Logon Type:        3
Logon Process:     Kerberos
Authentication Package:  Kerberos
Workstation Name:        -
Status code:             0xC000006D
Substatus code:          0xC0000133
Caller User Name:        -
Caller Domain:   -
Caller Logon ID: -
Caller Process ID:    -
Transited Services:   -
Source Network Address:
Source Port:       0


Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources