Event ID 4625
An account failed to log on
An account failed to log on.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Logon Type: %11
Account For Which Logon Failed:
Security ID: %5
Account Name: %6
Account Domain: %7
Failure Information:
Failure Reason: %9
Status: %8
Sub Status: %10
Process Information:
Caller Process ID: %18
Caller Process Name: %19
Network Information:
Workstation Name: %14
Source Network Address: %20
Source Port: %21
Detailed Authentication Information:
Logon Process: %12
Authentication Package: %13
Transited Services: %15
Package Name (NTLM only): %16
Key Length: %17
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Auditing:
Always
It is recommended to enable auditing for all associated subcategories on domain controllers, servers and workstations.
CJIS 5.4.1.1.1
ISO 27001:2013 A.12.4.3
PCI 3.2.1: 10.2.4
HIPAA: 164.308 (a)(5)(ii)(C)
NIST SP 800-53: AC-2
NIST 800-171: 3.1.1
CMMC v2 L1: AC.L1-3.1.1
Name | Field | Insertion String | OS | Example
--- | --- | --- | --- | ---
Security ID | SubjectUserSid | %1 | Any | SYSTEM
Account Name | SubjectUserName | %2 | Any | DC01$
Account Domain | SubjectDomainName | %3 | Any | DOMAIN
Logon ID | SubjectLogonId | %4 | Any | 0x3e7
Security ID | TargetUserSid | %5 | Any | NULL SID
Account Name | TargetUserName | %6 | Any | Username
Account Domain | TargetDomainName | %7 | Any | DOMAIN
Status | Status | %8 | Any | View Codes
Failure Reason | FailureReason | %9 | Any | User logon with expired password.
Sub Status | SubStatus | %10 | Any | View Codes
Logon Type | LogonType | %11 | Any | View Codes
Logon Process | LogonProcessName | %12 | Any | User32
Authentication Package | AuthenticationPackageName | %13 | Any | Negotiate
Workstation Name | WorkstationName | %14 | Any | ComputerName
Transited Services | TransmittedServices | %15 | Any | -
Package Name (NTLM only) | LmPackageName | %16 | Any | -
Key Length | KeyLength | %17 | Any | 0
Caller Process ID | ProcessId | %18 | Any | 0x1b8
Caller Process Name | ProcessName | %19 | Any | C:\Windows\System32\winlogon.exe
Source Network Address | IpAddress | %20 | Any | 127.0.0.1
Source Port | IpPort | %21 | Any | 0
Field Descriptions:
Security ID (SubjectUserSid): SID of the account that reported information about the logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name (SubjectUserName): The user name that reported information about the logon failure, e.g. the local computer account.
Account Domain (SubjectDomainName): Subject’s domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: DOMAIN
- Lowercase full domain name: domain.local
- Uppercase full domain name: DOMAIN.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID (SubjectLogonId): Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Security ID (TargetUserSid): SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name (TargetUserName): The user account that failed to log on.
Account Domain (TargetDomainName): Target account’s domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: DOMAIN
- Lowercase full domain name: domain.local
- Uppercase full domain name: DOMAIN.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Status (Status): Hex format. The reason why the logon failed.
Failure Reason (FailureReason): Textual explanation of the Status field value. For this event it typically has “Account locked out” or “Unknown user name or bad password”. Refer to the Typical Failure Logon Errors table for more information.
Sub Status (SubStatus): Additional information about the logon failure.
Logon Process (LogonProcessName): The name of the trusted logon process that was used for the logon attempt.
Authentication Package (AuthenticationPackageName): The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in the “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded, a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded, along with the package name. The most common authentication packages are:
- NTLM – NTLM-family authentication.
- Kerberos – Kerberos authentication.
- Negotiate – the Negotiate security package selects between the Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
Workstation Name (WorkstationName): The machine name from which the logon attempt was performed.
Transited Services (TransmittedServices): [Kerberos-only] The list of transited services. Transited services are populated if the logon was the result of an S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos protocol that allows an application service to obtain a Kerberos service ticket on behalf of a user, most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/en-us/library/cc246072.aspx
Package Name (NTLM only) (LmPackageName): Only populated if “Authentication Package” = “NTLM”. The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during the logon attempt. Possible values are:
- “NTLM V1”
- “NTLM V2”
- “LM”
Key Length (KeyLength): The length of the NTLM session security key, typically 128 bits or 56 bits. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable to the Kerberos protocol. This field will also have the value “0” if Kerberos was negotiated using the Negotiate authentication package.
Caller Process ID (ProcessId): Hexadecimal process ID of the process that attempted the logon. The process ID (PID) is a number used by the operating system to uniquely identify an active process.
Caller Process Name (ProcessName): Full path and name of the executable for the process.
Source Network Address (IpAddress): IP address of the machine from which the logon attempt was performed.
Source Port (IpPort): Source port which was used for the logon attempt from the remote machine. 0 for interactive logons.
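As an added example (not part of this reference page), the following Python parses 4625 events in the Windows event XML layout using the Field names from the table above, normalises the blank Workstation Name case the text mentions, and groups failures by Source Network Address so that one source failing against many accounts stands out. The XML-building helper, the sample values and the account threshold are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace of the Windows event XML schema (Event Viewer "XML View", Get-WinEvent .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# The two logon types the page calls out as most common.
LOGON_TYPE_NAMES = {"2": "Interactive", "3": "Network"}

def make_event_xml(**data):
    """Constructed helper: build a minimal 4625 event in the EventData layout (not a real capture)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4625</EventID><Channel>Security</Channel></System>"
            f"<EventData>{fields}</EventData></Event>")

def parse_4625(xml_text):
    """Return EventData fields as a dict keyed by the Field names in the table (None if not a 4625)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["LogonTypeName"] = LOGON_TYPE_NAMES.get(fields.get("LogonType", ""), "Other")
    # Workstation Name is not always available; treat blank or "-" as absent so grouping ignores it.
    if fields.get("WorkstationName", "-") in ("", "-"):
        fields["WorkstationName"] = None
    return fields

def spray_sources(events, min_accounts=3):
    """Map each Source Network Address to the distinct accounts it failed against,
    keeping only sources that hit at least min_accounts accounts (one source, many users)."""
    targets = defaultdict(set)
    for ev in events:
        if ev and ev.get("IpAddress", "-") not in ("", "-"):
            targets[ev["IpAddress"]].add(ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", ""))
    return {ip: sorted(a) for ip, a in targets.items() if len(a) >= min_accounts}

# Constructed sample: four network failures from 10.0.0.5 against different accounts,
# plus one local interactive failure. Status/SubStatus are the standard bad-password pair.
SAMPLE_EVENTS = [parse_4625(make_event_xml(
    TargetUserName=u, TargetDomainName="DOMAIN", LogonType="3", Status="0xc000006d",
    SubStatus="0xc000006a", IpAddress="10.0.0.5", WorkstationName="-", KeyLength="0"))
    for u in ("alice", "bob", "carol", "dave")]
SAMPLE_EVENTS.append(parse_4625(make_event_xml(
    TargetUserName="svc_backup", TargetDomainName="DOMAIN", LogonType="2", Status="0xc000006d",
    SubStatus="0xc000006a", IpAddress="127.0.0.1", WorkstationName="DC01", KeyLength="0")))
```

Calling spray_sources(SAMPLE_EVENTS) returns only 10.0.0.5 with its four target accounts; the local interactive failure is a single account and is not reported.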
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /category:Logon/Logoff