Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Features

Windows Event ID 4625 – Failed logon

Introduction

Event ID 4625 (viewed in Windows Event Viewer) documents every failed attempt at logging on to a local computer. This event is generated on the computer from where the logon attempt was made. A related event, Event ID 4624 documents successful logons.

Event 4625 applies to the following operating systems: Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, and Windows Server 2016 and Windows 10. Corresponding events in Windows Server 2003 and earlier included 529, 530, 531, 532, 533, 534, 535, 536, 537, and 539 for failed logons.

Event ID 4625 looks a little different across Windows Server 2008, 2012, and 2016. Highlighted in the screenshots below are the important fields across each of these versions. 

Event 4625 (Windows 2008)

Event 4625 (Windows 2008)

Event 4625 (Windows 2012)

Event 4625 (Windows 2012)

Event 4625 (Windows 2016)

Event 4625 (Windows 2016)

Description of Event Fields

The important information that can be derived from Event 4625 includes:

  • Logon Type:This field reveals the kind of logon that was attempted. In other words, it points out how the user tried logging on. There are a total of nine different types of logons. The most common logon types are: logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5 (which denotes a service startup) is a red flag. For a description of the different logon types, see Event ID 4624.
  • Account For Which Logon Failed: This section reveals the Account Name of the user who attempted the logon.
  • Failure Information: This section explains the reasons for the logon failure. The Failure Reason field includes a short explanation, while the Status and Sub Status fields list hexadecimal codes, the most common of which are explained below.
Status and Sub Status Codes Description
0xC0000064 The username is misspelled or does not exist.
0xC000006A The user's password is wrong.
0xC000006D The username or authentication information is incorrect.
0xC0000234 The user is currently locked out.
0xC0000072 The user account is currently disabled.
0xC000006F The user tried to log on outside authorized hours.
0xC0000070 The user tried to log on from an unauthorized workstation.
0xC0000193 The user's account has expired.
0xC0000071 The user's password has expired.
0xC0000133 The domain controller and computer's times are out of sync.
0xC0000224 The user is required to change their password at next logon.
0xc000015b The user has not been granted the requested logon type on that machine.

Other information that can be obtained from Event 4625:

  • The Subject section reveals the account on the local system that requested the logon (not the user).
  • The Process Information section reveals details surrounding the process that attempted the logon.
  • The Network Information section reveals where the user was when they attempted the logon. If the logon was initiated from your current computer, this information will either be blank or reflect that local computer's workstation name and source network address.
  • The Detailed Authentication section reveals information about the authentication package used while attempting the logon.

Reasons to monitor failed logons:

  Security

To detect brute-force, dictionary, and other password guess attacks, which are characterized by a sudden spike in failed logons.

To detect abnormal and possibly malicious internal activity, like a logon attempt from a disabled account or unauthorized workstation, users logging on outside of normal working hours, etc.

  Operational

To come up with a benchmark for the Account lockout threshold policy setting, which determines the number of failed sign-in attempts before a user account gets locked.

  Compliance

To comply with regulatory mandates precise information surrounding failed logons is necessary.

The need for a third-party tool

In a typical IT environment, the number of events with ID 4625 (failed logon) can run into the thousands each day. Failed logons are useful on their own, but greater insights into network activity can be drawn from clear connections between them and other pertinent events.

For example, while Event 4625 is generated when an account fails to log on and Event 4624 is generated for successful logons, neither of these events reveal if the same account has recently experienced both. You have to correlate Event 4625 with Event 4624 using their respective Logon IDs to figure that out. 

Thus, event analysis and correlation needs to be performed. Native tools and PowerShell scripts demand expertise and time when employed to this end, so a third-party tool is truly indispensable.

Applying machine learning, ADAudit Plus creates a baseline of normal activities specific to each user and only notifies security personnel when there is a deviation from this norm.

For example, a user who consistently accesses a critical server outside of business hours wouldn't trigger a false positive alert because that behavior is typical for that user. On the other hand, ADAudit Plus would instantly alert security teams when that same user accesses that server during a time they've never accessed it before, even though the access falls within business hours.

If you want to explore the product for yourself, download the free, fully-functional 30-day trial.

If you want an expert to take you through a personalized tour of the product, schedule a demo.

Detect malicious Active Directory logon activity.

ManageEngine ADAudit Plus employs machine learning to alert you whenever a user with possibly malicious intent logs on.

 
3 of every 5 Fortune 500 companies trust ManageEngine to manage their IT.
 
 
 
 

ADAudit Plus Trusted By

A single pane of glass for complete Active Directory Auditing and Reporting