This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello. Ok, I'm really not very familar with Event Viewer at all, but I was tinkering around with it this morning and I noticed muliple logins and logoffs in the security tab that were unrelated to actual Logins and logoffs. Also I noticed there were a bit of entries called "Audit Failures." I looked around on the internet for some answers, but couldn't find much. We have a Windows 7. Could someone please give it to me straight and explain if this is serious or not? There seem to be 3 or 4 different messages, just repeated over and over. Here's some messages of the entries. Hope they're what you're looking for. The "Computer name" entry is there to replace the actual name in the computer. It's not a typo.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/20/2012 5:56:27 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: "Computer name"-HP
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: "Computer name"-HP$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 11
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:"Computer name"
Account Domain: "Computer name"-HP
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000010b
Sub Status: 0x0
Process Information:
Caller Process ID: 0x1498
Caller Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: "Computer name"-HP
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-21T00:56:27.231350000Z" />
<EventRecordID>72605</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="636" />
<Channel>Security</Channel>
<Computer> "Computer name"-HP</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName"> "Computer name"-HP$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName"> "Computer name"</Data>
<Data Name="TargetDomainName"> "Computer name"-HP</Data>
<Data Name="Status">0xc000010b</Data>
<Data Name="FailureReason">%%2304</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">11</Data>
<Data Name="LogonProcessName">CredPro</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName"> "Computer name"-HP</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1498</Data>
<Data Name="ProcessName">C:\Windows\System32\consent.exe</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
That's the most common one. Here's some different ones.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/24/2012 7:44:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: "Computer name" -HP
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: "Computer name"-HP$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: "Computer name"
Account Domain: "Computer name"-HP
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x13d4
Caller Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: "Computer name"-HP
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-25T02:44:04.355000000Z" />
<EventRecordID>73344</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="4620" />
<Channel>Security</Channel>
<Computer> "Computer name"-HP</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName"> "Computer name"-HP$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName"> "Computer name"</Data>
<Data Name="TargetDomainName"> "Computer name"-HP</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">CredPro</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName"> "Computer name"-HP</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x13d4</Data>
<Data Name="ProcessName">C:\Windows\System32\consent.exe</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/12/2012 6:57:09 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: "Computer name" -HP
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: "Computer name"-HP$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: -
Account Domain: -
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc00000dc
Sub Status: 0xc00000dc
Process Information:
Caller Process ID: 0x218
Caller Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-09-12T13:57:09.511600000Z" />
<EventRecordID>68016</EventRecordID>
<Correlation />
<Execution ProcessID="552" ThreadID="588" />
<Channel>Security</Channel>
<Computer>"Computer name"-HP</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">"Computer name"-HP$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="Status">0xc00000dc</Data>
<Data Name="FailureReason">%%2304</Data>
<Data Name="SubStatus">0xc00000dc</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x218</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
That's pretty much the bulk of it. There are some others, but they seem to be slight varations of the messages above, like with different users. Thanks.
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
I found some references that this (C:\Windows\System32\consent.exe) can be tied to malware on your computer. Have a look at this site for some good information and instructions.
http://www.selectrealsecurity.com/malware-removal-guide/
Hope this helps.
It doesn't say anything anout Domain. Just Workgroup. What does that mean then?
Hi,
Check the steps below to find if computer is in a Domain.
a: Right click my computer, Select properties
b: Look in the field: Computer name, domain, and workgroup settings - it should say Workgroup or Domain
c: If it is mentioned Domain, then you are in Domain.
Hope this information helps.
@Jessen P
How do I figure out if I'm connected to Domain Network?
@Cameron O
What do you mean by "tied to malware"? I checked the file and scanned it and found nothing suspicious.
Hi,
Welcome to Microsoft Community and thanks for posting the question.
As per the description provided, you are having issues with error messages in Event viewer.
Is the computer connected to Domain Network?
Applications created with Windows Communication Foundation (WCF) can log security events (either success, failure, or both) with the auditing feature. The events are written to the Windows system event log and can be examined using the Event Viewer.
Application (program) events. Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.
Check the articles mentioned below :
**http://technet.microsoft.com/en-us/library/dd941592(WS.10).aspx**
**http://www.microsoft.com/en-us/download/details.aspx?id=21561**
Reply to us if you face any issues with event viewer or any other Windows Issue, and we would be glad to assist you.
Have a nice day!
Hope this information helps.
