Event 4625 keeps happening every day at (nearly) the same time

Anonymous
2019-08-29T22:08:22+00:00

I was checking Event Viewer to keep track of some stuff and realized I've been having security audit failures every day since August 25th (there are no entries before this date). I remember doing a System Restore on the day before, which might explain why I don't have any older events in the security event log (not sure if they get erased by a System Restore?). I'm not sure if this problem started on the 25th or before that as I don't check Event Viewer very often, but I'm a bit confused since, from what I gathered after a bit of googling, this event seems related to a Windows Server issue that might happen when someone tries to log in/hack(?) into a server. My machine isn't running a server - it's my personal computer. Also, the account where this "failed log on attempt" happens is the default Windows 10 guest account that I don't even have activated on my machine. How is this possible? Here's the log, I'd really appreciate it if someone could explain it to me a little better:

```
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          29-Aug-19 1:18:38 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SKELETOR
Description:
An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: guest
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: \(my ip)
    Source Network Address: (my ip)
    Source Port: 60163

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
```

My first concern was that this could be someone trying to hack into my computer, but I ran several malware/virus scans very recently and couldn't find any threat. My computer also seems to be working normally; I haven't run into any BSODs or anything particularly odd/suspicious. This Event always pops up in Event Viewer around 1 PM, and there are always two logon attempts with roughly 5 seconds between them. I don't understand a lot about tech stuff so this seems very scary and confusing to me. The only other "different" thing I did on the 24th/25th was that I accidentally enabled Windows 10's update to version 1903, then used the System Restore I mentioned before to stop it. There are still some leftover files from the unfinished 1903 update on my computer, and I'm wondering if I should actually update to 1903 to try and see if this issue can be fixed. I'd really appreciate any advice/help on this issue since this is all very intimidating and scary to me.

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community.

5 answers

  1. Anonymous
    2019-09-01T16:08:58+00:00

    Hello...

    I've erased the stored passwords but the event is still happening. I'm not really sure what else I could try. Is it worth reinstalling Windows over this? I'm sorry for all the messages, I'd just really appreciate any assistance/guidance with this matter.

    2 people found this answer helpful.
  2. Anonymous
    2019-08-31T23:54:08+00:00

    The issue is still happening. I haven't tried deleting the saved passwords yet since first I'd like to know if it's safe for me to do it (doesn't seem unsafe, but I'd still like some confirmation). Today it happened earlier than usual (around 11:42 AM, not much time after I had booted up my computer). I tried using GlassWire to detect network activity at the moment it happened and could only find a few Windows processes and some Avast processes as well. I have a few more ideas to try and identify what might be causing this, but I'd really appreciate any help/suggestions anyone might have. And sorry again for posting so many times in a row! Just thought it'd be a good idea to report what I've tried so far.

    1 person found this answer helpful.
  3. Anonymous
    2019-08-30T16:48:31+00:00

    Hi, thanks for your reply. I've updated to Windows 1903 overnight and uninstalled some unused programs hoping it would fix the problem, but unfortunately it's still happening. I've checked Task Scheduler as you've suggested but the Task Status Window is completely blank (0 running, 0 succeeded, 0 stopped, 0 failed) no matter which time interval I select. I tried checking the Task Scheduler Library and the closest I could find was 'GoogleUpdateTaskMachineUA' - apparently it ran at 1:21 PM, and Event Viewer shows 2 Event 4625 at 1:28 PM. I should also mention this - these events always happen around 1 PM, but they're never at the exact same time and always happen a few minutes later on the following day. For example, it happened at 1:18 PM yesterday, and today it happened at 1:28 PM.

    I don't think 'GoogleUpdateTaskMachineUA' is causing this, mostly because it seems to run multiple times per day (every 1 hour, according to Task Manager) and the 4625 logs only show up at one given time. Is there some way for me to find what tasks/processes/etc are connecting to a specific port? The 4625 logs always show a different source port:

    ```
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          30-Aug-19 1:28:28 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SKELETOR
    Description:
    An account failed to log on.

    Subject:
        Security ID: NULL SID
        Account Name: -
        Account Domain: -
        Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: guest
        Account Domain:

    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xC000006D
        Sub Status: 0xC0000064

    Process Information:
        Caller Process ID: 0x0
        Caller Process Name: -

    Network Information:
        Workstation Name: \(my ip)
        Source Network Address: (my ip)
        Source Port: 64511

    Detailed Authentication Information:
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0
    ```

    This time, it used 64511 and 64503 as its source ports on the two logon attempts. My computer seems to be behaving normally but I'm really concerned about the possibility of someone spying on me in some way because of these logs. I was really hoping that updating to 1903 would fix it in some way. :(

    EDIT: It just happened a second time at 1:55 PM. Again, two attempts, separated by roughly 5 seconds each. This is the log for one of them: 

    ```
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          30-Aug-19 1:55:31 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SKELETOR
    Description:
    An account failed to log on.

    Subject:
        Security ID: NULL SID
        Account Name: -
        Account Domain: -
        Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: guest
        Account Domain:

    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xC000006D
        Sub Status: 0xC0000064

    Process Information:
        Caller Process ID: 0x0
        Caller Process Name: -

    Network Information:
        Workstation Name: \ (my ip)
        Source Network Address: (my ip)
        Source Port: 64663

    Detailed Authentication Information:
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0
    ```

    I've checked Task Scheduler a second time and couldn't find anything that happened during this time. GoogleUpdateTaskMachineUA didn't run a second time, so I don't think it has anything to do with this task.

    Second edit: not sure if it's relevant/could be related, but I have a few 'gupdate' errors in my Event Log, and, after doing some research, they have something to do with Google Updates? I don't think GoogleUpdateTaskMachineUA is related to my issue but then again I don't understand much about these logs! Let me know if you have something specific in mind for me to check. I'd also like to know if you think these might be attempts from someone at hacking my computer, or something less dangerous (I've read a lot about Event 4625 but since I'm not running a server, I don't really understand how someone else would be able to request logon to my machine). I ran several malware/virus scans only a short while ago and couldn't find anything suspicious or unusual, and I have Windows Firewall enabled as well. The "Network Information" area shows my own IP address (and the Event Log explains that it shows where the logon attempt came from), so I'm assuming these logon attempts are coming from my own computer rather than someone else's. Is this correct?

    1 person found this answer helpful.
  4. Anonymous
    2019-08-31T01:48:58+00:00

    One more thing (sorry for all the questions!) - I've been researching this event a bit more and I found this solution on several different pages. Many people suggest that this event can be triggered by a "stale hidden credential". This reminded me I've changed my Windows account password some days ago, and now I'm starting to wonder if this could be related to my issue. The people in these pages suggest that deleting the saved credentials can fix this issue. I've checked my computer's Credentials Manager and it seems I have quite a few saved passwords (my old password is probably still in there somewhere). Would it be safe for me to delete these to see if this could fix my issue?

  5. Anonymous
    2019-08-30T12:53:44+00:00

    Hi,

    Thank you for writing to Microsoft Community Forums.

    I understand that you are getting the Event ID 4625 on your PC at a specific time.

    I have been researching this and found some information which might be helpful for you. You can refer to the article 4625(F): An account failed to log on.

    However, as you have mentioned that the Event ID is getting triggered at a particular time, there is a possibility that a task is being executed at that time interval. I would suggest that you check the Task Scheduler and see if any task is executed at that time.

    1. Press the Windows + S keys together and type Task Scheduler.
    2. Now, in the left-hand pane, click on Task Scheduler (local).
    3. Now, under Task Status, select the drop-down for Last 24 hours/Last hour and check if any task is executing at 1 PM.

    Please get back to us with the detailed information to assist you further.

    We await your response.

    Regards,

    Prakhar Khare

    Microsoft Community – Moderator
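
The Task Scheduler check from the steps above can also be run from an elevated PowerShell prompt, together with a breakdown of the 4625 fields shown in the question. This is an added example, not part of the original thread; the 10-minute window, the 20-event limit and the output column names are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt (reading the Security log needs admin rights).
$windowMinutes = 10   # assumed correlation window around each failed logon

# Addresses that belong to this PC, to tell local attempts from remote ones.
# Heuristic: link-local IPv6 entries may carry a scope suffix and not match.
$localIps = @('127.0.0.1', '::1') + (Get-NetIPAddress).IPAddress

# Most recent failed logons (Event ID 4625), with the named EventData fields flattened.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            Account    = $data['TargetUserName']
            LogonType  = $data['LogonType']     # 3 = network logon
            Status     = $data['Status']        # 0xC000006D = logon failure
            SubStatus  = $data['SubStatus']     # 0xC0000064 = account name does not exist
            Source     = '{0}:{1}' -f $data['IpAddress'], $data['IpPort']
            FromThisPc = $localIps -contains $data['IpAddress']
        }
    }

# Last run time of every registered task, including tasks in subfolders.
$tasks = Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; LastRun = $info.LastRunTime }
}

# For each failure, list the tasks whose last run falls inside the window.
$failures | ForEach-Object {
    $f = $_
    $near = $tasks | Where-Object {
        $_.LastRun -and [math]::Abs(($f.Time - $_.LastRun).TotalMinutes) -le $windowMinutes
    }
    $f | Add-Member -NotePropertyName NearbyTasks -NotePropertyValue ($near.Task -join '; ') -PassThru
} | Format-List
```

LastRunTime holds only each task's most recent run, so the correlation is meaningful only when the script is run shortly after a new 4625 entry appears.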
