event-4625 without ip and port

Eric Jiang 0 Reputation points
2023-09-13T03:29:11.4866667+00:00

On WinServer 2012 R2 and below, NTLM logins do not have IP and Port records. This issue has been fixed in 2016. May I know if there are any related patch packs for 2012 and below?


1 answer

  1. Wesley Li 11,090 Reputation points
    2023-09-28T12:26:57.91+00:00

    Hello

    According to a discussion on GitHub, Windows Server 2012 and below do not record IP and Port details for NTLM logins in Event 4625. This issue has been fixed in Windows Server 2016. Unfortunately, I couldn’t find any specific patches for Windows Server 2012 and below to address this issue.

    However, you might be able to get more detailed logs by enabling certain debug flags. For example, you can use the nltest command to enable more detailed logging for the NetLogon service. Here’s how you can do it:

    Open the Run dialog (Win + R), type in: nltest /dbflag:2080ffff, and press OK.

    Restart the NetLogon service. The related activity may be logged to %windir%/debug/netlogon.log.

    Once you’re done with the debugging, don’t forget to disable it by opening the Run dialog again, typing in: nltest /dbflag:0, and pressing OK.

    Please note that these steps should be performed by an IT professional or under their guidance, as they involve changes that could affect your system’s operation.
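
Added example (not part of the answer above and not Microsoft's code): once the Netlogon debug log enabled in the steps above has entries, a PowerShell function like this can list failed logons with the source workstation name each request claimed. The function name `Get-NetlogonFailure`, the assumed `SamLogon: ... logon of ... from ... Returns 0x...` line layout and the sample lines are constructed for illustration; these lines carry a workstation name, not an IP address or port.

```powershell
# Parse Netlogon debug-log lines and emit one object per failed logon.
# Assumption: lines look like
#   MM/DD HH:MM:SS [LOGON] [tid] DOMAIN: SamLogon: <type> logon of DOM\user from HOST (via SERVER) Returns 0xNNNNNNNN
function Get-NetlogonFailure {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line
    )
    # A few well-known NTSTATUS values seen on failed logons.
    $meaning = @{
        '0xC000006A' = 'wrong password'
        '0xC0000064' = 'no such user'
        '0xC0000234' = 'account locked out'
    }
    $pattern = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\].*SamLogon: .*?logon of ' +
               '(?<acct>.+?) from (?<src>\S*)(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'
    foreach ($l in $Line) {
        $m = [regex]::Match($l, $pattern)
        if (-not $m.Success) { continue }                        # "Entered" lines and other noise
        $status = $m.Groups['status'].Value
        if ([Convert]::ToUInt32($status, 16) -eq 0) { continue } # 0x0 means the logon succeeded
        $src = $m.Groups['src'].Value
        [pscustomobject]@{
            Time    = $m.Groups['ts'].Value
            Account = $m.Groups['acct'].Value
            Source  = if ($src) { $src } else { '(blank)' }      # some clients send no workstation name
            Via     = $m.Groups['via'].Value
            Status  = $status
            Meaning = $meaning[$status]
        }
    }
}

# Constructed sample lines (not taken from a real system).
$sample = @(
    '09/13 03:29:11 [LOGON] [2460] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Entered'
    '09/13 03:29:11 [LOGON] [2460] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via SRV01) Returns 0xC000006A'
    '09/13 03:29:14 [LOGON] [2460] CONTOSO: SamLogon: Network logon of CONTOSO\admin from  (via SRV01) Returns 0xC0000064'
    '09/13 03:29:20 [LOGON] [2460] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKSTN01 Returns 0x0'
)

# Two failures are reported: jdoe from WKSTN01 and admin from a blank source.
Get-NetlogonFailure -Line $sample | Format-Table -AutoSize

# Against the real log after enabling the debug flag:
#   Get-NetlogonFailure -Line (Get-Content "$env:windir\debug\netlogon.log") |
#       Group-Object Source, Account, Status | Sort-Object Count -Descending
```

The `Source` and `Via` names can then be matched against DNS, DHCP or firewall records to find the address the request came from.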

