Event ID 4625.

Question

Hi everyone!

We have a file server that shows several password violations on server statistics. Capturing event ID 4625 and uploading the data to a database, I discovered a few more things. Who are the workstations that most cause the failure and other information about number one in particular.

Answer 1

Hi @Doria ,

What is the question?

The event 4625 (An account failed to log on) can be generated if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.

The event can also be generated on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation.

Reference:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

The failure status code of 0xc000006d means the following:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

----------

(If the reply was helpful please don't forget to upvote or accept as answer, thank you)

Best regards,
Leon

Answer 2

Hi Leon, thanks for your answer.

The question would be who (the process) is doing that? I will try to trace it at the workstation, but if someone has any ideia it will be welcome. For the number of times, it is not human. It may be some malware on the network, so I need to track the source at the station.

Thanks.

Answer 3

Hi,
 
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
 
Best Regards,
Vicky