4625 the gift that keeps on giving...

BR0KK 641 Reputation points
2020-12-23T10:44:23.82+00:00

Hi there...

I have this error ID pop up (a thousand times) on a remote computer that I connected to via SMB.

The remote PC is on a different network than my work pc. This network is connected to my work pc through a BOVPN tunnel.

What I did:

Windows Explorer --> \\ipadressremotepc\c$

I was prompted for user credentials, which I typed in, and they were accepted.

Windows Explorer showed me the files under c$ and I copied a few files to my work PC.

SolarWinds tripped the logon attempts test with multiple thousands of 4625 errors.

Like always, there is not much information given in the Windows logs.

The error messages show that my PC is trying to connect to that remote PC with my credentials, not the user credentials of said remote PC.

How do I find out what application or process is trying so desperately to connect to the remote PC?

How do I stop this behavior?

This is obviously Windows still trying to contact the remote machine. It's constantly trying to open up an SMBv2 connection and fails.

I have Wireshark running and can see that my PC tries to contact the remote PC.
I also have Process Explorer open and I found this connection in one of the open svchost.exe processes... I found it and lost it again because it showed the IP of the remote PC but it quickly disappeared...

Thanks


1 answer

  1. Daisy Zhou 18,471 Reputation points Microsoft Vendor
    2020-12-24T08:32:57.397+00:00

    Hello @BR0KK

    Thank you for posting here.

    To better understand our issue, please confirm the following information below:

    1. Can you see which account (Account Name) failed to log on via event 4625?
    2. Can you see which machine (workstation name or Source Network Address) the user logged on from via event 4625?
    3. Can you see why (failure reason) the account failed to log on via event 4625?
    4. Can you see which process (Caller Process Name) via event 4625?
    5. For all the event 4625 entries, do you mean it is the same account that failed to log on?

    For example:
    51111-4625.png

    Best Regards,
    Daisy Zhou
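
The fields asked about in the answer above (account, workstation or source address, failure reason, caller process) are named `Data` elements in the 4625 event XML. The following PowerShell is an added example, not part of the original thread; the helper name `ConvertFrom-FailedLogonXml` and the sample event are constructed for illustration.

```powershell
# NTSTATUS values commonly seen in the Status/SubStatus fields of event 4625.
$FailureCodes = @{
    '0xC000006D' = 'Bad user name or authentication information'
    '0xC000006A' = 'Correct user name, wrong password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000234' = 'Account locked out'
    '0xC0000072' = 'Account disabled'
}
function ConvertFrom-FailedLogonXml {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $d = @{}   # EventData as a name -> value table
        foreach ($n in ([xml]$Xml).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # SubStatus is the more specific code; fall back to Status when it is 0x0.
        $reason = $FailureCodes[[string]$d.SubStatus]
        if (-not $reason) { $reason = $FailureCodes[[string]$d.Status] }
        [pscustomobject]@{
            Account       = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            Workstation   = $d.WorkstationName
            SourceAddress = $d.IpAddress
            LogonType     = $d.LogonType      # 3 = network logon (SMB)
            Reason        = if ($reason) { $reason } else { "$($d.Status)/$($d.SubStatus)" }
            CallerProcess = $d.ProcessName    # often '-' for network (type 3) logons
        }
    }
}
# Constructed sample event (values are placeholders, not taken from the thread).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WORKPC</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WORKPC</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-FailedLogonXml
# Live use, elevated, on the machine that logs the failures:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1000 |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-FailedLogonXml |
#   Group-Object Account, SourceAddress, Reason, CallerProcess | Sort-Object Count -Descending
```

Grouping the live output shows whether the thousands of failures share one account, one source address and one failure reason, which is what question 5 in the answer is asking.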
