Strange type of windows failed authentication security event log ID 4625

Vincent Hii 6 Reputation points
2021-05-27T03:55:38.74+00:00

Has anyone seen this specific type of event 4625? There is not much info as to the source, and it has been happening a fair bit lately on a few servers; they are constant (a block of around 5 of the same event every few minutes).

In summary:
Status: 0xC000006D
Sub Status: 0x0
Logon type: 3 (Network, i.e. connection to a shared folder on this computer from elsewhere on the network)

The usual online searches have led to nothing conclusive.

The eventlog in detail:

An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [computer-name]$
Account Domain: [domain-name]
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.

  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
2 answers

  1. Prince 6 Reputation points
    2021-09-05T06:53:06.87+00:00

    Hi All,

    Even I'm facing exactly the same problem.

    I would be glad if someone from Microsoft could explain.

    Thank you.


    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: WEBCAM
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: -
    Source Network Address: 181.214.206.146
    Source Port: 0

    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: TJACKSON
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: -
    Source Network Address: 181.214.206.146
    Source Port: 0

    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

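The two shapes posted so far look alike at a glance (same Status 0xC000006D, NTLM, logon type 3) but point in different directions: the question's event is a computer account ($) failing with Sub Status 0x0, no source address and no caller process, while the events in this answer are one external address trying account names that do not exist (Sub Status 0xC0000064). The following Python script is an added example, not part of the thread and not Microsoft's tooling: it parses the 4625 message text, labels each event from its Sub Status, and groups failures by source address so the password-guessing pattern stands out from the local NTLM problem. The sample events are constructed (the addresses are from documentation ranges), and the threshold of three events from one source is an assumption.

```python
"""Parse Windows Security event 4625 message text and triage the failures.
Added example, not part of the original thread; the sample events below are
constructed to mirror the two shapes posted in it."""
import re
from collections import defaultdict

# Well-known NTSTATUS codes that 4625 reports in the Sub Status field.
SUBSTATUS = {0xC0000064: "user name does not exist", 0xC000006A: "bad password",
             0xC0000072: "account disabled", 0xC0000234: "account locked out",
             0xC0000071: "password expired", 0xC0000193: "account expired"}
# Message sections, mapped to prefixes for the fields beneath them (both the
# Subject block and the target block carry an 'Account Name').
SECTIONS = {"Subject": "subject", "Account For Which Logon Failed": "target",
            "Failure Information": "failure", "Process Information": "process",
            "Network Information": "network",
            "Detailed Authentication Information": "auth"}
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def _value(raw):
    """'-' or empty means not available; 0x... is hex; plain digits are ints."""
    if raw in ("", "-"):
        return None
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    return int(raw) if raw.isdigit() else raw

def parse_4625(text):
    """Return the fields of one 4625 message as a dict keyed 'section.Field'."""
    fields, section = {}, None
    for m in filter(None, map(FIELD_RE.match, text.splitlines())):
        key, raw = m.group(1).strip(), m.group(2).strip()
        if key in SECTIONS and raw == "":
            section = SECTIONS[key]
            continue
        name = key if key == "Logon Type" or section is None else f"{section}.{key}"
        fields[name] = _value(raw)
    return fields

def classify(ev):
    """Short triage label for one parsed event."""
    target = str(ev.get("target.Account Name") or "")
    sub = ev.get("failure.Sub Status")
    if (target.endswith("$") and ev.get("network.Source Network Address") is None
            and ev.get("auth.Authentication Package") == "NTLM" and not sub):
        # The question's shape: chase it locally (Netlogon debug log, Process Monitor).
        return "local NTLM failure for a computer account (no source, no caller process)"
    return SUBSTATUS.get(sub, "unclassified logon failure")

def summarize_sources(events, min_events=3):
    """Per source address, flag one that cycles through several account names
    that all fail with 0xC0000064: external password guessing / enumeration.
    The threshold of three events from one source is an assumption."""
    by_src = defaultdict(lambda: {"events": 0, "accounts": set(), "nonexistent": 0})
    for ev in events:
        src = ev.get("network.Source Network Address")
        if src is None:
            continue
        b = by_src[src]
        b["events"] += 1
        b["accounts"].add(ev.get("target.Account Name"))
        b["nonexistent"] += ev.get("failure.Sub Status") == 0xC0000064
    out = {}
    for src, b in by_src.items():
        enum = (b["events"] >= min_events and len(b["accounts"]) >= 2
                and b["nonexistent"] == b["events"])
        out[src] = {"events": b["events"], "accounts": sorted(b["accounts"]),
                    "flag": "probable brute force / user-name enumeration" if enum else "no pattern"}
    return out

def make_event(target, domain, sub, src, logon_process, reason):
    """Constructed 4625 message text in the tab-separated layout Windows writes."""
    return ("An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
            "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
            "Logon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n"
            f"\tAccount Name:\t\t{target}\n\tAccount Domain:\t\t{domain}\n\nFailure Information:\n"
            f"\tFailure Reason:\t\t{reason}\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t{sub}\n\n"
            "Process Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\n"
            f"Network Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t{src}\n"
            f"\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\t{logon_process}\n"
            "\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n"
            "\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n")

# Constructed samples; 203.0.113.0/24 is documentation address space.
SAMPLE_EVENTS = [
    make_event("FILESRV01$", "CORP", "0x0", "-", "", "An Error occured during Logon."),
    make_event("WEBCAM", "", "0xC0000064", "203.0.113.7", "NtLmSsp", "Unknown user name or bad password."),
    make_event("TJACKSON", "", "0xC0000064", "203.0.113.7", "NtLmSsp", "Unknown user name or bad password."),
    make_event("ADMIN", "", "0xC0000064", "203.0.113.7", "NtLmSsp", "Unknown user name or bad password."),
    make_event("svc-backup", "CORP", "0xC000006A", "10.0.0.5", "NtLmSsp", "Unknown user name or bad password."),
]

def triage(texts=SAMPLE_EVENTS):
    """Parse each message, label it, and summarise failures per source address."""
    events = [parse_4625(t) for t in texts]
    return [classify(ev) for ev in events], summarize_sources(events)
```

Running triage() on the samples labels the first event as the local computer-account case and the three 203.0.113.7 events as "user name does not exist", and the per-source summary flags 203.0.113.7 (three distinct names, all nonexistent) while the single bad-password attempt from 10.0.0.5 is left unflagged. On a real server the message text comes from the Security log (the field names and layout are the same as in the events pasted above); the computer-account case gives the parser nothing to pivot on, which is why it needs the local tracing the other answer describes.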

  2. Fan Fan 15,276 Reputation points Microsoft Vendor
    2021-05-27T06:28:41.95+00:00

    Hi,

    For some NTLM authentication events, the workstation or caller process fields may be blank.

    The following methods can help you find the caller process or source network address:

    If the frequency of events is high, you can consider using a network monitor or Process Monitor tool. Open the tool and reproduce the problem; the processes will be recorded.

    You can open the netlogon debug log, if the problem reproduces, it will be recorded in the log.

    Regarding enabling debug log, use the following command

    nltest /dbflag:0x2080ffff

    Once the issue has reproduced, turn off the log with the following command

    nltest /dbflag:0x0

    The NetLogon logging level is stored in the following registry value:

    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

    The location of the debug log is: %SYSTEMROOT%\debug\Netlogon.log

    For security reasons, log analysis is not supported here!
    But if you find clues, you can share a screenshot here! (Please hide the private information.)

    Best Regards,
