EVENT ID 4625 with same computer name as account name

ABT 6 Reputation points
2022-02-18T21:41:39.113+00:00

I am getting Event ID 4625 with the same computer name as the account name in the Security event log.
The system is a Windows 2016 RD Gateway Manager server.
Users can successfully log in with RD Gateway Manager.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/18/2022 3:25:28 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XX.XX.COM
Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: COMPUTER NAME
Account Domain: XX

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: COMPUTER NAME
Source Network Address: ::1
Source Port: 63422

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-02-18T20:25:28.330254500Z" />
<EventRecordID>345349</EventRecordID>
<Correlation ActivityID="{AB53A549-05AE-0000-5BA5-53ABAE05D801}" />
<Execution ProcessID="1152" ThreadID="10592" />
<Channel>Security</Channel>
<Computer>XX.XX.COM</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">COMPUTER NAME</Data>
<Data Name="TargetDomainName">INSYNCHCS</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">COMPUTER NAME</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">63422</Data>
</EventData>
</Event>

Windows for business | Windows Server | User experience | Other

5 answers

  1. Limitless Technology 44,766 Reputation points
    2022-02-23T15:42:13.403+00:00

    Hello @ABT

    Yes, because this event is generated on the computer where access was attempted. It is generated on the computer where a logon attempt was made; for example, if a logon attempt was made on the user's workstation, then the event will be logged on that workstation. The name in "Account For Which Logon Failed" shows the name of the account that attempted the logon request.

    Here is a link to help you out with understanding the event.
    4625(F): An account failed to log on.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    Hope this resolves your query!

    --
    --If the reply is helpful, please Upvote and Accept it as an answer--
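The fields quoted in the event above, pulled out in bulk from the local Security log and filtered for the exact pattern the question shows (target account equal to the host name, NTLM, loopback source, sub-status 0xC0000064): an added PowerShell example, not code from the thread or from Microsoft. It assumes the redacted COMPUTER NAME is the local host and that it is run in an elevated session on the RD Gateway server; the sub-status table is taken from the 4625 reference linked in the answer above.

```powershell
# Added example, not code from the thread: triage the 4625 pattern posted above
# from the local Security log. Run elevated on the RD Gateway server itself.
# Assumption: the redacted "COMPUTER NAME" is this host's name ($env:COMPUTERNAME).

# Sub-status meanings, from the 4625 reference linked in the answer above.
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'correct user name, bad password'
    '0xc000006f' = 'logon outside authorized hours'
    '0xc0000070' = 'unauthorized workstation'
    '0xc0000071' = 'expired password'
    '0xc0000072' = 'account disabled'
    '0xc0000133' = 'clock skew too large'
    '0xc000015b' = 'logon type not granted'
    '0xc000018c' = 'trust relationship failed'
    '0xc0000193' = 'account expired'
    '0xc0000234' = 'account locked out'
}

$hostName = $env:COMPUTERNAME

# Newest 5000 failures; add StartTime = (Get-Date).AddDays(-7) to the hashtable to bound by time.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

$parsed = foreach ($e in $events) {
    # ToXml() returns the same <EventData> block shown in the post; flatten it by Name.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = [string]$n.'#text' }
    $sub = ([string]$d['SubStatus']).ToLower()
    [pscustomobject]@{
        Time        = $e.TimeCreated
        TargetUser  = $d['TargetUserName']
        TargetDom   = $d['TargetDomainName']
        LogonType   = $d['LogonType']
        LogonProc   = ([string]$d['LogonProcessName']).Trim()   # "NtLmSsp " carries a trailing space
        AuthPkg     = $d['AuthenticationPackageName']
        Workstation = $d['WorkstationName']
        IpAddress   = $d['IpAddress']
        IpPort      = $d['IpPort']
        ProcessId   = $d['ProcessId']        # 0x0 for network logons: the caller process is not recorded
        SubStatus   = $sub
        Reason      = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { 'other' }
    }
}

# The pattern from the post. A computer account authenticates as NAME$; a bare
# NAME is looked up as a user account, which does not exist, hence 0xC0000064.
$suspect = $parsed | Where-Object {
    ($_.TargetUser -replace '\$$', '') -ieq $hostName -and
    $_.AuthPkg -eq 'NTLM' -and
    $_.IpAddress -in @('::1', '127.0.0.1')
}

$suspect | Sort-Object Time |
    Format-Table Time, TargetUser, TargetDom, Workstation, IpAddress, IpPort, SubStatus, Reason -AutoSize

# Cadence narrows the search: a steady interval suggests a service or scheduled
# task retrying a stored credential, a burst suggests an interactive action.
$suspect | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Select-Object Name, Count
```

Because the caller process ID is 0x0 for NtLmSsp network logons, the event itself never names the process; the timing table is what you use to decide which local scheduled tasks, services or browser sessions to check next.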


  2. James Clayton 1 Reputation point
    2022-04-07T19:31:22.65+00:00

    @ABT The SID, Name, and Caller Process are blank because Windows Event Logs use compression to store the logs. Meaning there is an earlier event with that information. Microsoft then uses " - " as a placeholder for the compressed details.

    It looks like there is a loopback process causing this failure. The Source Network Address is ::1, the IPv6 loopback address.

    Did you figure this out? If not you can run Wireshark and choose the loopback adapter. Or, you can use TCPView and check the IPv6 processes.


  3. James Clayton 1 Reputation point
    2022-04-07T19:35:23.057+00:00

    This could be cached credentials in the browser.

    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

    Source Network Address: The IP address of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. If this logon is initiated locally the IP address will sometimes be 127.0.0.1 instead of the local computer's actual IP address. This field is also blank sometimes because Microsoft says "Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out."


  4. Loeun Sokoeun 0 Reputation points
    2024-01-19T10:37:03.98+00:00

    Hello there, I would love to know if someone has found the root cause of this kind of login failure log and how to get rid of them. Regards, Sokoeun


  5. James Clayton 51 Reputation points
    2024-01-20T14:42:06.87+00:00

    The situation where a computer account is reported as having an "unknown user name or bad password" in an Event ID 4625 log can indeed seem confusing. However, there are a few scenarios where this could happen:

    Machine Account Password Mismatch: While rare, it's possible for the password of a computer account to become out of sync with the domain controller. This can happen due to various reasons like restoration of an old system state, issues with the domain controller, or network problems causing synchronization issues.

    Stale Computer Account: If the computer has been offline for an extended period (beyond the domain's machine account password reset interval), its account may become stale, leading to authentication issues.

    Duplicate Names: If another computer with the same name tries to join the domain, it might cause conflicts resulting in such log entries.

    Malfunctioning Services or Processes: Certain services or processes that use the computer account for network operations might malfunction and send incorrect credentials.

    External Interference or Attack: Although less common, an external entity might be trying to use the computer's account name to gain access, leading to failed logon attempts recorded in the logs.

    To investigate this issue:

    Check the Computer's Domain Membership: Verify that the computer "Dell-56" is correctly joined to the domain and there are no issues with its trust relationship with the domain.

    Examine Network Issues: Look for any network connectivity problems that might be affecting the computer's ability to communicate with the domain controller.

    Review System and Application Logs: Check for any errors or issues in the system and application logs around the time of the failed logon attempts that might provide more context.

    Validate Computer Account Status in AD: Ensure the computer account in Active Directory is active and not disabled.

    Consider Rejoining the Domain: If other methods don’t resolve the issue, removing and then rejoining the computer to the domain can sometimes fix such problems.

    Security Review: If you suspect malicious activity, a thorough security review and monitoring might be necessary to rule out any external threats.

    Remember, while the Event ID 4625 log provides important clues, often a broader investigation is needed to pinpoint the exact cause of such anomalies.

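The investigation steps listed in the answer above, as an added PowerShell example that is not part of the thread. It assumes an elevated session on the affected server, that the RSAT ActiveDirectory module is installed, and that the account named in the 4625 event is this host (change `$target` to check another computer); `nltest` is the built-in tool, not something the thread mentions.

```powershell
# Added example, not code from the thread: the checks listed in the answer above,
# as run from an elevated PowerShell session on the affected server.
# Assumptions: RSAT ActiveDirectory module is present; $target is the computer
# named in the 4625 event (here, this host).
$target = $env:COMPUTERNAME
$domain = $env:USERDOMAIN

# Domain membership / trust relationship (step 1). $false here means the machine
# account password no longer matches what the DC holds.
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel to $domain OK: $channelOk"

# Which DC this host is bound to and whether it answers (step 2).
nltest "/sc_query:$domain"

# Computer account state in AD (step 4): enabled, password age, expected logon name.
Import-Module ActiveDirectory
$acct = Get-ADComputer -Identity $target -Properties Enabled, PasswordLastSet, LastLogonDate, DNSHostName
$acct | Select-Object Name, SamAccountName, Enabled, PasswordLastSet, LastLogonDate, DNSHostName | Format-List

# A computer authenticates as its sAMAccountName, which ends in '$'. If the 4625
# shows the bare name, that is a user-account lookup, not the machine account.
"Expected logon name for this host: $($acct.SamAccountName)"

# Machine account passwords rotate every 30 days by default; a much older value
# means the account has gone stale (the "offline too long" case above).
$pwAge = (Get-Date) - $acct.PasswordLastSet
"Machine account password age: {0:N0} days" -f $pwAge.TotalDays

# Duplicate names: any user or other object whose name equals the host name?
Get-ADObject -Filter "Name -eq '$target' -or SamAccountName -eq '$target'" |
    Select-Object Name, ObjectClass, DistinguishedName

# System log context around the failures (step 3): Netlogon/Kerberos/LSA errors
# and warnings in the last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Netlogon|Kerberos|LsaSrv' } |
    Select-Object TimeCreated, Id, ProviderName, Message -First 20 | Format-List

# If the secure channel is broken, repair it before resorting to a full rejoin
# (step 5): this resets the machine account password using a domain account
# that has rights to it.
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential "$domain\admin")
```

If `Test-ComputerSecureChannel` returns `$true`, the computer account is enabled, and the password age is within the rotation window, the machine account itself is healthy and the failures are coming from something on the box presenting the host name as a user name, which is where the loopback triage earlier in the thread takes over.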
