EVENT ID 4625 with same computer name as account name

Question

EVENT ID 4625 with same computer name as account name

ABT 6

I am Getting EVENT ID 4625 with same computer name as account name in security event
System is Windows 2016 RD Gateway manger server.
Users can successfully login with RD Gateway manager.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/18/2022 3:25:28 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XX.XX.COM
Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: COMPUTER NAME
Account Domain: XX

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: COMPUTER NAME
Source Network Address: ::1
Source Port: 63422

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-02-18T20:25:28.330254500Z" />
<EventRecordID>345349</EventRecordID>
<Correlation ActivityID="{AB53A549-05AE-0000-5BA5-53ABAE05D801}" />
<Execution ProcessID="1152" ThreadID="10592" />
<Channel>Security</Channel>
<Computer>XX.XX.COM</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">COMPUTER NAME</Data>
<Data Name="TargetDomainName">INSYNCHCS</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">COMPUTER NAME</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">63422</Data>
</EventData>
</Event>
![175976-image.png ]1

5 answers

Your answer

Answer 1

Limitless Technology 44,766

Hello @ABT

Yes because this event is generated on the computer where access was attempted. It generates on the computer where a logon attempt was made, for example, if a logon attempt was made on the user’s workstation, then an event will be logged on this workstation. The name in the account for which logon failed shows the name of the account which attempted the logon request.

Here is a link to help you out with understanding the event.
4625(F): An account failed to log on.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

Hope this resolves your Query!!

--
--If the reply is helpful, please Upvote and Accept it as an answer--

ABT 6 Reputation points

2022-02-23T21:36:20.9+00:00

Thanks for your @Limitless Technology response,

But in my case
Account name=showing workstation name (no user name)
not showing IP address(::1 = may be ipv6 loop back address).

Want to know why this event generated without any SID, Name, Caller process name

Thanks in advance.

Answer 2

@ABT The SID, Name, and Caller Process are blank because Windows Event Logs use compression to store the logs. Meaning, there is an earlier event with that information. Microsoft then uses " - " as a placeholder for the compressed details.

It looks like there is a loopback process causing this failure. The Source Network Address is :::1, IPv6 loopback.

Did you figure this out? If not you can run Wireshark and choose the loopback adapter. Or, you can use TCPView and check the IPv6 processes.

Answer 3

James Clayton 1

This could be cached credentials in the browser.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Source Network Address: The IP address of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. If this logon is initiated locally the IP address will sometimes be 127.0.0.1 instead of the local computer's actual IP address. This field is also blank sometimes because Microsoft says "Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out."

Loeun Sokoeun 0 Reputation points

2023-07-31T02:35:59.6+00:00

Hello @James Clayton, I also receive above log. What can I do to not getting this kind of login failure? I mean is there anything to fix?

Regards,

Sokoeun

Answer 4

Loeun Sokoeun 0

Hello there, I would love to know if someone have found the root cause of this kind of login failure log and how to get rid of them? Regards, Sokoeun

James Clayton 51 Reputation points

2024-01-20T13:36:50.52+00:00

There isn't one answer to question, except there's a process trying to auth with ntlm credentials. The only thing to investigate with is:

Workstation Name: COMPUTER NAME
Source Network Address: ::1
Source Port: 63422 Detailed Authentication Information:
Logon Process: NtLmSsp

So, there's a system owned process that's trying to authenticate on the IPv6 loopback with NTLM. Figuring it out is different because some people might only have a SEIM, others can do a live response. This should be causing a lot of failures, so try to match the process with source port. Use TCPView.exe. Or netstat -abon. TCPLogViewer. Search the Security Log for :::1 or source port.

https://en.wikipedia.org/wiki/NTLMSSP
NTLMSSP (NT LAN Manager (NTLM) Security Support Provider) is a binary messaging protocol used by the Microsoft Security Support Provider Interface (SSPI) to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options. NTLMSSP is used wherever SSPI authentication is used including Server Message Block / CIFS extended security authentication, HTTP Negotiate authentication (e.g. IIS with IWA turned on) and MSRPC services. The NTLMSSP and NTLM challenge-response protocol have been documented in Microsoft's Open Protocol Specification.[1]
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
James Clayton 51 Reputation points

2024-01-20T14:06:50.57+00:00

I think a key detail is NtlmSSP. Based on ComputerName$, :::1, high source port, NtlmSSP, the cause is probably a service. Run TCPView.exe on any computer and filter IPv6. There's a few canidates for auth fails on a domain, like print spooler. Maybe a mapped drive/printer.

in windows, what is binary messaging protocol The Binary Messaging Protocol in Windows is a method used for efficient communication between different components or processes, typically within the Windows operating system. This protocol utilizes binary data formats for messages, which allows for more compact and faster processing compared to text-based protocols.

Here are some key points about Binary Messaging Protocol in Windows:

Efficiency: Binary protocols are generally more efficient than text-based protocols in terms of processing speed and bandwidth usage. This is because binary data is more compact and can be processed more quickly by computers.

Use Cases: It's often used in scenarios where performance is critical, such as in internal communications between system components, or in high-performance applications that require rapid data exchange.

Serialization/Deserialization: Binary messaging involves converting data structures or objects (serialization) into a binary format that can be transmitted over a network or inter-process communication, and then converting it back (deserialization) at the receiving end.

Compatibility: Since it's a binary format, care must be taken to ensure compatibility across different architectures, particularly with regard to byte order (endianness) and data alignment.

Security: While efficient, binary protocols can be more challenging to inspect and debug compared to text-based protocols. Also, they require careful implementation to avoid security vulnerabilities like buffer overflows. Examples: In Windows, binary messaging might be used in COM (Component Object Model) communication, in certain system APIs, or in communication between Windows services.

Custom Protocols: Some Windows applications may implement their own binary messaging protocols for internal use or for communication with other applications or services. I t's important to note that "Binary Messaging Protocol" is a broad term and can refer to various implementations depending on the specific context or application within the Windows ecosystem.

Answer 5

The situation where a computer account is reported as having an "unknown user name or bad password" in an Event ID 4625 log can indeed seem confusing. However, there are a few scenarios where this could happen:

Machine Account Password Mismatch: While rare, it's possible for the password of a computer account to become out of sync with the domain controller. This can happen due to various reasons like restoration of an old system state, issues with the domain controller, or network problems causing synchronization issues.

Stale Computer Account: If the computer has been offline for an extended period (beyond the domain's machine account password reset interval), its account may become stale, leading to authentication issues.

Duplicate Names: If another computer with the same name tries to join the domain, it might cause conflicts resulting in such log entries.

Malfunctioning Services or Processes: Certain services or processes that use the computer account for network operations might malfunction and send incorrect credentials.

External Interference or Attack: Although less common, an external entity might be trying to use the computer's account name to gain access, leading to failed logon attempts recorded in the logs.

To investigate this issue:

Check the Computer's Domain Membership: Verify that the computer "Dell-56" is correctly joined to the domain and there are no issues with its trust relationship with the domain.

Examine Network Issues: Look for any network connectivity problems that might be affecting the computer's ability to communicate with the domain controller.

Review System and Application Logs: Check for any errors or issues in the system and application logs around the time of the failed logon attempts that might provide more context.

Validate Computer Account Status in AD: Ensure the computer account in Active Directory is active and not disabled.

Consider Rejoining the Domain: If other methods don’t resolve the issue, removing and then rejoining the computer to the domain can sometimes fix such problems.

Security Review: If you suspect malicious activity, a thorough security review and monitoring might be necessary to rule out any external threats.

Remember, while the Event ID 4625 log provides important clues, often a broader investigation is needed to pinpoint the exact cause of such anomalies.

Share via

EVENT ID 4625 with same computer name as account name

5 answers

Your answer