Thursday, January 03, 2013 10:39 AM
Hello I have many of those events, about 10 per seconds and for about 15 minutes.
An account failed to log on. Subject: Security ID: SYSTEM Account Name: WIN-ML7A3VSKKVU$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 8 Account For Which Logon Failed: Security ID: NULL SID Account Name: root Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x444 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-ML7A3VSKKVU Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0
I'm try to identify the source of the problem, I have checked the services but I didn't find anything strange, I compared the running services with other severs and they are the same. The only thing that I have found is a task in windows scheduler for windows defender and it starts exactly a few seconds before the audit failures. When I start the task it doesn't generate any exception and it runs for less than a minute.
Friday, January 04, 2013 5:31 AMModeratorHi,
Thanks for posting in Microsoft TechNet forums.
Please check the information in the thread below which is also related to the Audit Failure Event 4625 (Unknown user name or bad password):
Audit Failure event ID 4625
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Thursday, January 10, 2013 3:29 AM