Audit failure Event ID 4625 Sub Status 0xC0000064 Failure Reason Unknown user name or password

  • Question

  • Hi

    I am seeing this error all the time and am not sure how to resolve this issue.

    The server is Server 2016 Standard and is fully up to date.

    Please could you point me in the direction to resolve this issue as I need to be able to monitor this alert in case the threat is a real one. At the moment a real threat could be missed due to all the false alerts being reported.

    Below is the alert text we are getting

    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: ********$
    Account Domain: *******
    Logon ID: 0x3E7

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Process Information:
    Caller Process ID: 0x2d8
    Caller Process Name: C:\Windows\System32\lsass.exe

    Network Information:
    Workstation Name: *********
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


    Tuesday, May 22, 2018 1:04 PM

All replies

  • Hi,

    This is a general user account audit event. This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.

    Logon Type 3 means a user or computer logged on to this computer from the network.

    Failure Reason: Unknown user name or bad password.

    Status 0xC000006D means this is due to either a bad username or bad authentication information.

    Sub Status 0xC0000064 means a user logon with a misspelled or bad user account.

    In general, we can identify the failed logon attempt via Workstation Name and Source Network Address; if both of them are empty, a network capture tool such as Network Monitor can be considered. Based on the event log time, find the specific logon attempt packet; analyzing the packet will give you more detailed information.

    4625(F): An account failed to log on.:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 23, 2018 3:42 AM
    Moderator
  • Is it a computer account you have blanked out?

    Are there any duplicate DNS records for the IP Address this PC has?


    Robert Pearman Cloud & Datacentre MVP

    Thursday, May 24, 2018 9:53 AM
    Moderator
  • The account is not one we created but a system account that is created by the system.

    The account works for other processes. It is just this process that it fails with.

    I have also seen it on other customers sites.

    There are no DNS issues being reported. It is also not a PC but is a server with Server 2016 installed.

    Thursday, May 24, 2018 10:04 AM
  • Hi,

    I want to confirm with you whether you have enabled the Essentials Experience server role.

    Based on my personal experience, an Essentials-related scheduled task (Task Scheduler Library – Microsoft – Windows Server Essentials – Alert Evaluations) may cause a similar event. If that is your case, try disabling this task temporarily and check the result.

    Best Regards,
    Eve Wang


    Friday, May 25, 2018 6:09 AM
    Moderator
  • Hi Eve

    I have made this change and will monitor over the weekend.

    Thanks for the tip

    Regards

    Andy

    Friday, May 25, 2018 9:52 AM
  • Hi,

    It’s my pleasure. 

    If there is anything else we can do for you, please feel free to let us know. 

    Best Regards,
    Eve Wang


    Monday, May 28, 2018 8:32 AM
    Moderator
  • Hi,

    How are things going on this issue?

    Best Regards,
    Eve Wang


    Monday, June 4, 2018 1:53 AM
    Moderator
  • Hi Eve

    Made the changes that were suggested above. Still getting the same issue.

    This seems to be happening on all our SBS servers that are on different client sites.

    Regards

    Andy


    Monday, June 4, 2018 1:28 PM
  • Hi,

    This is by-design behavior on Windows Server Essentials, including SBS, and can be safely ignored.

    You can confirm this via the suggestion below:
    1. Enable CAPI2 logging by right-clicking Operational under Event Viewer\Applications and Services Logs\Microsoft\Windows\CAPI2 and clicking Enable Log.

    2. Then confirm whether you can see Event ID 30 with source Microsoft-Windows-CAPI2 in the CAPI2 Operational log.

    Best Regards,
    Eve Wang


    Tuesday, June 5, 2018 10:06 AM
    Moderator
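To act on Eve's field walkthrough in her first reply and on the CAPI2 check above, here is an added PowerShell example (not from the thread, Microsoft or the Essentials product) that flags 4625 events matching the exact pattern quoted in the question, reports the remaining failures grouped by source address so a real attempt is not buried, and then enables and reads the CAPI2 Operational log for Event ID 30. The 24-hour window and the function names are my own choices; run it elevated.

```powershell
# Added example, not from the thread. Field names (SubjectUserSid, TargetUserSid,
# LogonProcessName, IpAddress, ...) are the EventData names of Security event 4625.

function Test-EssentialsSchannelNoise {
    # True when a 4625 record matches every field of the event quoted in the question:
    # Logon Type 3, Status 0xC000006D / Sub Status 0xC0000064, Logon Process Schannel,
    # Subject = SYSTEM (S-1-5-18), target = NULL SID (S-1-0-0) with no account name,
    # and no source address.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return ($d.LogonType -eq '3') -and ($d.Status -eq '0xc000006d') -and
           ($d.SubStatus -eq '0xc0000064') -and ($d.LogonProcessName -eq 'Schannel') -and
           ($d.SubjectUserSid -eq 'S-1-5-18') -and ($d.TargetUserSid -eq 'S-1-0-0') -and
           [string]::IsNullOrEmpty($d.TargetUserName) -and ($d.IpAddress -eq '-')
}

function Get-SuspiciousLogonFailures {
    # Everything that does NOT match the Essentials pattern, grouped by source address.
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
                -ErrorAction SilentlyContinue)
    $noise = @($events | Where-Object { Test-EssentialsSchannelNoise $_ })
    $real  = @($events | Where-Object { -not (Test-EssentialsSchannelNoise $_) })
    Write-Host "4625 in last $Hours h: $($events.Count) total, $($noise.Count) matched the Essentials/Schannel pattern"
    $real | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    } | Group-Object Source | Sort-Object Count -Descending |
        Select-Object Count, @{n='Source';e={$_.Name}},
                      @{n='Users';e={($_.Group.User | Select-Object -Unique) -join ','}}
}

function Confirm-Capi2Correlation {
    # Eve's check: enable the CAPI2 Operational log (the CLI equivalent of "Enable Log"
    # in Event Viewer), then list recent Event ID 30 entries from Microsoft-Windows-CAPI2.
    wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-CAPI2/Operational'; Id=30} `
        -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-SuspiciousLogonFailures -Hours 24
Confirm-Capi2Correlation
```

If the first command reports real failures from one source against several user names, that is the case the original poster wanted to keep alerting on; only the records matching all of the quoted fields are set aside as the Essentials pattern.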
  • Hi,

    How are things going on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang


    Monday, June 11, 2018 1:41 AM
    Moderator
  • Hi,

    Is there any update?

    Please click “Mark as answer” if any of the above replies is helpful. It moves the reply to the top and makes it easier to find for other people who have a similar problem.

    Best Regards,
    Eve Wang


    Wednesday, June 13, 2018 1:31 AM
    Moderator
  • Hi

    We still have this issue on a number of client servers

    Regards

    Andy

    Wednesday, June 13, 2018 9:16 AM
    We are having these exact same issues with all of our 2012 R2 and 2016 Essentials servers. We can stop the events by disabling the Health, Email and Management Services for WSE. I enabled CAPI2 logging and I am getting Error 30s. We have alerts on all our servers to make sure that we aren't getting hacked by watching for the failed logins. I don't consider "this is by design" to be an acceptable response. I haven't been able to find anything on the net on how to disable this. It seems to be tied to when workstations are in the Devices tab. If we have no workstations in the Devices tab, the 4625 login failures go away.
    Friday, March 29, 2019 11:11 PM