Event ID 4625 Null SID Guest account currently disabled

  • Question

  • Hi,  I'm seeing several Audit failures with the event information below.  System is Windows Server 2008 R2 in a virtual environment.  Basically the event states that the Guest account tried to access Windows Explorer and the user account is disabled.  The system is in test at the moment and I'm the only one accessing the machine.   The guest account is disabled, but I'm trying to figure out why the login attempts?

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/17/2013 5:36:04 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      NEWPRD.sorvive.com
    Description:
    An account failed to log on.

    Subject:
     Security ID:  NEWPRD\Administrator
     Account Name:  Administrator
     Account Domain:  NEWPRD
     Logon ID:  0x1245586

    Logon Type:   3

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  Guest
     Account Domain:  NEWPRD

    Failure Information:
     Failure Reason:  Account currently disabled.
     Status:   0xc000006e
     Sub Status:  0xc0000072

    Process Information:
     Caller Process ID: 0xce0
     Caller Process Name: C:\Windows\explorer.exe

    Network Information:
     Workstation Name: NEWPRD
     Source Network Address: -
     Source Port:  -

    Detailed Authentication Information:
     Logon Process:  Advapi 
     Authentication Package: Negotiate
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2013-08-17T21:36:04.587579800Z" />
        <EventRecordID>17342</EventRecordID>
        <Correlation />
        <Execution ProcessID="656" ThreadID="2812" />
        <Channel>Security</Channel>
        <Computer>NEWPRD.sorvive.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-2531602938-1099658101-1319544182-500</Data>
        <Data Name="SubjectUserName">Administrator</Data>
        <Data Name="SubjectDomainName">NEWPRD</Data>
        <Data Name="SubjectLogonId">0x1245586</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">Guest</Data>
        <Data Name="TargetDomainName">NEWPRD</Data>
        <Data Name="Status">0xc000006e</Data>
        <Data Name="FailureReason">%%2310</Data>
        <Data Name="SubStatus">0xc0000072</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">Advapi  </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">NEWPRD</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0xce0</Data>
        <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>

    Monday, August 19, 2013 3:00 PM

Answers

  • Hi,

    That must not be a remote computer attempting to log on to your server; if it did and failed, the security log would record “Unknown username or bad password”.

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    It's by design. The core issue here is that Network and Sharing Center wants to know whether the guest account is enabled for network access.

    A similar thread:

    Event ID 4625 NULL SID
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/3e72765e-9fdd-425f-a7b4-1a78a651edc2/event-id-4625-null-sid

    Hope this helps.


    Alex Lv

    • Marked as answer by emanatl Friday, August 30, 2013 3:42 PM
    Tuesday, August 20, 2013 5:39 AM
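    As an added triage example (not from the thread, Microsoft, or any of the posters), the following Python parses the Event XML shown in the question and separates this by-design local Guest check from a failed logon that arrives over the network; the sub-status table, the helper that builds test events and the second sample event are constructed here, while the field names are the ones that appear in the question's XML.

```python
import xml.etree.ElementTree as ET

# Well-known NTSTATUS sub-status codes as they appear in 4625 events.
SUBSTATUS = {"0xc0000072": "account currently disabled", "0xc000006a": "bad password",
             "0xc0000064": "user name does not exist", "0xc0000234": "account locked out"}

def parse_event(xml_text):
    """Return EventID plus every <Data Name="..."> field, tolerating a namespace prefix."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # '{uri}Data' -> 'Data'
        if tag == "EventID":
            fields["EventID"] = (el.text or "").strip()
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()   # 'Advapi  ' -> 'Advapi'
    return fields

def classify_4625(fields):
    """Separate the thread's benign local Guest check from failures worth investigating."""
    if fields.get("EventID") != "4625":
        return "not-4625"
    sub = fields.get("SubStatus", "").lower()
    reason = SUBSTATUS.get(sub, "unknown sub-status " + sub)
    remote = fields.get("IpAddress", "-") not in ("-", "", "127.0.0.1", "::1")
    guest_probe = (fields.get("TargetUserName", "").lower() == "guest"
                   and fields.get("TargetUserSid") == "S-1-0-0"          # NULL SID
                   and sub == "0xc0000072"
                   and fields.get("LogonProcessName") == "Advapi"
                   and fields.get("ProcessName", "").lower().endswith("explorer.exe")
                   and not remote)
    if guest_probe:
        return "benign: local Guest access check (" + reason + ")"
    if remote:
        return "investigate: remote logon failure from " + fields["IpAddress"] + " (" + reason + ")"
    return "review: local logon failure (" + reason + ")"

def make_event(**data):
    """Build a minimal 4625 event XML; constructed test input, not a copied log."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return f'<Event xmlns=""><System><EventID>4625</EventID></System><EventData>{body}</EventData></Event>'

# Constructed to mirror the question's event: Guest, NULL SID, Advapi, explorer.exe, no source address.
GUEST_PROBE = make_event(TargetUserName="Guest", TargetUserSid="S-1-0-0", SubStatus="0xc0000072",
                         LogonType="3", LogonProcessName="Advapi  ",
                         ProcessName=r"C:\Windows\explorer.exe", IpAddress="-")
# Constructed contrast: a network logon with a wrong password from another host.
REMOTE_FAIL = make_event(TargetUserName="Administrator", TargetUserSid="S-1-0-0", SubStatus="0xc000006a",
                         LogonType="3", LogonProcessName="NtLmSsp ", ProcessName="-", IpAddress="192.0.2.10")
```

    Feed the full `Event Xml` block copied from Event Viewer to `parse_event` and pass the result to `classify_4625`; events carrying a real source address are the ones to chase, while the Guest/NULL SID/explorer.exe pattern is the local check the answer describes.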

All replies

  • Thanks Alex,

    What I gather from this is that since the audit failure is from the local guest account, and I understand that the guest account is disabled, it is more than likely the Network and Sharing Center wanting to know if the guest account is enabled.  Since I don't need to enable the guest account, I don't have an issue.  Let me know if I am off base on this.

    Thanks,

    emanatl

    Thursday, August 22, 2013 4:29 PM
  • Based on my experience, some applications use the guest account to achieve certain functions. If you are worried about safety, you can keep it disabled or enable it based on your practical application.

    Alex Lv

    Friday, August 23, 2013 2:27 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Regards.


    Alex Lv

    Monday, August 26, 2013 1:26 AM
  • Thanks Alex,  I'm good to go.
    Friday, August 30, 2013 3:43 PM
  • Hi,

    Security guys went after me for this with a lot of heat, but I finally found the reason for event 4625 on my Windows 2008 R2 terminal server.

    The important things in the event are explorer.exe, guest, and logon type 3. I have other 4625 events but they are not the same.

    If I grant EVERYONE full control to a folder, I get event 4625 every time a user opens that folder or a document from that folder using Explorer.

    If I use the local group Users with Modify permission instead of EVERYONE, then I am OK without that 4625, even though Guest is a member of the Users group.

    Hope this helps those troubled by the same problem.

    • Proposed as answer by jxxx Tuesday, August 4, 2015 3:34 PM
    Thursday, January 15, 2015 9:21 PM
  • Hi jwangjw,

    Thanks for sharing!

    My issue is exactly the same as yours.

    After removing EVERYONE from my folder, everything works perfectly!!

    Tuesday, August 4, 2015 3:39 PM
  • Good info. I was watching my logs more carefully due to another issue.

    Glad you found at least one reason this event appears.  It is valid and good shared information.

    Thanks


    Al Coberly

    Tuesday, December 22, 2015 9:06 AM
  • Hi Alex,

    I found a similar issue today. Only 3 folders are shared: C:\Windows, C:\ and C:\Users. When I check the security of these 3 folders, only C:\Users has the EVERYONE account, but without Full Control. Instead, it is only granted 3 permissions: Read & Execute, List and Read.

    May I know if anything is missing from my investigation?

    Object:
     Object Server:  Security
     Object Type:  File
     Object Name:  C:\Windows\System32\StorageMgmt.msc
     Handle ID:  0x0

    Process Information:
     Process ID:  0x1c8
     Process Name:  C:\Windows\System32\mmc.exe

    Thanks.

    Sarah

    Thursday, November 10, 2016 6:33 AM
  • Another case is as below.

    An Audit Failure occurred with event ID 4625 today. The Caller Process Name is C:\Windows\explorer.exe. Task Category is Logon.

    I checked all the shared folders on this PC, but none of them has the EVERYONE account with Full Control. Instead, some folders have the EVERYONE account with partial permissions, such as Read & Execute, List and Read.

    May I know if there is any other possible reason for this failure?

    Thanks.

    Sarah

    Thursday, November 10, 2016 6:51 AM
  • Hi Jwangjw,

    Thank you!

    Thursday, September 7, 2017 4:06 PM