Event 4625 help - svchost.exe and encrypted user name

    Question

  • I have been getting tons of these errors every day for the past weeks, all having the same account name. I tried decoding the name using base64 but it seems that it uses another encryption. I really do not know what is going on because the process name is system32/svchost.exe, which contains many other processes, and the logon type is using a batch file. I would really appreciate any help on what to look for next.

    - EventData
    SubjectUserSid S-1-5-18
    SubjectUserName ET01$
    SubjectDomainName WORKGROUP
    SubjectLogonId 0x3e7
    TargetUserSid S-1-0-0
    TargetUserName @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAcDA5AgNAADAzAgMAQDABBQLAkDA4AAOAIEAtAANAMDA4AgMA0CACBAOAkDAFBQLAcDAFBgRAkDAFBARAcDAGBQRAQEA1AQRA0HA
    TargetDomainName
    Status 0xc000006d
    FailureReason %%2313
    SubStatus 0xc0000064
    LogonType 4
    LogonProcessName Advapi
    AuthenticationPackageName Negotiate
    WorkstationName ET01
    TransmittedServices -
    LmPackageName -
    KeyLength 0
    ProcessId 0x120
    ProcessName C:\Windows\System32\svchost.exe
    IpAddress -
    IpPort -


    Wednesday, July 11, 2018 3:52 PM

All replies

  • Hi,

    This issue is related to reverse proxy. Change the auth from NTLM to Basic.

    Best Regards

    • Proposed as answer by GINO ZUGER Tuesday, July 17, 2018 11:59 AM
    Wednesday, July 11, 2018 3:59 PM