Failed logins in event log

  • Question

  • Hi

    I'm seeing loads of failed logins on one of our boxes. About 3 a second. The event logs show that it's a bad username originating from the server itself. I've checked for services with bad details but none are there. 

    Any idea how to find out what might be doing it?

    *********************

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          14/11/2016 17:33:48
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SERVER.MYDOMAIN.local
    Description:
    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: SERVER$
    Account Domain: MYDOMAIN
    Logon ID: 0x3E7

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Process Information:
    Caller Process ID: 0x2e8
    Caller Process Name: C:\Windows\System32\lsass.exe

    Network Information:
    Workstation Name: SERVER
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    Tuesday, November 15, 2016 9:25 AM
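
An added example, not part of the original thread: at this volume it helps to group the 4625 records by logon process, authentication package, sub status, caller process and source, so that one repeating origin shows up as a single line with a count. The function name `Get-FailedLogonSummary` and the sample record are constructed for illustration; the `Data` names are the standard event data fields of Event ID 4625.

```powershell
# Added example. Collapses Event ID 4625 records into one line per origin.
# Input: event XML strings, e.g. from (Get-WinEvent ...).ToXml().
$SubStatusText = @{                       # well-known NTSTATUS values
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
}

function Get-FailedLogonSummary {         # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $d = @{}
        # Flatten <Data Name="...">value</Data> into a lookup table.
        foreach ($n in ([xml]$x).Event.EventData.Data) {
            $d[$n.GetAttribute('Name')] = $n.InnerText.Trim()
        }
        $sub = "$($d['SubStatus'])".ToLower()
        [pscustomobject]@{
            LogonType     = $d['LogonType']
            LogonProcess  = $d['LogonProcessName']
            AuthPackage   = $d['AuthenticationPackageName']
            SubStatus     = "$sub ($($SubStatusText[$sub]))"
            CallerProcess = "$($d['ProcessName']) (PID $($d['ProcessId']))"
            Source        = $d['IpAddress']
        }
    }
    $rows | Group-Object LogonType, LogonProcess, AuthPackage, SubStatus, CallerProcess, Source |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample record using the field values shown in the post above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="TargetUserName" />
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="ProcessId">0x2e8</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@
Get-FailedLogonSummary -EventXml @($sample, $sample, $sample) | Format-List

# Live use (elevated prompt), last 10 minutes of the Security log:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625;
#     StartTime=(Get-Date).AddMinutes(-10)} | ForEach-Object { $_.ToXml() }
```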

All replies

  • Hi Oliver,

    >>The event logs show that it's a bad username originating from the server itself

    What is the method of logon that you used?

    Please restart services and server, and try again.

    Please check the case below; you could try to fix the issue by following it:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d32a71a5-1c77-4040-93dd-b433cbf14a45/troubleshooting-event-id-4625-on-windows-2008-r2-domain-controller?forum=winserversecurity

    Best Regards

    John

    • Edited by John Lii Wednesday, November 16, 2016 4:10 AM
    Wednesday, November 16, 2016 2:44 AM
  • Hi,

    Could be a service whose logon details are set to account info that's changed.

    Are there any services that aren't starting up, due to bad login?

    Cheers.


    Kind Regards, Darren Coetzee

    Wednesday, November 16, 2016 4:09 AM
  • Please check the article below too, if it helps you to resolve the issue - https://www.petenetlive.com/KB/Article/0001209
    Wednesday, November 16, 2016 7:14 AM
  • Thanks all

    The source of the logins is the server itself. There aren't any services logging on which are using a bad password. I've checked each service using a dedicated logon and re-entered the passwords. They all seem fine. 

    That's why I'm keen to look at other ways of finding out what might be causing it. 

    Is there any advanced logging I can enable? Any way to find what process it might be if not a service?

    Olly

    Wednesday, November 16, 2016 1:53 PM
  • Or if this is Essentials it might be "Alert Evaluations" as the cause. I'd ask them here about the best course of action.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserveressentials

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Wednesday, November 16, 2016 3:12 PM
  • Hi Dave

    It is Essentials actually. I didn't mention it as I didn't think it would make a difference.

    I'll read that over.

    Olly

    Thursday, November 17, 2016 4:48 PM