Server 2008 R2, event ID 4625 error with logon type 10


  • Hello,

    We have a client who has a 2008 R2 server that is getting a lot of security audit logs (event id 4625). What's ominous is that the userid listed is "user32." Not sure if this is a potential security attack or not. Some people access this server because it's a Microsoft Dynamics SL server and they would access it using RDP. See the error log below. Thanks!


    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          11/5/2011 8:25:52 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    An account failed to log on.

     Security ID:  SYSTEM
     Account Name:  SERVERNAME$
     Account Domain:  DOMAIN
     Logon ID:  0x3e7

    Logon Type:   10

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  a
     Account Domain: SERVERNAME

    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc0000064

    Process Information:
     Caller Process ID: 0x110c
     Caller Process Name: C:\Windows\System32\winlogon.exe

    Network Information:
     Workstation Name: SERVERNAME
     Source Network Address:
     Source Port:  2034

    Detailed Authentication Information:
     Logon Process:  User32
     Authentication Package: Negotiate
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0


    Monday, November 14, 2011 8:59 PM


All replies