UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 4625 - An account failed to log on

Status 0xc0000225

markyel — Wed, 01 Feb 2012 18:02:44 GMT

I found a scenario that generated a failure audit for Event 4625 using NTLM with excerpt as follows:

Failure Reason: An Error occured during Logon.

Status: 0xc0000225

Sub Status: 0x0

This occurred attempting to connect a CIFS mount from Red-Hat Linux to Windows Server 2008 R2. The mount had worked in Server 2003 but failed on 2008 R2. I discovered the following registry hotfix that addresses the issue which I confirmed with a network trace was exactly as described in KB 957441:

Client connections return a "STATUS_INVALID_PARAM" error code when you use a "Send NTLMv2 response only" authentication level in Windows Server 2008 or in Windows Vista

http://support.microsoft.com/kb/957441

In this case the status seems to be a generic indicator of "something is wrong with the NTLM negotiation."

4625 for a workstation name

okvol — Fri, 06 Jan 2012 16:57:00 GMT

From the event log:
Account is 10THCONFROOM$
In the expanded text, I see: Security ID: S-1-0-0 Account Name: 10THCONFROOM$

What is up with invalid logins for a workstation?

7000 NULL SID 4625's in 3 Days

deeblock — Thu, 22 Dec 2011 01:37:45 GMT

Server 2008 R2, over 7000 NULL SID Event ID 4625's in the last 3 days, none before that, with Source IPs in Greece, France, Switzerland, Croatia, Chicago picked at random from log. Using ports in the 55,000s, some below port 5000. Account names range from Administrator to BESAdmin to user5 etc. No BESAdmin or user5 around these parts. Kinda creepy, how concerned should I be?

Thanks

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVER1$
Account Domain: MYDOMAIN
Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: BESAdmin
Account Domain: SERVER1

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x12f0
Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: SERVER1
Source Network Address: 94.230.215.228
Source Port: 53535

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVER1$
Account Domain: MYDOMAIN
Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin2
Account Domain: SERVER1

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0xa00
Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: SERVER1
Source Network Address: 79.247.123.109
Source Port: 49348

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVER1$
Account Domain: MYDOMAIN
Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user5
Account Domain: SERVER1

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x860
Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: SERVER1
Source Network Address: 188.129.87.175
Source Port: 60163

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Failure Reason: Unknown user name or bad password Status: 0xc000006d

n5eea — Wed, 07 Dec 2011 10:51:08 GMT

We are constantly receiving event log errors that the authenticated account we use with Arcserve has a bad password or something. I have 10 servers with Arcserve installed on it and 5 of them are reporting this error at the top of every hour. They all use the same authentication account.

12/07/2011 09:00:34 AMLogName=SecuritySourceName=Microsoft Windows security auditing.

EventCode=4625

EventType=0

Type=Information

ComputerName=SERVERDC3.OurDomain.local

TaskCategory=Logon

OpCode=Info

RecordNumber=70984967

Keywords=Audit Failure

Message=An account failed to log on.

Subject:

Security ID:S-1-5-18

Account Name:SERVERC3$

Account Domain:	OurDomain

Logon ID:0x3e7

Logon Type:4

Account For Which Logon Failed:

Security ID: S-1-0-0

Account Name:causer

Account Domain:	SERVERDC3

Failure Information:

Failure Reason:	Unknown user name or bad password.

Status:	0xc000006d

Sub Status: 0xc0000064

Process Information:

Caller Process ID: 0x1434

Caller Process Name:	C:\Program Files\CA\SharedComponents\ARCserve Backup\UniAgent\UnivAgent.exe

Network Information:

Workstation Name:	SERVERDC3

Source Network Address:	-

Source Port:		-

Detailed Authentication Information:

Logon Process:		Advapi

Authentication Package:	Negotiate

Transited Services:	-

Package Name (NTLM only):	-

Key Length:	0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon.

This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated.

Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

	- Transited services indicate which intermediate services have participated in this logon request.

	- Package name indicates which sub-protocol was used among the NTLM protocols.

	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

=====

next error for the same server:

12/07/2011 09:00:34 AM

LogName=SecuritySource

Name=Microsoft Windows security auditing.

EventCode=4776

EventType=0

Type=Information

ComputerName=SERVERDC3.OurDomain.local

TaskCategory=Credential Validation

OpCode=Info

RecordNumber=70984966

Keywords=Audit

FailureMessage=The computer attempted to validate the credentials for an account.

Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account:	causer

Source Workstation:	SERVERDC3

Error Code:	0xc0000064

We have multiple servers with Arcserve, this error is occuring on a number of the servers, but not all of them.

The account used is a domain authenticated account and is used for all the servers with Arcserve installed. So we're trying to identify

why this error is occuring.

Version of ARCserve and OS:

OS is Windows server 2008 R2 with SP1, Arcserve version is 15R build 6222

Any suggestions are appreciated.

Roger

0xc0000006d in Event 4625

markyel — Mon, 01 Aug 2011 12:52:48 GMT

Hi Randy,

You mention in the wiki for Event 4625 that 0xc0000006d "seems to be caused by system problems and non-security related." I'm not sure what this means. In Microsoft documentation, this code is stated as an attempted logon that is invalid due to bad username. Are you saying that you find this to be inaccurate/invalid for the new Vista and higher Event 4625 entries?

Many thanks.

Confusion between Status and Substatus codes

gurrapu.praveen — Fri, 14 Oct 2011 07:52:52 GMT

Dear Randy,

In the encyclopedia article on the event 4625, the first column of the table says 'Status and Sub status codes'. But, Status and Substatus have different values. I have observed this for wrong password event on a Windows 2008 machine. Please refer to the attached screen shot.

The value of Status is 0xc000006d and Sub Status is 0xc000006a.

So, in the encyclopedia article, are your referring to Sub Status codes for all the cases?

Thanks,

Praveen

Wierd logs in a reghosted image of Windows 2008 R2 server

gurrapu.praveen — Tue, 30 Aug 2011 09:53:40 GMT

Hi,

I have a Windows 2008 R2 Server machine which is reghosted from an image. It logs audit log events with Event ID: 4625, Sub-status code: 0xc0000064 and Event Type: 3. It logs these events at a frequency of atleast 10 events per minute. Is there any way to suppress these events?

Also, I am trying to generate a failed logon event on that machine. But, when I enter wrong credentials and check the event log, I don't find any event with Event Type 2.

Thank you in advance.

Regards,
Praveen

Event ID 4625 and NULL SID with 0xc000006d

jwalzer — Thu, 24 Feb 2011 10:32:53 GMT

Randy,

I'm seeing the following events:

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: computername$
Account Domain: Domainname

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x0

Something to worry about, or noise?

Thx,
Jeff

4625 with Different Account Identifiers

RCThompson — Tue, 07 Jun 2011 10:50:57 GMT

Any idea what this means? I'm seeing 4625 errors on some of our 2008R2 servers where the Subject account is one of our administrators and the Account For Which Logon Failed is the disabled Guest account. Most of the erros reference C:\Windows\explorer.exe but some reference the mmc.exe or printgui.exe. And the errors appear to be a recurring series; not a lot but ten or twelve every day, and generally , but not always, in the afternoon hours.

Thanks,

Ralph

--------

An account failed to log on.

Subject:

Security ID: XXXXXX\admin-zzzzzzzzz

Account Name: admin-zzzzzzzz

Account Domain: XXXXXX

Logon ID: 0x6dff9927

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: Guest

Account Domain: YYYYY_FP

Failure Information:

Failure Reason: Account currently disabled.

Status: 0xc000006e

Sub Status: 0xc0000072

Process Information:

Caller Process ID: 0xce4

Caller Process Name: C:\Windows\explorer.exe

Network Information:

Workstation Name: YYYYY_FP

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Advapi

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event ID 4625 and Code 0xc00002ee

alex.fischer — Mon, 22 Nov 2010 05:53:17 GMT

Hi, I got event ID 4624 with Code 0xc00002ee (infrastructure: 2 DC's both Windows Server 2008). Can you tell me, what 0xc00002ee mean?

Thanks in advance.

Alex

Event ID 4625 Not Being Logged For Failed RDP Attempts

awf — Wed, 08 Sep 2010 11:36:31 GMT

I am looking to audit failed RDP login attempts on the servers in my domain. When a login fails, I see an event logged in the Security Log on the domain controller (Event ID 4771), but there is no corresponding failure event logged in the Security Log on the server I am trying to RDP to. Shouldn't I see a 4625 event with a LogonType of 10?

(Note: Failed interactive logins (Type =2) are being logged correctly for workstation logins, both locally and to the domain, as are workstation unlocks (Type =7).)

Configuration:

- Windows 2008 domain controller (mixed-mode)
- Server trying to RDP to: Windows 2008
- Workstation attempting from: Windows 7

Non Descriptive field for Failure Reason in Win2008

chamarts — Sun, 03 May 2009 13:57:24 GMT

Hi,

As per the documentation on your website, the failure reason for 4625 event should be a descriptive field. Where as in the event log on Windows 2008 server, I could see the value like this , FailureReason = "%%2309", just wondering how do Interpret this binary to description ?

And also I have similar problem with 4656 event, where the "ACCESSES" were descriptive in documentation where as the event log shows its binary value like "%%1553"

Could you pls. clarify this for us ???

thx
Srinivas Chamarthi

Failure information for old 534.

mdstevens — Tue, 16 Feb 2010 10:24:17 GMT

Hi I am looking for the Status and Sub Status for failed logins similar to the old 534 messages: 534: Logon Failure - The user has not been granted the requested logon type at this machine. Has anyone come across this yet? I am assuming they would come under 4625?

Thanks

Mark

Fails with Status: 0xc00000bb

Eriksson — Fri, 24 Apr 2009 04:00:22 GMT

Hi,

Thanx for valuable info in your post. However I managed to get this problem with a for me unkown Status value: 0xc00000bb.

Here's some info from the eventlog, maybe you can guide me further.

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: administrator@pbslab2.local
Account Domain:

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc00000bb
Sub Status: 0x0

My environment is as follows:

Windows Server 2003 as Domain Controller
Windows Server 2008 running root CA (active directory certificate services)

I managed to issue a smart card user certificate for the domain administrator and store it on a Gemalto .NET v2+ smart card. When trying to logon to the ws2008 as domain adminstrator I get the error mentioned above.

I read here
http://msmvps.com/blogs/sp/archive/2007/06/02/smart-card-logon-error-0xc00000bb.aspx
that it could be a missing certificate on the AD but I do have it.

Any ideas?

Cheers

/Håkan Eriksson