Unable to track down 4625 events occurring...
Posted 3/24/2020 11:17:26 AM
Wkst1 is a Win10 workstation. Every day I get a 4625 event on Wkst1 at 7:03AM. They are in the same network and they are part of the same workgroup. Svr1 is a Win Server 2019. Here is the General Details info from Wkst1 of the event:

Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: Svr1

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: Svr1
Source Network Address: fe80::a8f4:2e35:8b84:1297
Source Port: 58739

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

I have looked at various netstats with diff parameters on both computers, but nothing.
There are no scheduled tasks on Svr1 or Wkst1.
There is no DC or AD on Svr1.
I looked thru other parts in the Event Viewer on both computers, but nothing.
There are no apps running on Svr1.
The only function of Svr1 right now is performing backups of 2 VMs on another server using Veeam B/u and Rep.
There are no processes running or people using Wkst1. It sits idle most of the time.

Can anyone provide some direction on where to look for this?
Is there some add'l logging that can be enabled?
Which direction does this event indicate? A process or person on Svr1 trying to log on to Wkst1, or in the opposite direction?
Either way, there should not be any logon from one to the other.
Post #8625
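
Added example, not part of the original post: a small parser for the event text pasted above that keeps the two "Account Name" fields apart by section and reports which side sent the logon attempt. A 4625 event is written on the computer that received the attempt, and its Network Information section describes the sender; `parse_4625`, `summarize` and the `logged_on` parameter are names chosen for this example.

```python
import ipaddress

# Abridged copy of the 4625 text from the post. The post starts at the Subject
# fields without the "Subject:" header, so the parser assumes that section.
EVENT_TEXT = """\
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Account Name: Administrator
Account Domain: Svr1
Failure Information:
Status: 0xC000006D
Sub Status: 0xC000006A
Network Information:
Workstation Name: Svr1
Source Network Address: fe80::a8f4:2e35:8b84:1297
"""

LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER"}

def parse_4625(text):
    """Group 'Field: value' lines under the section header that precedes them."""
    sections, current = {"Subject": {}}, "Subject"
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):            # e.g. "Network Information:"
            current = line[:-1]
            sections[current] = {}
        else:
            key, _, value = line.partition(":")   # IPv6 colons stay in value
            sections[current][key.strip()] = value.strip()
    return sections

def summarize(text, logged_on):
    """logged_on = computer whose Security log holds the event (the target)."""
    ev = parse_4625(text)
    acct, net = ev["Account For Which Logon Failed"], ev["Network Information"]
    addr = net.get("Source Network Address", "-")
    sub = int(ev["Failure Information"]["Sub Status"], 16)
    return {
        # Workstation Name is supplied by the NTLM client, so treat it as a hint.
        "direction": f'{net["Workstation Name"]} -> {logged_on}',
        "account": f'{acct["Account Domain"]}\\{acct["Account Name"]}',
        "logon_type": LOGON_TYPES.get(int(ev["Subject"]["Logon Type"]), "other"),
        "sub_status": NTSTATUS.get(sub, hex(sub)),
        # Link-local (fe80::/10) means the sender is on the same network segment.
        "same_segment": addr != "-" and ipaddress.ip_address(addr).is_link_local,
    }
```

Calling `summarize(EVENT_TEXT, "Wkst1")` returns the direction, the account that was tried, the logon type and the decoded sub status as a dictionary.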