Non Descriptive field for Failure Reason in...
Posted 5/3/2009 1:57:24 PM
Forum Newbie


Group: Forum Members
Last Login: 8/7/2009 11:46:33 AM
Posts: 8, Visits: 9
Hi,

As per the documentation on your website, the failure reason for the 4625 event should be a descriptive field. Whereas in the event log on Windows 2008 server, I could see the value like this: FailureReason = "%%2309". Just wondering, how do I interpret this binary to a description?

And also I have a similar problem with the 4656 event, where the "ACCESSES" were descriptive in the documentation whereas the event log shows its binary value like "%%1553".

Could you please clarify this for us?

thx
Srinivas Chamarthi

Post #87
Posted 5/5/2009 4:32:17 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
Is it possible to post a copy of the entire event? Also, what version of Windows and what language, or is it a multi-language edition?
Post #88
Posted 7/26/2009 10:58:03 PM
Forum Newbie


Group: Forum Members
Last Login: 8/7/2009 11:46:33 AM
Posts: 8, Visits: 9
I found out that the issue is with our application collecting the Windows events; it is adding these binary values. The Windows event log shows up fine with the right values.
Post #150
Posted 7/27/2009 3:55:07 AM
Forum Newbie


Group: Forum Members
Last Login: 8/7/2009 11:46:33 AM
Posts: 8, Visits: 9
Sorry to contradict myself here, actually it's giving binary values for accesses but I need to correlate with the descriptions mentioned here: http://my.opera.com/Lee_Harvey/blog/2008/10/14/microsoft-windows-security-audit-event-accesses-ids
Post #151
Posted 7/27/2009 7:00:06 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
As far as this event, 4625, you won't be able to correlate it to that list because you are comparing apples and oranges. The codes listed at that site have to do with access control. The event ID 4625 is not access control - it's logon/logoff.

To help you, I'll really need some sample events.

Post #153
Posted 7/28/2009 8:58:30 AM
Forum Newbie


Group: Forum Members
Last Login: 8/7/2009 11:46:33 AM
Posts: 8, Visits: 9
Right, I gave that reference for the 4656 event.
Post #155
Posted 11/25/2009 1:36:09 PM
Forum Newbie


Group: Forum Members
Last Login: 11/25/2009 1:24:06 PM
Posts: 1, Visits: 0
The %%2309 type failure reason codes come from the XML of the event. At some point Windows is doing something to translate those encoded values into String values:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2009-11-25T17:38:52.390Z" />
    <EventRecordID>25860330</EventRecordID>
    <Correlation />
    <Execution ProcessID="604" ThreadID="692" />
    <Channel>Security</Channel>
    <Computer></Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid"></Data>
    <Data Name="SubjectUserName"></Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="SubjectLogonId"></Data>
    <Data Name="TargetUserSid"></Data>
    <Data Name="TargetUserName"></Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName"></Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xeb8</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress"></Data>
    <Data Name="IpPort"></Data>
  </EventData>
</Event>

Post #280
Posted 4/14/2010 8:14:55 PM
Expert from Quest Software


Group: Forum Members
Last Login: 2/11/2012 12:15:37 AM
Posts: 15, Visits: 8
Hi K5Blazer -

  This is probably a dead topic, but the value you are looking at is a localized value. This means that the number is translated to a descriptive phrase depending on what language you installed on Windows.

  I'm not sure what 2309 is, but 2313 is something like "Unknown Username or Bad Password"

                        - in English at least...!

  If you look at this in the Windows 2008 Event Viewer it will translate for you.  I went digging around on the Internet and could not find a good cross-reference.  Maybe something to compile or something to ask MS for.

Anyway, hope this helps!

Post #352
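
Added example, not part of the thread and not any poster's code: a collector-side sketch that parses the 4625 event XML posted above, substitutes %%NNNN placeholders from a lookup table, and names the language-independent Status/SubStatus codes. The two message strings are the en-US wording and are an assumption for other UI languages; the function names and the trimmed sample event are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TOKEN = re.compile(r"%%(\d+)")

# Assumed en-US text for the parameter message IDs seen in this thread;
# a host with another UI language renders different strings.
PARAM_MESSAGES = {
    2309: "The specified account's password has expired.",
    2313: "Unknown user name or bad password.",
}

# NTSTATUS values from the posted event; these do not depend on language.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
}

# Constructed sample: trimmed copy of the 4625 event posted in the thread.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>"""

def resolve_tokens(value, table=PARAM_MESSAGES):
    """Replace each %%NNNN with its text; unknown IDs are left untouched."""
    return TOKEN.sub(lambda m: table.get(int(m.group(1)), m.group(0)), value)

def normalize_event(xml_text):
    """Return EventData as a dict with placeholders resolved and status codes named."""
    root = ET.fromstring(xml_text)
    fields = {}
    for data in root.findall("./e:EventData/e:Data", NS):
        fields[data.get("Name")] = resolve_tokens(data.text or "")
    for key in ("Status", "SubStatus"):
        if fields.get(key, "").lower().startswith("0x"):
            fields[key + "Name"] = NTSTATUS.get(int(fields[key], 16), "UNKNOWN")
    fields["EventID"] = root.findtext("./e:System/e:EventID", namespaces=NS)
    return fields

if __name__ == "__main__":
    for name, value in normalize_event(SAMPLE_EVENT).items():
        print(f"{name}: {value}")
```

Because FailureReason text varies with the installed language, correlation rules are more stable when keyed on SubStatus, with the resolved string kept for display only.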
Posted 8/28/2010 6:35:19 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
thanks, Braino
Post #450