question

VincentHii-1827 avatar image
1 Vote"
VincentHii-1827 asked Prince-1254 answered

Strange type of windows failed authentication security event log ID 4625

Has anyone seen this specific type of event 4625? Not much info as to the source and it has been happening a fair bit lately on a few servers and they are constant (a block of around 5 same events every few minutes).

In summary:
Status: 0xC000006D
Sub Status: 0x0
Logon type: 3 (Network (i.e. connection to shared folder on this computer from elsewhere on network)

The usual online searches has lead to nothing conclusive.

The eventlog in detail:


An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [computer-name]$
Account Domain: [domain-name]
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

windows-server-security
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.


Hi,
 
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·

If there are any updates, welcome to share here!

Best Regards,

0 Votes 0 ·
FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered

Hi,

Regarding some NTLM authentication events, workstations, or caller process parts may be blank in some cases.

The following methods can help you find the caller process or source network address:

If the frequency of events is high, you can consider using network monitor or process monitor tools. Open the tool and reproduce the problem, the processes will be recorded.

You can open the netlogon debug log, if the problem reproduces, it will be recorded in the log.

Regarding enabling debug log, use the following command

nltest /dbflag:0x2080ffff

Once the issue reproduced, turn off the log with the following command

nltest /dbflag:0x0

The NetLogon logging level is stored in the following registry value:

HKLM\System\CurrentControlSet\Services\Netlogon Parameters\DBFlag

The location of the debug log is: %SYSTEMROOT%\debug\Netlogon.log

Due to the security reason, the logs analysis is not supported here!
But if you find clues, you can share a screenshot here! (Please hide the private information)

Best Regards,

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Prince-1254 avatar image
1 Vote"
Prince-1254 answered

Hi All,

Even I'm facing exactly the same problem.

I would be glad if someone from Microsoft could explain.

Thank you.



An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: WEBCAM
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 181.214.206.146
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.



An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TJACKSON
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 181.214.206.146
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.