ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Security analyst monitoring Windows Event ID 4625 failed logon events in a cybersecurity operations center
Event ID 4625InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. Critical for detecting brute force attacks, credential issues, and unauthorized access attempts across domain and local accounts.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
17 March 202612 min read 0
Event ID 4625Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4625 represents one of the most critical security events in Windows logging infrastructure. Generated by the Microsoft-Windows-Security-Auditing provider, this event captures comprehensive details about every failed authentication attempt on the system. The event structure includes over 20 fields providing forensic-quality information about the failed logon attempt.

The event triggers for multiple logon types: interactive desktop logons (Type 2), network logons (Type 3), batch logons (Type 4), service logons (Type 5), and remote desktop sessions (Type 10). Each logon type provides different context clues about the attack vector or authentication issue. Network logons often indicate lateral movement attempts, while interactive logons suggest physical or console access attempts.

Windows 2026 updates have enhanced 4625 events with improved source IP tracking and better integration with Windows Defender for Endpoint. The failure reason codes have been expanded to provide more granular detail about authentication failures, particularly for cloud-hybrid scenarios and certificate-based authentication failures.

The event's Sub Status field contains specific error codes that map to exact failure reasons: 0xC0000064 (user name does not exist), 0xC000006A (incorrect password), 0xC0000072 (account disabled), and 0xC0000193 (account expired). These codes enable automated response systems to differentiate between credential attacks and legitimate account issues.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Brute force password attacks - Automated tools attempting multiple password combinations against user accounts
  • Incorrect password entry - Users typing wrong passwords during legitimate logon attempts
  • Disabled or locked user accounts - Authentication attempts against accounts that have been administratively disabled or automatically locked
  • Expired user credentials - Logon attempts with passwords that have exceeded the maximum password age policy
  • Network authentication failures - SMB, RDP, or other network service authentication issues due to connectivity or configuration problems
  • Service account credential issues - Windows services failing to authenticate with outdated or incorrect service account passwords
  • Domain trust relationship problems - Authentication failures when domain trust relationships are broken or misconfigured
  • Time synchronization issues - Kerberos authentication failures due to clock skew between client and domain controller
  • Certificate-based authentication failures - Smart card or certificate logon attempts with expired, revoked, or invalid certificates
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the specific failure details in Event Viewer to understand the authentication failure context.

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4625 using Filter Current LogEvent IDs: 4625
  3. Double-click a 4625 event to view detailed information
  4. Check the Failure Reason field for the specific error description
  5. Note the Sub Status code to identify the exact failure type:
    • 0xC0000064 - The specified user does not exist
    • 0xC000006A - The value provided as the current password is not correct
    • 0xC0000072 - The referenced account is currently disabled
    • 0xC0000193 - The referenced account has expired
    • 0xC0000234 - The referenced account is currently locked out
  6. Review the Logon Type to understand the authentication method:
    • Type 2 - Interactive (console logon)
    • Type 3 - Network (accessing shared resources)
    • Type 10 - RemoteInteractive (RDP/Terminal Services)
  7. Check Source Network Address to identify the origin of failed attempts
Pro tip: Sort events by Source Network Address to quickly identify potential brute force attacks from specific IP addresses.
02

Use PowerShell to Query and Analyze Failed Logons

PowerShell provides powerful filtering and analysis capabilities for investigating 4625 events across multiple systems.

  1. Query recent failed logon attempts:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  2. Filter failed logons by specific user account:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Where-Object {$_.Message -like "*TargetUserName*"} | Select-Object TimeCreated, Message
  3. Identify potential brute force attacks by counting failures per source IP:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)}
$Events | ForEach-Object {
    $XML = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time = $_.TimeCreated
        Account = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        SourceIP = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
        FailureReason = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubStatus'} | Select-Object -ExpandProperty '#text'
    }
} | Group-Object SourceIP | Sort-Object Count -Descending
  4. Export failed logon events for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-7)} | Export-Csv -Path "C:\Temp\FailedLogons.csv" -NoTypeInformation
  5. Check for account lockout patterns:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Where-Object {$_.Message -like "*0xC0000234*"} | Select-Object TimeCreated, Message
Warning: Large Security logs can impact PowerShell performance. Use time filters and -MaxEvents parameter to limit query scope.
03

Configure Advanced Audit Policies for Better Detection

Ensure proper audit policy configuration to capture all relevant failed logon events and enhance security monitoring.

  1. Check current audit policy settings:
    auditpol /get /category:"Logon/Logoff"
  2. Enable detailed logon failure auditing:
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
  3. Configure Group Policy for domain-wide audit settings:
    • Open Group Policy Management Console
    • Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
    • Expand Audit PoliciesLogon/Logoff
    • Configure Audit Logon to Success and Failure
    • Configure Audit Account Lockout to Success and Failure
  4. Verify audit policy application:
    gpresult /h C:\Temp\GPResult.html
# Review Applied Group Policy Objects section
  5. Test audit policy by generating a controlled failed logon:
    # From command prompt (will fail intentionally)
runas /user:nonexistentuser cmd
  6. Configure Security log size to handle increased event volume:
    • Open Event ViewerWindows LogsSecurity
    • Right-click SecurityProperties
    • Set Maximum log size to at least 100 MB
    • Configure When maximum log size is reached to Archive the log automatically
Pro tip: Enable "Audit Special Logon" to track administrative and service account usage patterns alongside failed logons.
04

Implement Automated Monitoring and Alerting

Set up automated detection systems to identify and respond to suspicious failed logon patterns in real-time.

  1. Create a PowerShell script for continuous monitoring:
    # Save as Monitor-FailedLogons.ps1
param(
    [int]$ThresholdCount = 5,
    [int]$TimeWindowMinutes = 10
)

$StartTime = (Get-Date).AddMinutes(-$TimeWindowMinutes)
$FailedLogons = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4625
    StartTime=$StartTime
} -ErrorAction SilentlyContinue

if ($FailedLogons) {
    $GroupedByIP = $FailedLogons | ForEach-Object {
        $XML = [xml]$_.ToXml()
        [PSCustomObject]@{
            SourceIP = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
            Account = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        }
    } | Group-Object SourceIP
    
    foreach ($Group in $GroupedByIP) {
        if ($Group.Count -ge $ThresholdCount) {
            Write-Warning "ALERT: $($Group.Count) failed logons from $($Group.Name) in last $TimeWindowMinutes minutes"
            # Add email notification or SIEM integration here
        }
    }
}
  2. Schedule the monitoring script using Task Scheduler:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-FailedLogons.ps1"
$Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365) -At (Get-Date)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "Monitor Failed Logons" -Action $Action -Trigger $Trigger -Settings $Settings -RunLevel Highest
  3. Configure Windows Event Forwarding for centralized monitoring:
    • On collector server, enable WinRM:
      winrm quickconfig -y
wecutil qc
    • Create subscription configuration file:
      <?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>FailedLogons</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward Event ID 4625 from domain computers</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <Query><![CDATA[<QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4625)]]</Select></Query></QueryList>]]></Query>
</Subscription>
    • Create the subscription:
      wecutil cs C:\Config\FailedLogons.xml
  4. Integrate with Microsoft Sentinel or third-party SIEM:
    • Install Azure Monitor Agent on domain controllers
    • Configure Security Events data connector in Sentinel
    • Create analytics rules for failed logon detection
Warning: High-volume environments may generate thousands of 4625 events. Implement log rotation and archival strategies to prevent disk space issues.
05

Advanced Forensic Analysis and Response

Perform deep forensic analysis of failed logon events to identify attack patterns and implement targeted countermeasures.

  1. Extract detailed forensic data using advanced PowerShell techniques:
    # Advanced 4625 analysis script
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)}
$DetailedAnalysis = foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = @{}
    $XML.Event.EventData.Data | ForEach-Object {
        $EventData[$_.Name] = $_.'#text'
    }
    
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        TargetUserName = $EventData.TargetUserName
        TargetDomainName = $EventData.TargetDomainName
        WorkstationName = $EventData.WorkstationName
        IpAddress = $EventData.IpAddress
        IpPort = $EventData.IpPort
        LogonType = $EventData.LogonType
        LogonProcessName = $EventData.LogonProcessName
        AuthenticationPackageName = $EventData.AuthenticationPackageName
        FailureReason = $EventData.FailureReason
        Status = $EventData.Status
        SubStatus = $EventData.SubStatus
        ProcessName = $EventData.ProcessName
        KeyLength = $EventData.KeyLength
    }
}

# Analyze attack patterns
$DetailedAnalysis | Group-Object IpAddress | Sort-Object Count -Descending | Select-Object Name, Count, @{n='UniqueAccounts';e={($_.Group | Select-Object -Unique TargetUserName).Count}}
  2. Correlate with other security events for timeline analysis:
    # Correlate 4625 with successful logons (4624) and account lockouts (4740)
$TimeRange = @{StartTime=(Get-Date).AddHours(-2); EndTime=Get-Date}
$FailedLogons = Get-WinEvent -FilterHashtable (@{LogName='Security'; Id=4625} + $TimeRange)
$SuccessfulLogons = Get-WinEvent -FilterHashtable (@{LogName='Security'; Id=4624} + $TimeRange)
$AccountLockouts = Get-WinEvent -FilterHashtable (@{LogName='Security'; Id=4740} + $TimeRange)

# Create timeline of events
$AllEvents = @($FailedLogons + $SuccessfulLogons + $AccountLockouts) | Sort-Object TimeCreated
$AllEvents | Select-Object TimeCreated, Id, @{n='EventType';e={switch($_.Id){4625{'Failed Logon'};4624{'Successful Logon'};4740{'Account Lockout'}}}}, Message
  3. Implement IP address reputation checking:
    # Check suspicious IPs against threat intelligence
$SuspiciousIPs = $DetailedAnalysis | Group-Object IpAddress | Where-Object {$_.Count -gt 10} | Select-Object -ExpandProperty Name

foreach ($IP in $SuspiciousIPs) {
    if ($IP -and $IP -ne '-' -and $IP -ne '::1' -and $IP -ne '127.0.0.1') {
        try {
            $GeoLocation = Invoke-RestMethod -Uri "http://ip-api.com/json/$IP" -TimeoutSec 5
            Write-Host "IP: $IP - Country: $($GeoLocation.country) - ISP: $($GeoLocation.isp)" -ForegroundColor Yellow
        } catch {
            Write-Host "IP: $IP - Geolocation lookup failed" -ForegroundColor Red
        }
    }
}
  4. Generate comprehensive security report:
    # Generate detailed security report
$Report = @"
=== Failed Logon Analysis Report ===
Generated: $(Get-Date)
Time Range: Last 24 hours

Summary:
- Total Failed Logons: $($DetailedAnalysis.Count)
- Unique Source IPs: $(($DetailedAnalysis | Select-Object -Unique IpAddress).Count)
- Unique Target Accounts: $(($DetailedAnalysis | Select-Object -Unique TargetUserName).Count)

Top 10 Source IPs by Failed Attempts:
$($DetailedAnalysis | Group-Object IpAddress | Sort-Object Count -Descending | Select-Object -First 10 | Format-Table Name, Count -AutoSize | Out-String)

Top 10 Targeted Accounts:
$($DetailedAnalysis | Group-Object TargetUserName | Sort-Object Count -Descending | Select-Object -First 10 | Format-Table Name, Count -AutoSize | Out-String)

Failure Reason Distribution:
$($DetailedAnalysis | Group-Object SubStatus | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize | Out-String)
"@

$Report | Out-File -FilePath "C:\Temp\FailedLogonReport_$(Get-Date -Format 'yyyyMMdd_HHmm').txt"
  5. Implement automated response actions:
    # Automated response for high-risk scenarios
$HighRiskIPs = $DetailedAnalysis | Group-Object IpAddress | Where-Object {$_.Count -gt 20}

foreach ($RiskIP in $HighRiskIPs) {
    if ($RiskIP.Name -and $RiskIP.Name -notmatch '^(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
        Write-Warning "High-risk IP detected: $($RiskIP.Name) with $($RiskIP.Count) failed attempts"
        
        # Add Windows Firewall rule to block IP
        try {
            New-NetFirewallRule -DisplayName "Block Brute Force IP $($RiskIP.Name)" -Direction Inbound -RemoteAddress $RiskIP.Name -Action Block -Protocol TCP
            Write-Host "Firewall rule created to block $($RiskIP.Name)" -ForegroundColor Green
        } catch {
            Write-Error "Failed to create firewall rule for $($RiskIP.Name): $($_.Exception.Message)"
        }
    }
}
Pro tip: Combine 4625 analysis with network traffic analysis and endpoint detection tools for comprehensive attack visibility.

Overview

Event ID 4625 fires whenever a logon attempt fails on a Windows system. This security audit event captures detailed information about unsuccessful authentication attempts, including the account name, source workstation, logon type, and failure reason. The event appears in the Security log and requires audit policy configuration to generate.

This event serves as your primary detection mechanism for credential-based attacks, account lockouts, and authentication issues. Windows generates 4625 events for various scenarios: incorrect passwords, disabled accounts, expired credentials, network authentication failures, and interactive logon problems. Each event contains specific failure codes that pinpoint the exact reason for authentication failure.

Security teams rely on 4625 events to identify brute force attacks, especially when multiple failures occur from the same source IP or against the same account. The event provides forensic details including timestamp, source network address, authentication package used, and the specific Windows logon process involved. Modern threat detection systems parse these events to build attack timelines and identify compromised credentials.

Frequently Asked Questions

What does Event ID 4625 mean and when should I be concerned?+
Event ID 4625 indicates a failed logon attempt on your Windows system. You should be concerned when you see multiple 4625 events from the same source IP address within a short timeframe (typically 5+ failures in 10 minutes), which often indicates a brute force attack. Also watch for failures against administrative accounts, service accounts, or patterns targeting multiple user accounts sequentially. Single isolated 4625 events are usually normal user errors, but clusters of failures warrant immediate investigation.
How can I differentiate between legitimate user errors and malicious attacks in 4625 events?+
Legitimate user errors typically show sporadic 4625 events from known internal IP addresses with Sub Status 0xC000006A (wrong password) during business hours. Malicious attacks exhibit patterns like: rapid sequential failures from external IPs, targeting non-existent accounts (Sub Status 0xC0000064), attempts outside business hours, failures from multiple source IPs against the same account, or systematic attempts against common usernames like 'admin' or 'administrator'. Check the Logon Type field - Type 3 (network) failures from external IPs are more suspicious than Type 2 (interactive) failures from internal workstations.
What are the most important Sub Status codes in Event ID 4625 and what do they mean?+
The critical Sub Status codes are: 0xC000006A (incorrect password) - most common, indicates wrong password entry; 0xC0000064 (user does not exist) - often indicates reconnaissance or username enumeration attacks; 0xC0000072 (account disabled) - attempts against disabled accounts, possibly indicating insider knowledge; 0xC0000234 (account locked out) - shows the account lockout policy triggered; 0xC0000193 (account expired) - attempts with expired credentials; 0xC000006F (logon outside allowed hours) - violations of time restrictions; 0xC0000071 (password expired) - legitimate users with expired passwords. Focus monitoring on 0xC0000064 events as they often indicate malicious reconnaissance.
How do I configure Windows to generate Event ID 4625 and what audit policies are required?+
Event ID 4625 requires the 'Audit Logon' policy to be enabled for failures. Use 'auditpol /set /subcategory:"Logon" /failure:enable' to enable it via command line. For domain environments, configure this through Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff → Audit Logon (set to Failure or Success and Failure). Also enable 'Audit Account Lockout' to capture lockout events. Verify the policy with 'auditpol /get /subcategory:"Logon"'. Note that enabling success auditing will generate many 4624 events, so consider the log volume impact.
What PowerShell commands are most effective for analyzing Event ID 4625 patterns and detecting attacks?+
Use 'Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)}' to retrieve recent failures. For attack detection, group by source IP: '$Events | ForEach-Object {$XML = [xml]$_.ToXml(); $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'} | Group-Object | Sort-Object Count -Descending'. To identify targeted accounts: '$Events | ForEach-Object {$XML = [xml]$_.ToXml(); $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'} | Group-Object | Sort-Object Count -Descending'. For real-time monitoring, combine with 'Register-WmiEvent' or use 'Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1 | Select-Object -Last 1' in a loop.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive documentation covering Windows security audit events including Event ID 4625 configuration and analysis.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial guide for configuring advanced audit policies to generate security events like 4625 in enterprise environments.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4625#security-auditing#failed-logon

Related Windows Events

Windows Security Event Viewer displaying Event ID 4647 user logoff events on a security monitoring dashboard
Event 4647
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff

Event ID 4647 records when a user initiates a logoff from a Windows session. This security audit event tracks user-initiated disconnections for compliance and security monitoring purposes.

March 189 min
Windows Event Viewer displaying security audit logs with Event ID 4634 logoff events on a SOC monitoring dashboard
Event 4634
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4634 – Microsoft-Windows-Security-Auditing: An Account Was Logged Off

Event ID 4634 records when a user account logs off from a Windows system. This security audit event tracks logoff activities for compliance and security monitoring purposes.

March 1812 min
Windows Event Viewer Security log displaying Event ID 4723 password change audit entries on a cybersecurity monitoring dashboard
Event 4723
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4723 – Microsoft-Windows-Security-Auditing: User Account Password Change Attempt

Event ID 4723 logs when a user attempts to change another user's password. This security audit event tracks administrative password reset operations and helps monitor unauthorized password modifications across Windows domains.

March 1712 min
Windows Event Viewer displaying security audit logs with successful logon events on a cybersecurity monitoring dashboard
Event 4624
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4624 – Microsoft-Windows-Security-Auditing: An Account Was Successfully Logged On

Event ID 4624 records successful user authentication attempts in Windows. This security audit event fires whenever a user, service, or computer account successfully logs on to the system, providing detailed logon session information.

March 1712 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...