ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Security Event Viewer displaying Event ID 4625 authentication failure logs on a security monitoring dashboard
Event ID 4625InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. Critical for detecting unauthorized access attempts, brute force attacks, and troubleshooting authentication issues across domain and local accounts.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4625Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4625 represents one of the most critical security audit events in Windows environments. Generated by the Microsoft-Windows-Security-Auditing provider, this event creates a permanent record every time an authentication attempt fails, regardless of whether the failure stems from malicious activity or legitimate user errors.

The event structure includes comprehensive details: the target account name, source workstation or IP address, logon type (interactive, network, service, etc.), authentication package used, and most importantly, the specific failure reason encoded as a status and sub-status code. These codes differentiate between scenarios like wrong passwords, disabled accounts, expired credentials, or policy violations.

Windows generates 4625 events across multiple authentication scenarios. Local logons to workstations, domain authentication through Active Directory, service account authentication, and remote access attempts all trigger this event when they fail. The logon type field specifically identifies which authentication method was attempted, enabling targeted analysis.

From a security perspective, patterns of 4625 events often reveal attack attempts. Multiple failures from the same source IP, systematic attempts against different usernames, or failures outside normal business hours frequently indicate malicious activity. Conversely, isolated 4625 events help administrators troubleshoot legitimate user access problems by providing precise failure reasons.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Incorrect username or password entered during logon attempts
  • Account disabled, locked out, or expired in Active Directory or local SAM database
  • Password expired and user attempting logon without changing credentials
  • Logon time restrictions preventing access outside allowed hours
  • Workstation restrictions blocking logon from unauthorized computers
  • Insufficient user rights for the requested logon type (service, batch, interactive)
  • Authentication package failures or Kerberos ticket issues in domain environments
  • Network connectivity problems preventing domain controller communication
  • Brute force attacks or password spraying attempts against user accounts
  • Service account credential changes not updated in dependent services
  • Smart card authentication failures due to certificate or reader issues
  • Two-factor authentication failures in environments with MFA requirements
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the specific 4625 event details to understand the failure reason and context.

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4625 or search for recent failures
  3. Double-click the event to view detailed properties
  4. Note the Account Name, Workstation Name, and Source Network Address
  5. Check the Logon Type field to understand the authentication method:
    • Type 2: Interactive (local console logon)
    • Type 3: Network (file shares, mapped drives)
    • Type 4: Batch (scheduled tasks)
    • Type 5: Service (Windows services)
    • Type 10: RemoteInteractive (RDP, Terminal Services)
  6. Examine the Failure Reason and Status/Sub Status codes:
    • 0xC000006A: Wrong password
    • 0xC0000072: Account disabled
    • 0xC000006F: Logon outside allowed time
    • 0xC0000070: Workstation restriction
    • 0xC0000193: Account expired
    • 0xC0000071: Password expired
Pro tip: The Sub Status code often provides more specific failure details than the main Status code. Always check both values for complete diagnosis.
02

Query Failed Logons with PowerShell

Use PowerShell to efficiently query and analyze multiple 4625 events for patterns or specific accounts.

  1. Open PowerShell as Administrator
  2. Query recent logon failures with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName
  3. Extract detailed information from specific events:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 100
$Events | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Account = $Event.Event.EventData.Data[5].'#text'
        Workstation = $Event.Event.EventData.Data[13].'#text'
        SourceIP = $Event.Event.EventData.Data[19].'#text'
        LogonType = $Event.Event.EventData.Data[10].'#text'
        Status = $Event.Event.EventData.Data[7].'#text'
        SubStatus = $Event.Event.EventData.Data[9].'#text'
    }
} | Format-Table -AutoSize
  4. Filter for specific accounts or time ranges:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like "*username*"}
  5. Count failures by source IP to identify potential attacks:
    $FailureEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1000
$FailureEvents | ForEach-Object {
    $Event = [xml]$_.ToXml()
    $Event.Event.EventData.Data[19].'#text'
} | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
Warning: Large Security logs can make PowerShell queries slow. Use -MaxEvents parameter and time filters to limit results for better performance.
03

Check Account Status and Policies

Investigate the target account's current status and applicable policies that might cause authentication failures.

  1. For domain accounts, open Active Directory Users and Computers
  2. Locate the failing account and check its properties:
    • Account tab: Verify account is not disabled or locked out
    • Account tab: Check account expiration date
    • Account tab: Review logon hours restrictions
    • Account tab: Examine "Log On To" workstation restrictions
  3. For local accounts, use PowerShell to check status:
    Get-LocalUser -Name "username" | Select-Object Name, Enabled, AccountExpires, PasswordExpired, LastLogon
  4. Check account lockout status in domain environments:
    Search-ADAccount -LockedOut | Select-Object Name, LockedOut, LastLogonDate
  5. Review password policy settings affecting the account:
    Get-ADDefaultDomainPasswordPolicy
  6. For service accounts, verify the service configuration:
    Get-Service | Where-Object {$_.StartType -eq "Automatic"} | ForEach-Object {
    $Service = Get-WmiObject -Class Win32_Service -Filter "Name='$($_.Name)'"
    if ($Service.StartName -like "*username*") {
        [PSCustomObject]@{
            ServiceName = $Service.Name
            StartName = $Service.StartName
            State = $Service.State
        }
    }
}
Pro tip: Account lockouts often cascade across multiple systems. Check domain controller logs and use lockoutstatus.exe from Microsoft to identify the lockout source.
04

Analyze Network Authentication Issues

Investigate network-related authentication failures, particularly for domain environments and remote access scenarios.

  1. Check domain controller connectivity from the failing workstation:
    Test-ComputerSecureChannel -Verbose
  2. Verify DNS resolution for domain controllers:
    nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com
  3. Test Kerberos authentication specifically:
    klist purge
klist tgt
  4. For RDP failures (Logon Type 10), check Terminal Services configuration:
    • Open Group Policy Management
    • Navigate to Computer ConfigurationAdministrative TemplatesWindows ComponentsRemote Desktop Services
    • Review "Limit number of connections" and "Set time limit for disconnected sessions"
  5. Examine network authentication events on domain controllers:
    Get-WinEvent -ComputerName "DC01" -FilterHashtable @{LogName='Security'; Id=4625,4771,4776} -MaxEvents 100 | Where-Object {$_.Message -like "*username*"}
  6. Check for time synchronization issues that affect Kerberos:
    w32tm /query /status
  7. Review firewall logs for blocked authentication traffic:
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id=5152,5157} -MaxEvents 50
Warning: Kerberos authentication requires time synchronization within 5 minutes between client and domain controller. Time skew commonly causes authentication failures.
05

Implement Advanced Monitoring and Correlation

Set up comprehensive monitoring to detect attack patterns and automate response to suspicious authentication failures.

  1. Create custom Event Viewer filters for security monitoring:
    • Open Event ViewerCustom ViewsCreate Custom View
    • Select By logSecurity
    • Include Event IDs: 4625, 4624, 4648, 4771, 4776
    • Save as "Authentication Monitoring"
  2. Configure advanced PowerShell monitoring script:
    $ScriptBlock = {
    $Threshold = 5  # Failed attempts threshold
    $TimeWindow = 300  # 5 minutes in seconds
    
    $FailedLogons = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4625
        StartTime=(Get-Date).AddSeconds(-$TimeWindow)
    } | ForEach-Object {
        $Event = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            SourceIP = $Event.Event.EventData.Data[19].'#text'
            Account = $Event.Event.EventData.Data[5].'#text'
        }
    }
    
    $SuspiciousIPs = $FailedLogons | Group-Object SourceIP | Where-Object {$_.Count -ge $Threshold}
    
    if ($SuspiciousIPs) {
        $SuspiciousIPs | ForEach-Object {
            Write-EventLog -LogName "Application" -Source "Security Monitor" -EventId 1001 -EntryType Warning -Message "Potential brute force attack detected from IP: $($_.Name) with $($_.Count) failed attempts"
        }
    }
}

# Register as scheduled task
Register-ScheduledTask -TaskName "AuthFailureMonitor" -Trigger (New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -Once -At (Get-Date)) -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-WindowStyle Hidden -Command $ScriptBlock")
  3. Set up Windows Event Forwarding for centralized logging:
    • Configure source computers: winrm quickconfig
    • On collector server, run: wecutil qc
    • Create subscription: wecutil cs subscription.xml
  4. Implement automated account lockout response:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Get-ADUser -Filter {LockedOut -eq $true} | Unlock-ADAccount"
$Trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "AutoUnlock" -Action $Action -Trigger $Trigger
  5. Configure SIEM integration using Windows Event Forwarding or Syslog:
    # Example: Forward to Syslog server
$SyslogServer = "192.168.1.100"
$Port = 514

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1 | ForEach-Object {
    $Message = "$($_.TimeCreated) $($env:COMPUTERNAME) Security: $($_.Message)"
    $Bytes = [System.Text.Encoding]::UTF8.GetBytes($Message)
    $UdpClient = New-Object System.Net.Sockets.UdpClient
    $UdpClient.Send($Bytes, $Bytes.Length, $SyslogServer, $Port)
    $UdpClient.Close()
}
Pro tip: Combine 4625 events with successful logon events (4624) to identify successful attacks after multiple failures. This pattern often indicates credential stuffing or successful brute force attempts.

Overview

Event ID 4625 fires whenever a logon attempt fails on a Windows system. This security audit event captures detailed information about unsuccessful authentication attempts, including the account name, workstation, logon type, and failure reason. The event appears in the Security log and requires audit policy configuration to generate.

This event serves dual purposes: security monitoring to detect potential attacks and troubleshooting legitimate authentication problems. Each 4625 event contains specific failure codes that pinpoint why authentication failed, from incorrect passwords to disabled accounts or expired credentials.

The event triggers for various logon types including interactive desktop logons, network authentication, service account logons, and remote desktop connections. Security teams rely heavily on 4625 patterns to identify brute force attacks, while IT administrators use individual events to diagnose user access issues.

Modern Windows systems generate thousands of these events daily in enterprise environments. Proper filtering and analysis tools become essential for extracting actionable intelligence from the volume of authentication data captured in Security logs.

Frequently Asked Questions

What does Event ID 4625 mean and why is it important?+
Event ID 4625 indicates a failed logon attempt on a Windows system. It's generated by the Microsoft-Windows-Security-Auditing provider whenever authentication fails, regardless of the reason. This event is crucial for security monitoring because it helps detect unauthorized access attempts, brute force attacks, and credential stuffing. It also assists IT administrators in troubleshooting legitimate user access problems by providing specific failure codes that identify why authentication failed, such as wrong passwords, disabled accounts, or policy violations.
How can I distinguish between malicious attacks and legitimate user errors in 4625 events?+
Several patterns help differentiate attacks from user errors. Malicious activity typically shows multiple rapid failures from the same source IP, systematic attempts against different usernames, failures occurring outside business hours, or geographically impossible login attempts. Legitimate errors usually involve single users with occasional failures, attempts during normal work hours, and failures from known workstations. Use PowerShell to analyze patterns: group events by source IP and count occurrences, check timing patterns, and correlate with successful logons (Event ID 4624) to identify if attacks eventually succeeded.
What do the different Status and Sub Status codes in Event ID 4625 mean?+
Status and Sub Status codes provide specific failure reasons. Common codes include: 0xC000006A (wrong password), 0xC0000072 (account disabled), 0xC000006F (logon outside allowed time), 0xC0000070 (workstation restriction), 0xC0000193 (account expired), 0xC0000071 (password expired), 0xC000006D (bad username or authentication information), and 0xC000006E (account restriction). The Sub Status code often provides more granular details than the main Status code. These codes help administrators quickly identify whether the issue requires password reset, account enablement, policy adjustment, or security investigation.
How do I set up monitoring for Event ID 4625 to detect potential security threats?+
Implement multi-layered monitoring using Event Viewer custom views, PowerShell scripts, and automated alerting. Create custom views filtering for authentication events (4625, 4624, 4648, 4771, 4776). Use PowerShell to analyze patterns, counting failures by source IP and timeframe to identify thresholds indicating attacks. Set up scheduled tasks to run monitoring scripts every 5-10 minutes, automatically generating alerts when suspicious patterns emerge. Configure Windows Event Forwarding to centralize logs from multiple systems. For enterprise environments, integrate with SIEM solutions using syslog forwarding or Windows Event Forwarding to correlate events across the infrastructure and enable automated response workflows.
Why am I seeing Event ID 4625 for service accounts and how do I resolve it?+
Service account 4625 events typically occur when service credentials become outdated after password changes, when services attempt to start with incorrect credentials, or when account policies restrict service logon rights. First, identify which services use the failing account by checking service configurations with Get-Service and Get-WmiObject. Verify the account has 'Log on as a service' rights in Local Security Policy or Group Policy. Check if the password was recently changed and update service configurations accordingly. For domain service accounts, consider using Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) which automatically handle password rotation. Monitor Event ID 7038 and 7000 in the System log for related service startup failures that often accompany authentication issues.
Documentation

References (2)

1
Microsoft Security Auditing Events DocumentationComprehensive guide to Windows security auditing events including Event ID 4625 configuration and analysishttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Windows Logon Types ReferenceOfficial documentation explaining different Windows logon types that appear in authentication eventshttps://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4625#windows-security#authentication-failures

Related Windows Events

Windows domain controller monitoring dashboard showing Active Directory authentication events and security logs
Event 4776
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4776 – Microsoft-Windows-Security-Auditing: Computer Account Authentication

Event ID 4776 logs computer account authentication attempts in Active Directory environments, tracking domain controller validation of computer credentials during logon processes.

March 189 min
Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed
Event 4771
Microsoft-Windows-Security-Auditing
Windows EventWarning

Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed

Event ID 4771 indicates a Kerberos pre-authentication failure, typically caused by incorrect passwords, expired accounts, or time synchronization issues between client and domain controller.

March 1812 min
Windows Security Event Viewer displaying authentication events on a SOC monitoring dashboard
Event 4648
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4648 – Microsoft-Windows-Security-Auditing: Logon Attempted Using Explicit Credentials

Event ID 4648 fires when a user or process attempts authentication using explicit credentials different from their current logon session, commonly seen with RunAs, network authentication, or service account operations.

March 1812 min
Windows Security Event Viewer displaying Event ID 4647 user logoff events on a security monitoring dashboard
Event 4647
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff

Event ID 4647 records when a user initiates a logoff from a Windows session. This security audit event tracks user-initiated disconnections for compliance and security monitoring purposes.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...