ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Security analyst monitoring Windows Event ID 4625 logon failures on multiple security dashboards
Event ID 4625InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. This critical security event helps administrators track unauthorized access attempts, brute force attacks, and authentication issues across domain and local accounts.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4625Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Windows Event ID 4625 represents one of the most important security audit events in the Windows ecosystem. Generated by the Microsoft-Windows-Security-Auditing provider, this event creates a detailed record every time an authentication attempt fails on the system. The event contains comprehensive forensic data including the target account, source workstation, authentication package used, logon process, and most importantly, the specific failure reason code.

The event structure includes critical fields like Subject (the account requesting authentication), Account Information (target account details), Logon Information (logon type and authentication package), Network Information (source IP and port), and Detailed Authentication Information (failure codes and sub-status). This granular data enables security analysts to distinguish between legitimate user errors and malicious attack attempts.

In domain environments, 4625 events are generated on both domain controllers and member systems depending on where authentication occurs. Local account failures appear on the target machine, while domain authentication failures typically generate events on domain controllers. The event's failure reason and sub-status codes provide precise diagnostic information - from simple password errors to complex policy violations like time restrictions or workstation limitations.

Security Information and Event Management (SIEM) systems extensively monitor 4625 events to detect attack patterns like credential stuffing, password spraying, and brute force attempts. The event's rich metadata allows for sophisticated correlation rules that can identify distributed attacks across multiple systems and time windows.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Incorrect username or password entered during logon attempt
  • Account locked out due to too many failed attempts
  • User account disabled or expired in Active Directory
  • Password expired and user attempting logon with old credentials
  • Logon time restrictions preventing access outside allowed hours
  • Workstation restrictions blocking logon from unauthorized computers
  • Network logon failures due to trust relationship issues
  • Service account authentication failures with expired passwords
  • Brute force or dictionary attacks against user accounts
  • Credential stuffing attacks using compromised password lists
  • Kerberos authentication failures in domain environments
  • Smart card authentication issues or certificate problems
  • Two-factor authentication failures or token synchronization issues
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the specific failure details in Event Viewer to understand the authentication failure context.

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4625 using Filter Current LogEvent IDs: 4625
  3. Double-click a recent 4625 event to view detailed information
  4. Focus on these critical fields:
    • Account Name: The account that failed authentication
    • Failure Reason: Specific error code (0xC000006A = wrong password, 0xC0000072 = account disabled)
    • Logon Type: Authentication method (2=Interactive, 3=Network, 10=RemoteInteractive)
    • Source Network Address: IP address of authentication attempt
    • Workstation Name: Computer name where attempt originated
  5. Cross-reference the Sub Status code with Microsoft documentation for precise failure reasons
  6. Note the timestamp pattern to identify potential attack sequences
Pro tip: Sub Status 0xC0000064 indicates the account doesn't exist, while 0xC000006A means wrong password - crucial for distinguishing user errors from reconnaissance attempts.
02

PowerShell Analysis and Pattern Detection

Use PowerShell to analyze 4625 events programmatically and identify suspicious patterns or frequent failures.

  1. Query recent logon failures with detailed information:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 100 | 
Select-Object TimeCreated, @{Name='Account';Expression={$_.Properties[5].Value}}, 
@{Name='SourceIP';Expression={$_.Properties[19].Value}}, 
@{Name='FailureReason';Expression={$_.Properties[8].Value}} | 
Format-Table -AutoSize
  2. Identify accounts with multiple failures in the last 24 hours:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)}
$FailuresByAccount = $Events | Group-Object {$_.Properties[5].Value} | 
Sort-Object Count -Descending
$FailuresByAccount | Select-Object Name, Count | Format-Table
  3. Analyze source IP addresses for potential attack sources:
    $Events | Group-Object {$_.Properties[19].Value} | 
Where-Object {$_.Count -gt 10} | 
Sort-Object Count -Descending | 
Select-Object Name, Count
  4. Export detailed failure analysis to CSV for further investigation:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-4)} | 
ForEach-Object {
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Account = $_.Properties[5].Value
        Domain = $_.Properties[6].Value
        SourceIP = $_.Properties[19].Value
        Workstation = $_.Properties[13].Value
        LogonType = $_.Properties[10].Value
        FailureReason = $_.Properties[8].Value
        SubStatus = $_.Properties[9].Value
    }
} | Export-Csv -Path "C:\Temp\LogonFailures.csv" -NoTypeInformation
Warning: High volumes of 4625 events can impact PowerShell performance. Use time filters and -MaxEvents parameter to limit query scope.
03

Configure Advanced Audit Policies and Monitoring

Optimize audit policy settings and implement automated monitoring for proactive security incident detection.

  1. Verify current audit policy configuration:
    auditpol /get /category:"Logon/Logoff"
  2. Enable detailed logon auditing if not already configured:
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
  3. Configure Security log size to handle increased event volume:
    • Open Event ViewerWindows LogsSecurity
    • Right-click SecurityProperties
    • Set Maximum log size to at least 100MB for busy systems
    • Configure Archive the log when full for retention
  4. Create a scheduled task for automated failure monitoring:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorLogonFailures.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "06:00"
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "Monitor Logon Failures" -Action $Action -Trigger $Trigger -Principal $Principal
  5. Implement real-time monitoring with Windows Event Forwarding (WEF) for centralized collection
  6. Configure custom Event Viewer views for quick failure analysis:
    • Create Custom ViewsCreate Custom View
    • Filter by Event ID 4625 with specific failure reason codes
    • Save views for different failure types (brute force, account issues, etc.)
04

Investigate Account Lockout and Security Incidents

Perform comprehensive security incident investigation when 4625 events indicate potential attacks or account compromise.

  1. Correlate 4625 events with account lockout events (4740):
    $StartTime = (Get-Date).AddHours(-2)
$LockoutEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$StartTime}
$FailureEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$StartTime}

foreach ($Lockout in $LockoutEvents) {
    $Account = $Lockout.Properties[0].Value
    $RelatedFailures = $FailureEvents | Where-Object {$_.Properties[5].Value -eq $Account}
    Write-Host "Account $Account locked at $($Lockout.TimeCreated)"
    Write-Host "Related failures: $($RelatedFailures.Count)"
}
  2. Analyze authentication patterns for the affected account:
    $TargetAccount = "username"
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddDays(-7)} | 
Where-Object {($_.Id -eq 4624 -or $_.Id -eq 4625) -and $_.Properties[5].Value -eq $TargetAccount}

$Events | Select-Object Id, TimeCreated, @{Name='Result';Expression={if($_.Id -eq 4624){"Success"}else{"Failure"}}}, 
@{Name='SourceIP';Expression={$_.Properties[18].Value}} | 
Sort-Object TimeCreated | Format-Table
  3. Check for successful logons immediately after failures (potential compromise):
    $Failures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1)}
$Successes = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-1)}

foreach ($Failure in $Failures) {
    $Account = $Failure.Properties[5].Value
    $FailureTime = $Failure.TimeCreated
    $SubsequentSuccess = $Successes | Where-Object {
        $_.Properties[5].Value -eq $Account -and 
        $_.TimeCreated -gt $FailureTime -and 
        $_.TimeCreated -lt $FailureTime.AddMinutes(10)
    }
    if ($SubsequentSuccess) {
        Write-Warning "Potential compromise: $Account failed at $FailureTime, succeeded at $($SubsequentSuccess.TimeCreated)"
    }
}
  4. Generate comprehensive incident report:
    $Report = @()
$UniqueAccounts = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} | 
    Group-Object {$_.Properties[5].Value}).Name

foreach ($Account in $UniqueAccounts) {
    $AccountFailures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} | 
        Where-Object {$_.Properties[5].Value -eq $Account}
    
    $Report += [PSCustomObject]@{
        Account = $Account
        FailureCount = $AccountFailures.Count
        FirstFailure = ($AccountFailures | Sort-Object TimeCreated)[0].TimeCreated
        LastFailure = ($AccountFailures | Sort-Object TimeCreated -Descending)[0].TimeCreated
        UniqueSourceIPs = ($AccountFailures | Group-Object {$_.Properties[19].Value}).Count
        MostCommonFailure = ($AccountFailures | Group-Object {$_.Properties[8].Value} | Sort-Object Count -Descending)[0].Name
    }
}

$Report | Sort-Object FailureCount -Descending | Format-Table
Warning: Always correlate 4625 events with successful logons (4624) and privilege escalation events (4672) for complete incident analysis.
05

Implement SIEM Integration and Automated Response

Deploy enterprise-grade monitoring and automated response capabilities for large-scale 4625 event management.

  1. Configure Windows Event Forwarding for centralized collection:
    # On collector server
wecutil qc /q
wecutil cs subscription.xml

# Create subscription.xml with 4625 event filtering
$SubscriptionXML = @"

    Security-Logon-Failures
    SourceInitiated
    Collect logon failure events
    true
    http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
    Normal
    
            
                
            
        
    ]]>

"@
$SubscriptionXML | Out-File -FilePath "C:\Temp\subscription.xml"
  2. Create PowerShell-based alerting system:
    # Save as MonitorLogonFailures.ps1
param(
    [int]$ThresholdCount = 10,
    [int]$TimeWindowMinutes = 15
)

$StartTime = (Get-Date).AddMinutes(-$TimeWindowMinutes)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$StartTime}

$AccountFailures = $Events | Group-Object {$_.Properties[5].Value} | 
    Where-Object {$_.Count -ge $ThresholdCount}

if ($AccountFailures) {
    $AlertMessage = "High logon failure count detected:`n"
    foreach ($Account in $AccountFailures) {
        $AlertMessage += "Account: $($Account.Name) - Failures: $($Account.Count)`n"
    }
    
    # Send email alert (configure SMTP settings)
    Send-MailMessage -To "security@company.com" -From "alerts@company.com" \
        -Subject "Security Alert: Multiple Logon Failures" -Body $AlertMessage \
        -SmtpServer "smtp.company.com"
    
    # Log to Application event log
    Write-EventLog -LogName Application -Source "Security Monitor" -EventId 1001 \
        -EntryType Warning -Message $AlertMessage
}
  3. Implement automated account lockout response:
    # Automated response script
$SuspiciousIPs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddMinutes(-10)} | 
    Group-Object {$_.Properties[19].Value} | 
    Where-Object {$_.Count -gt 20} | 
    Select-Object -ExpandProperty Name

foreach ($IP in $SuspiciousIPs) {
    if ($IP -ne "-" -and $IP -ne "127.0.0.1") {
        # Block IP using Windows Firewall
        New-NetFirewallRule -DisplayName "Block Suspicious IP $IP" \
            -Direction Inbound -RemoteAddress $IP -Action Block
        
        Write-EventLog -LogName Application -Source "Security Monitor" -EventId 1002 \
            -EntryType Warning -Message "Automatically blocked suspicious IP: $IP"
    }
}
  4. Configure custom performance counters for monitoring:
    # Create custom performance counter for logon failures
$CounterPath = "\Security Events\Logon Failures per Minute"
typeperf $CounterPath -si 60 -o "C:\Logs\LogonFailures.csv"
  5. Integrate with Microsoft Sentinel or third-party SIEM:
    • Configure Azure Monitor Agent for log forwarding
    • Create KQL queries for advanced pattern detection
    • Set up automated playbooks for incident response
    • Implement machine learning-based anomaly detection
Pro tip: Use Event ID 4625 correlation with network traffic analysis and threat intelligence feeds for comprehensive attack detection and attribution.

Overview

Event ID 4625 fires whenever a logon attempt fails on a Windows system. This event is generated by the Windows Security Auditing subsystem and appears in the Security log when authentication fails for any reason - wrong password, disabled account, expired credentials, or policy violations.

This event is crucial for security monitoring as it reveals potential unauthorized access attempts, brute force attacks, and legitimate authentication issues. The event captures detailed information including the account name, workstation, logon type, failure reason, and source network address. Security teams rely heavily on 4625 events to detect suspicious activity patterns and investigate security incidents.

The event fires for both local and domain authentication failures across all logon types - interactive, network, service, batch, and remote desktop sessions. Each failure generates a separate 4625 event with specific failure codes that help administrators quickly identify the root cause. Modern Windows systems generate thousands of these events daily in enterprise environments, making proper filtering and analysis essential for effective security monitoring.

Frequently Asked Questions

What does Event ID 4625 mean and why is it important for security?+
Event ID 4625 indicates that an account failed to log on to a Windows system. This event is generated by the Microsoft-Windows-Security-Auditing provider whenever authentication fails for any reason - wrong password, disabled account, expired credentials, or policy violations. It's critically important for security because it helps detect unauthorized access attempts, brute force attacks, credential stuffing, and other malicious activities. Security teams use 4625 events as primary indicators of potential security incidents, and the event's detailed metadata enables precise forensic analysis and attack attribution.
How can I distinguish between legitimate user errors and malicious attacks in 4625 events?+
Several factors help differentiate legitimate errors from attacks: frequency patterns (attacks typically show rapid, repeated attempts), source IP addresses (attacks often originate from unusual or foreign IPs), failure reason codes (0xC0000064 for non-existent accounts suggests reconnaissance), timing patterns (attacks occur outside business hours), and account targeting (attacks often target administrative or service accounts). Legitimate user errors usually involve single accounts with sporadic failures during business hours, while attacks show systematic patterns across multiple accounts or high-frequency attempts from single sources. Cross-referencing with successful logons immediately after failures can also indicate potential compromise.
What are the most common failure reason codes in Event ID 4625 and what do they mean?+
The most common failure reason codes include: 0xC000006A (wrong password - most frequent legitimate error), 0xC0000064 (user name does not exist - often indicates reconnaissance), 0xC0000072 (account disabled), 0xC000006F (user tried to logon outside allowed time), 0xC0000070 (workstation restriction), 0xC0000193 (account expired), 0xC0000071 (password expired), and 0xC0000234 (account locked out). Understanding these codes is crucial for rapid incident triage - codes like 0xC0000064 with multiple different usernames suggest username enumeration attacks, while 0xC000006A with the same username repeatedly indicates password attacks or user errors.
How should I configure audit policies and log retention for effective 4625 monitoring?+
Enable 'Audit Logon' policy for both success and failure events using 'auditpol /set /subcategory:"Logon" /success:enable /failure:enable'. Set Security log size to at least 100MB (larger for busy systems) with 'Archive the log when full' retention policy. For enterprise environments, implement Windows Event Forwarding (WEF) to centralize collection and reduce local storage requirements. Configure log rotation to maintain 30-90 days of retention depending on compliance requirements. Consider enabling 'Audit Account Lockout' and 'Audit Other Logon/Logoff Events' for comprehensive authentication monitoring. Use Group Policy to deploy consistent audit settings across all domain systems.
What PowerShell commands are most effective for analyzing 4625 events and detecting attack patterns?+
Key PowerShell commands for 4625 analysis include: 'Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}' for basic querying, grouping by account with '$Events | Group-Object {$_.Properties[5].Value}' to identify targeted accounts, analyzing source IPs with '$Events | Group-Object {$_.Properties[19].Value}' to detect attack sources, and time-based filtering using 'StartTime=(Get-Date).AddHours(-X)' for recent events. For pattern detection, use 'Where-Object {$_.Count -gt 10}' to identify high-frequency failures, and correlate with successful logons using multiple event IDs. Export results with 'Export-Csv' for further analysis in Excel or SIEM tools. Always include timestamp analysis to identify attack timeframes and frequency patterns.
Documentation

References (2)

1
Microsoft Security Auditing Events DocumentationComprehensive Microsoft documentation covering Windows security auditing events including Event ID 4625 and related authentication monitoring.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Windows Security Log Events ReferenceOfficial Microsoft reference for Event ID 4625 with detailed field descriptions and failure reason codes.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4625#security-auditing#logon-failures

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...