Windows Event ID 4625 – Failed logon

Introduction

Event ID 4625 (viewed in Windows Event Viewer) documents every failed attempt at logging on to a local computer. This event is generated on the computer from where the logon attempt was made. A related event, Event ID 4624 documents successful logons.

Event 4625 applies to the following operating systems: Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, and Windows Server 2016 and Windows 10. Corresponding events in Windows Server 2003 and earlier included 529, 530, 531, 532, 533, 534, 535, 536, 537, and 539 for failed logons.

Event ID 4625 looks a little different across Windows Server 2008, 2012, and 2016. Highlighted in the screenshots below are the important fields across each of these versions. 

Event 4625 (Windows 2008)

Event 4625 (Windows 2012)

Event 4625 (Windows 2016)

Description of Event Fields

The important information that can be derived from Event 4625 includes:

• • Logon Type:This field reveals the kind of logon that was attempted. In other words, it points out how the user tried logging on. There are a total of nine different types of logons. The most common logon types are: logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5 (which denotes a service startup) is a red flag. For a description of the different logon types, see Event ID 4624.
• • Account For Which Logon Failed: This section reveals the Account Name of the user who attempted the logon.
• • Failure Information: This section explains the reasons for the logon failure. The Failure Reason field includes a short explanation, while the Status and Sub Status fields list hexadecimal codes, the most common of which are explained below.

Other information that can be obtained from Event 4625:

• • The Subject section reveals the account on the local system that requested the logon (not the user).
• • The Process Information section reveals details surrounding the process that attempted the logon.
• • The Network Information section reveals where the user was when they attempted the logon. If the logon was initiated from your current computer, this information will either be blank or reflect that local computer's workstation name and source network address.
• • The Detailed Authentication section reveals information about the authentication package used while attempting the logon.

The need for a third-party tool

In a typical IT environment, the number of events with ID 4625 (failed logon) can run into the thousands each day. Failed logons are useful on their own, but greater insights into network activity can be drawn from clear connections between them and other pertinent events.

For example, while Event 4625 is generated when an account fails to log on and Event 4624 is generated for successful logons, neither of these events reveal if the same account has recently experienced both. You have to correlate Event 4625 with Event 4624 using their respective Logon IDs to figure that out. 

Thus, event analysis and correlation needs to be performed. Native tools and PowerShell scripts demand expertise and time when employed to this end, so a third-party tool is truly indispensable.

Applying machine learning, ADAudit Plus creates a baseline of normal activities specific to each user and only notifies security personnel when there is a deviation from this norm.

For example, a user who consistently accesses a critical server outside of business hours wouldn't trigger a false positive alert because that behavior is typical for that user. On the other hand, ADAudit Plus would instantly alert security teams when that same user accesses that server during a time they've never accessed it before, even though the access falls within business hours.