How to Troubleshoot Audit Failure Event 4625

If you get hundreds of these 4625 events, it is probably because your server has Remote Desktop enabled and is facing the internet.  For example, your server may be on AWS or Azure with RDP port 3389 allowed from any public source IP.


Cloud Network Firewall Fix:

Assuming you keep the Remote Desktop service running, you should configure the AWS / Azure Security Group's inbound rules to allow only your IP to connect to port 3389.  All these events should then stop occurring.  In summary, you are blocking all IP addresses except yours.

Windows Server Firewall Fix:

As usual, please back up your servers.  If you block your own IP from accessing the server's Remote Desktop port using the Windows Server firewall, you will need to do a restore.

What if you cannot simply block everything and make an exception for yourself? Or maybe you want to find out the specific IP that is causing the event?

If you examine the event, you will see that there is no network info: Workstation Name, Source Network Address and Source Port are all empty.  I will show you how to find out the source network address.

In fact, there is little useful info.  We know Logon Type: 3 means a "network logon".

We know Account Name: "ADMIN1" does not exist on our server, so it is a guessed account name.  The Sub Status: 0xc0000064 confirms that.

If you see Account Name: "Administrator" with Sub Status: 0xc000006a, it means the attacker guessed the wrong password for an account that does exist.

You need to write down one key piece of info: the event date and time (in the Event XML), down to the sub-second level.

Download and run Process Monitor (not Process Explorer) and let it start capturing data.  When you see a new event 4625, stop the capture and start looking through the big log.  Locate the log entries closest to the event date and time.  You may see errors such as LOGON FAILURE or NAME NOT FOUND.  Going backward in time, you may come across some entries regarding the Remote Desktop connection.  Note that "ms-wbt-server" is port 3389, used by RDP.


It tells you the source IP of the machine trying to connect and logon.  That is the source IP you can add to Windows Firewall and block.

Again, DO NOT BLOCK your own IP.  Otherwise, you cannot remote desktop to the server any more.
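A PowerShell script, added here as an example and not taken from the original post, that lists recent 4625 events with the sub-second timestamp you need to match against the Process Monitor capture, decodes the two Sub Status codes discussed above, and then blocks a source IP on TCP/3389 while refusing to block any address that currently holds an RDP session.  $BlockIp is a placeholder for the address you found in Process Monitor; the script assumes it runs in an elevated PowerShell on the affected server.

```powershell
# Added example (not from the original post): summarise recent 4625 events and
# block a confirmed guessing source without locking out the active RDP session.
# Assumes an elevated session on the affected Windows Server.
param(
    [int]$MaxEvents = 200,
    [string]$BlockIp = ""   # placeholder: the IP seen on the ms-wbt-server connection
)

# Sub Status codes the post discusses.
$SubStatus = @{
    '0xc0000064' = 'user name does not exist (guessed account)'
    '0xc000006a' = 'user name exists, wrong password'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        # Sub-second UTC timestamp: this is the value to line up with Process Monitor.
        Time      = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss.fffffff')
        LogonType = $d['LogonType']
        User      = $d['TargetUserName']
        Reason    = if ($SubStatus.ContainsKey($d['SubStatus'])) { $SubStatus[$d['SubStatus']] } else { $d['SubStatus'] }
        SourceIp  = if ($d['IpAddress'] -in @('-', $null, '')) { '(missing: correlate with Process Monitor)' } else { $d['IpAddress'] }
    }
}
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Counts per guessed account name show the shape of the password-guessing run.
$rows | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

if ($BlockIp) {
    # Never block an address that currently holds an RDP session; that is probably you.
    $connected = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue).RemoteAddress
    if ($connected -contains $BlockIp) {
        throw "Refusing to block $BlockIp because it is connected to RDP right now (likely your own IP)."
    }
    New-NetFirewallRule -DisplayName "Block RDP guessing source $BlockIp" -Direction Inbound `
        -RemoteAddress $BlockIp -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
    Write-Host "Inbound TCP/3389 from $BlockIp is now blocked."
}
```

Run it first without -BlockIp to review the events, then rerun with -BlockIp once Process Monitor has confirmed the source address.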

An account failed to log on.

    Security ID:        NULL SID
    Account Name:        –
    Account Domain:        –
    Logon ID:        0x0

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        ADMIN1
    Account Domain:       

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc0000064

Process Information:
    Caller Process ID:    0x0
    Caller Process Name:    –

Network Information:
    Workstation Name:   
    Source Network Address:    –
    Source Port:        –

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    –
    Package Name (NTLM only):    –
    Key Length:        0
