Description
In this article, I am going to explain about the Local Computer Logon Failure Event 4625. This event will get logged whenever an user tries to login with bad or wrong credentials. Here we will discus about how to Enable Event 4625 through local security policy and Auditpol command in local computer and how to enable Event 4625 in Active Directory based domain environment via Group Policy Object. Here, we will also discus about how to Stop or Disable the event 4625 when you don’t want logon failure activity.
This is event controlled by Logon/Logoff (Audit logon events) category in Audit policy settings. Other important events controlled by this audit policy setting are 4624, 4648, 4634 and 4672
Refer this article Tracking User Logon Activity using Logon and Logoff Events to know about how to track user’s logon duration from logon 4624 and logoff 4634 events.
Summary
- Event ID 4625 Log Source
- How to Enable event 4625 via Local Security Policy
- Steps to Enable event 4625 through Group Policy
- How to Enable event 4625 using Auditpol
- How to Stop/Disable event 4625
Event ID 4625 Sample Source
Description: An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: MyPC$
Account Domain: TestDomain
Logon ID: 0x0
Logon Type:
Account For Which Logon Failed:
Security ID: S-1-5-21-822115511-2935354860-794628881-514
Account Name: Ltest
Account Domain: TestDomain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: MyPC
Source Network Address: 192.178.87.231
Source Port:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Enable event 4625 via Local Security Policy
Steps to enable event 4625 through Local Security Policy:
1. Run the command secpol.msc to open Local Security Policy.
2. In Local Security Policy console, go to the node Audit Policy (Security Settings -> Local Policies-> Audit Policy).
3. In right side pane, double-click the policy Audit logon events.
4. Now check the Failure audit and click Apply to configure logon failure event 4625.
Now, you have successfully configured audit setting to log event 4625 in local computer. if you working in Active Directory based domain environment and if you want to configure this settings in all the computers that exists in domain, you need to achieve this by applying audit setting through any of Group Policy Object.
How to enable event 4625 through Group Policy
Steps to enable event 4625 through GPO:
1. Open Group Policy Management Console by running the command gpmc.msc
2. Expand the domain node, then right-click on the Default Domain Policy, and click Edit option
3. Expand the Computer Configuration node, go to the node Audit Policy (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).
4. Navigate to the right side pane, select the policy Audit logon events, and set the Failure audit value.
5. In Windows 7/Server 2008 R2 and later versions, you can also enable Event ID 4625 through Advanced Audit Policy Configuration. Expand Computer Configuration, and go to the node Advanced Audit Policy Configuration (Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration)
6. Expand this node, go to Logon/Logoff (Audit Polices-> Logon/Logoff ), then select the Setting
Audit Logon, and set its value as Failure
8. Run the command GPUpdate /force to apply this setting in all the Computers
How to enable event 4625 using Auditpol
Auditpol.exe is the command line utility tool to change Audit Security settings as category and sub-category level. It is available by default Windows 2008 R2 and later versions/Windows 7 and later versions. By using Auditpol, we can get/set Audit Security settings per user level and computer level.
Note: You should run Auditpol command with elevated privilege (Run As Administrator);
You can enable audit Event 4625 by using the following command
Auditpol /set /subcategory:"Logon" /failure:enable
How to stop/disable Event 4625
You can disable or stop the logon failure audit Event ID 4625 by using the following command
Auditpol /set /subcategory:"Logon" /failure:disable
You can also stop this event by removing the Failure audit setting from the GPO in the setting path Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Polices->Logon/Logoff->Audit Logon.
Note: You need to refresh/update GPO for every change by running the command GPUpdate/force.
Note : This article is applies to Windows Server 2008,Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
Thanks,
Morgan
Software Developer
Thank you (was looking how to enable this on a Win 8.1 system)