Windows Event ID 4625: An account failed to log on
Windows Security Event ID 4625 records an unsuccessful logon attempt and is a core source for investigating brute-force activity, password spraying, and account lockout reports.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
The event is generated when Windows authentication fails for an interactive, network, remote desktop, service, or other logon attempt. The Logon Type field identifies the authentication context.
Key Fields
Account For Which Logon Failed
The account name supplied to the authentication attempt. When the account does not exist, this may be attacker-controlled input rather than a valid directory account.
Failure Reason / Status / Sub Status
These fields explain why authentication failed. Common sub-status values include 0xC000006A for a bad password, 0xC0000064 for an unknown user, 0xC0000234 for a locked account, and 0xC0000072 for a disabled account.
Logon Type
The logon method. Type 2 is console, Type 3 is network access such as SMB, and Type 10 is RemoteInteractive (RDP). Type 10 deserves focused review during remote-access investigations.
Source Network Address / Source Port
The client address and port observed by the target host. These fields are essential for grouping attempts, identifying attack infrastructure, and distinguishing local from remote failures.
Common False Positives
- Users can generate a small number of failures while entering an old or mistyped password.
- A service account with an outdated stored credential can create periodic, highly regular failures after a password rotation.
- Mapped drives, scheduled tasks, and applications may retry cached credentials automatically after a password change.
Related Events
MITRE ATT&CK Mapping
- T1110.001Brute Force: Password Guessing
- T1110.003Brute Force: Password Spraying
- T1078Valid Accounts
Detection Notes
T1110.001/T1110.003 detection should separate Sub Status 0xC000006A (valid account, bad password) from 0xC0000064 (unknown account). More than 10 failures in a 5-minute window from one Source Network Address against many accounts is a starting spray threshold, while Logon Type 10 isolates RDP and Type 3 isolates SMB. Correlate a following 4624 success.
SecurityEvent
| where EventID == 4625
| summarize FailedCount = count() by TargetAccount = Account, IpAddress, bin(TimeGenerated, 5m)
| where FailedCount > 10
| order by FailedCount descindex=wineventlog EventCode=4625
| bucket _time span=5m
| stats count as FailedCount by _time, Account_Name, Source_Network_Address
| where FailedCount > 10Account For Which Logon Failed: CORP\jsmith
Failure Reason: Unknown user name or bad password
Status: 0xC000006D
Sub Status: 0xC000006A
Logon Type: 3
Source Network Address: 10.x.x.x
Source Port: 51422