Home » PowerShell » Event Id 4625 0xc000006a – Account Failed to Log on

Event Id 4625 0xc000006a – Account Failed to Log on

The error code 0xC000006A does means Account logon with a misspelled or bad password but not necessarily locked out.

The error code 0xC000006D means the cause is either a bad username or authentication information.

These logs with Event Id 4625 log under LogName Security with Audit Failure.

In this article, we will discuss error codes 0xC000006A and 0xC000006D, logon failure reason and event id 4625, and the best possible way to find the source of 4625 Event Id in Windows Server.

Error Code: 0xc000006a

When the user tries to logon into the window server with the correct username but with a bad password, it display login attempt failed message and windows security log event 4625 with error code: 0xc000006a

Logon failure reason for error code 0xc000006a is ‘unknown user name or bad password’.

Error code: 0xc000006a
Error code: 0xc000006a

Event Id 4625 – Error Code 0xC000006D

Event Id 4625 contains failure information for error code status 0xC000006D and sub status is 0xC0000064

Failure reason for status 0xC000006D is Unknown user name or bad password.

4625 Event Id - Status 0xC000006D
4625 Event Id – Status 0xC000006D

Cool Tip: How to perform concatenation of string in PowerShell!

Event Id 4625 Description

It generates on the workstation where a logon attempt was made.

Failure reason may be an unknown user name or a bad password.

It generates on domain controllers, workstations, and window servers.

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		torrentbox
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC0000064

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	B_21
	Source Network Address:	**.**.***.160
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event Id 4625 provides details about it like Subject Id, Logon type, Account for which Logon failed, Failure Information, Process Information, Network Information, and Detailed Authentication Information.

Cool Tip: Event Id 4634 – An Account was logged off!

Refer Windows Logon Status code table to find the logon failure reason for the Status codes.

Status\Sub-Status CodeDescription
0XC000005EThere are currently no logon servers available to service the logon request.
0xC0000064User logon with a misspelled or bad user account
0xC000006AUser logon with misspelled or bad password
0XC000006DThe cause is either a bad username or authentication information
0XC000006EIndicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).
0xC000006FUser logon outside authorized hours
0xC0000070User logon from unauthorized workstation
0xC0000071User logon with expired password
0xC0000072User logon to account disabled by administrator
0XC00000DCIndicates the Sam Server was in the wrong state to perform the desired operation.
0XC0000133Clocks between DC and other computer too far out of sync
0XC000015BThe user has not been granted the requested logon type (also called the logon right) at this machine
0XC000018CThe logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0XC0000192An attempt was made to logon, but the Netlogon service was not started.
0xC0000193User logon with expired account
0XC0000224User is required to change password at next logon
0XC0000225Evidently a bug in Windows and not a risk
0xC0000234User logon with account locked
0XC00002EEFailure Reason: An Error occurred during Logon
0XC0000413Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
0x0Status OK.
Windows Logon Status code

Cool Tip: Event Id 4776 Status Code 0xc0000234 – Fix to find the source of attempt!

Solution to find source of 4625 Event Id Status Code 0xC000006D or 0xC000006A

To know the source of the login attempt, we have to enable verbose netlogon logging on Domain Controller.

  • Open a Cmd (Command Prompt) with Administrator privileges.
  • Run below command
Nltest /DBFlag:2080FFFF
  • Netlogon service stops and restarts not required.
  • If you want to turn off the verbose netlogon logging after trace of 4625 event id, run below command
Nltest /DBFlag:0x0
  • Netlogon related events are available in file %windir%\debug\netlogon.log

You can run the Nltest command in PowerShell.

Open PowerShell with ‘Run as Administrator and run the below command

Nltest /DBFlag:2080FFFF
Restart-Service Netlogon

The output of the enabling verbose log on the workstation is:

Enable Verbose Log - 4626 Event Id
Enable Verbose Log – 4626 Event Id

To read the events of the above file, open the log file with run as administrator.

netlogon.log file contains the user logon attempt and its source location.

Cool Tip: Event Id 4771 – Kerberos pre-authentication failed!

This will help you to trace the workstation from where the login attempt was coming.

You can enable or disable netlogon logging using the registry method.

  • Open the registry editor
  • If Reg_SZ value for the below registry entry exists, delete it.
  • Create REG_DWORD with the same word and assign value 2080FFFF hexadecimal value. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

Review netogon.log file display source information like its machine name or IP address.

01/23 15:19:56 [MISC] [5788] SHELL_ENG: DsGetDcName function returns 0 (client PID=704): Dom:SHELL_ENG Acct:(null) Flags: DS NETBIOS RET_DNS 
01/23 15:20:12 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from CORP-EU-S21 Entered
01/23 15:20:12 [LOGON] [4084] SHELL_ENG: NlPickDomainWithAccount: braceit: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
01/23 15:20:12 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from CORP-EU-S21 Returns 0xC000006A
01/23 15:20:20 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from CORP-EU-S21 Entered
01/23 15:20:20 [LOGON] [4084] SHELL_ENG: NlPickDomainWithAccount: braceit: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
01/23 15:20:20 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from COPR-EU-S17 Returns 0xC000006A
01/23 15:20:44 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from CORP-EU-S21 Entered
01/23 15:20:44 [LOGON] [4084] SHELL_ENG: NlPickDomainWithAccount: braceit: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
01/23 15:20:44 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from CORP-EU-S21 Returns 0x0
01/23 15:20:47 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from CORP-EU-S21 Entered
01/23 15:20:47 [LOGON] [4084] SHELL_ENG: NlPickDomainWithAccount: braceit: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
01/23 15:20:47 [LOGON] [4084] SHELL_ENG: SamLogon: Network logon of braceit from CORP-EU-S21 Returns 0x0

In the above netlogon.log file, it displays the source from where the logon attempt occurred.

This event also logs error code: 0xC000006A, which means the user logon with a misspelled or bad password.

Cool Tip: How to manipulate Active Directory UserAccountControl flags in PowerShell!

If you open Event Id 4625 and look at the details section, it will display the source from where the logon attempt was made.

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		braceit
	Account Domain:		SHELLGEEK

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	CORP-EU-S21
	Source Network Address:	10.16.15.14
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

In the above log, it captured workstation name and source network IP address from where logon attempt was made.

In the failure information field, it logs this event with logon failure reason, and error status: 0xC000006D and sub status: 0xc000006a.

Cool Tip: Event Id 4670 – Permissions on an object were changed!

Conclusion

I hope the above article on error status code 0xc000006a or 0xc000006d logs under windows security event id 4625 is helpful to you.

Error code 0xc000006a means ‘Account logon with a misspelled or bad password but not necessarily locked out.’

Error status code 0xc000006d ‘means ‘The cause is either a bad username or authentication information

Using enabling the verbose logging for the netlogon service on the Domain controller will help you to find out the logon attempt location.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

You can read more on other windows security and system event logs as given:

Leave a Comment