During a 4625 Windows event (failed logon) such as the one below, who has actually typed the incorrect credentials?
a) Was it the user on the computer logged in as paulb incorrectly typing admin-user credentials?
Or b) is it the user logged in as admin-user incorrectly typing paulb's credentials?
WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
M-P-BO-SOA1: An account failed to log on.
Subject:
Security ID: S-1-4-11-123456789-123456789-123456789-1234
Account Name: admin-user
Account Domain: WINSERVER01
Logon ID: 0x6772f
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: paulb
Account Domain:
Failure Information:
Failure Reason: %%2313
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xfb8
Caller Process Name: C:\Windows\System32\dllhost.exe
Network Information:
Workstation Name: WINSERVER01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
Best Answer
Account admin-user (subject) tried to log on as paulb interactively (logon type 2), which failed because the password is wrong (0xC000006d/0xC000006A).
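The reading given in the answer, as an added example that is not part of the original post: a small parser that takes the event text (fields copied from the question, trimmed, one per line) and reports who made the request, whose credentials were rejected, and why. The function names are hypothetical, and the status and logon-type tables are subsets.

```python
# Subset of the NTSTATUS codes that appear in 4625 events.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE: bad user name or authentication information",
    0xC000006A: "STATUS_WRONG_PASSWORD: user name is valid, password is wrong",
    0xC0000064: "STATUS_NO_SUCH_USER: user name does not exist",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information"}

# Fields copied from the event in the question (trimmed), one per line.
SAMPLE = """
Subject:
Account Name: admin-user
Account Domain: WINSERVER01
Logon Type: 2
Account For Which Logon Failed:
Account Name: paulb
Account Domain:
Failure Information:
Status: 0xc000006d
Sub Status: 0xc000006a
"""

def parse_4625(text):
    """Group 'Key: value' lines under the section header that precedes them."""
    event, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition(":")
        if sep and not value and key in SECTIONS:
            section = event.setdefault(key, {})
        elif key == "Logon Type":          # top-level field, not part of Subject
            event[key] = int(value)
        elif sep and section is not None:
            section[key.strip()] = value.strip()
    return event

def explain(event):
    """Return (requesting account, account that failed, logon type, reason)."""
    actor = event["Subject"]["Account Name"]
    target = event["Account For Which Logon Failed"]["Account Name"]
    fail = event["Failure Information"]
    # Sub Status is the more specific code; fall back to Status when it is 0x0.
    code = int(fail.get("Sub Status", "0"), 16) or int(fail["Status"], 16)
    return (actor, target, LOGON_TYPES.get(event["Logon Type"], "other"),
            NTSTATUS.get(code, hex(code)))

if __name__ == "__main__":
    print(explain(parse_4625(SAMPLE)))
```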