veltec
asked on
Audit failure Event ID 4625, logon type 3, guest account
We have a Windows 2012 R2 Hyper-V host with 2 VMs. We have been getting a lot of Audit Failure Event ID 4625 on all 3 of these machines for the past couple of weeks. Then, about a week ago, it stopped on the VMs and only the Hyper-V host is still getting the error.
It looks like something is trying to sign on with the guest account, which is disabled.
From the source network address, we can tell that it's the Hyper-V virtual switch.
Also, the IP port keeps changing.
We still don't know why it started and how it stopped only on those 2 VMs.
Details of the event are below.
Any help is appreciated.
Thank you.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/25/2017 11:26:29 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: {SERVER-NAME}
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: guest
Account Domain:
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: \\172.16.182.108
Source Network Address: 172.16.182.108
Source Port: 51745
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service
such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3
(network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always
available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was
requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2017-05-25T18:26:29.012902700Z" />
<EventRecordID>58591</EventRecordID>
<Correlation />
<Execution ProcessID="796" ThreadID="6760" />
<Channel>Security</Channel>
<Computer>SERVER-NAME</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">guest</Data>
<Data Name="TargetDomainName">
</Data>
<Data Name="Status">0xc000006e</Data>
<Data Name="FailureReason">%%2310</Data>
<Data Name="SubStatus">0xc0000072</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">\\172.16.182.108</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.16.182.108</Data>
<Data Name="IpPort">51745</Data>
</EventData>
</Event>
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
Thank you, Ajit.
I tried disabling IIS as suggested in the other link, but that didn't help.
In the last link, the issue was a network share with the explorer.exe process.
But in our case, we couldn't identify the process:
"Caller Process Name: -"
Again, I really appreciate your help.
Answered.
ASKER
"From a command prompt run: psexec -i -s -d cmd.exe
From the new cmd window run: rundll32 keymgr.dll,KRShowKeyMgr"
I tried that, but there was nothing on the list.
The sign-on attempts are using the guest account, which is disabled.
This Hyper-V server has 2 network cards.
One of the ports is set with a static IP.
The other one is set as the Hyper-V virtual switch with a dynamic IP, so this virtual switch can be used by the VMs.
The sign-on attempts are coming from the virtual switch IP, not the IPs of the 2 VMs.
The same attempts were also made to the 2 VMs from the virtual switch.
They lasted about a week and then stopped, while they are still continuing on the Hyper-V host.
Is there anything else we could do?
Thank you for your help.
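The thread ends without the originating process being identified, so here is an added PowerShell triage script (written for this page; it is not the asker's or the expert's code) that automates the two checks the discussion above circles around. It reads the 4625 records by field name from the event XML shown in the question, decodes Status/SubStatus, groups the failures by source address and port churn, and checks whether each source address belongs to one of the host's own adapters, in particular the "vEthernet (<switch name>)" adapter that an external virtual switch creates on the management OS. Because 4625 reports "Caller Process Name: -" for type 3 logons (the target machine never learns the client process), it also lists the host's live outbound connections from a local source address so the owning process can be read off while the attempts are occurring. Assumptions: it runs elevated on the Hyper-V host, the Hyper-V module is present (optional, the vSwitch check is skipped otherwise), and the NTLM network logons arrive over SMB on port 445 (other services such as RPC or WinRM use other ports; set -RemotePort accordingly). The parameter names and the $StatusText table are mine.

```powershell
# Added triage script (not from the thread). Assumes: elevated on the Hyper-V
# host; Hyper-V module optional; type-3 NTLM logons arrive over SMB/445 (an
# assumption, override with -RemotePort). $TargetUser/$Hours are example values.
param(
    [string]$TargetUser = 'guest',   # "Account For Which Logon Failed"
    [int]$Hours = 24
)

# Well-known NTSTATUS values that 4625 reports in Status/SubStatus.
$StatusText = @{
    '0xc000006e' = 'account restriction, see SubStatus'
    '0xc0000072' = 'account currently disabled'
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000193' = 'account expired'
    '0xc000015b' = 'logon type not granted'
}

function Get-FailedLogonRows {
    param([string]$User, [datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read <Data Name="..."> fields by name, not position, so the script
        # does not depend on the field order of one event version.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = "$($n.'#text')".Trim() }
        if ($d['TargetUserName'] -ne $User) { continue }
        $sub = $d['SubStatus'].ToLower()
        [pscustomobject]@{
            Time      = $e.TimeCreated
            LogonType = $d['LogonType']
            Status    = $d['Status'].ToLower()
            SubStatus = $sub
            Reason    = if ($StatusText.ContainsKey($sub)) { $StatusText[$sub] } else { 'unlisted' }
            IpAddress = $d['IpAddress']
            IpPort    = $d['IpPort']
            Package   = $d['AuthenticationPackageName']
        }
    }
}

function Get-SourceSummary {
    param($Rows)
    # Which local adapter, if any, owns each source address. A hit means the
    # attempts originate on this host (e.g. its vEthernet adapter), not on a VM.
    $local = Get-NetIPAddress -AddressFamily IPv4
    $vswitchAliases = @()
    if (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue) {
        # The management-OS adapter of an external vSwitch is named "vEthernet (<switch>)".
        $vswitchAliases = @(Get-VMSwitch | ForEach-Object { "vEthernet ($($_.Name))" })
    }
    $Rows | Group-Object IpAddress | ForEach-Object {
        $ip = $_.Name
        $aliases = @($local | Where-Object IPAddress -eq $ip | Select-Object -ExpandProperty InterfaceAlias)
        [pscustomobject]@{
            IpAddress     = $ip
            Attempts      = $_.Count
            DistinctPorts = @($_.Group.IpPort | Sort-Object -Unique).Count   # port churn as in the question
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Reasons       = (@($_.Group.Reason | Sort-Object -Unique) -join '; ')
            LocalAdapter  = if ($aliases) { $aliases -join ', ' } else { '(not local)' }
            IsVSwitch     = [bool]($aliases | Where-Object { $vswitchAliases -contains $_ })
        }
    }
}

function Get-ClientProcess {
    # 4625 shows "Caller Process Name: -" for network logons. When the source IP
    # is local, the client process can be caught on this host from its outbound
    # connections bound to that address while the attempts are happening.
    param([string]$FromAddress, [int]$RemotePort = 445)
    Get-NetTCPConnection -LocalAddress $FromAddress -RemotePort $RemotePort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort  = $_.LocalPort
                RemoteAddr = $_.RemoteAddress
                State      = $_.State
                ProcessId  = $_.OwningProcess
                Process    = if ($p) { $p.ProcessName } else { '(unknown)' }
            }
        }
}

$rows    = @(Get-FailedLogonRows -User $TargetUser -Since (Get-Date).AddHours(-$Hours))
$summary = @(Get-SourceSummary -Rows $rows)
$summary | Format-Table -AutoSize
foreach ($s in ($summary | Where-Object LocalAdapter -ne '(not local)')) {
    "Source $($s.IpAddress) is local ($($s.LocalAdapter)); current client connections from it:"
    Get-ClientProcess -FromAddress $s.IpAddress | Format-Table -AutoSize
}
```

Run it as `.\Find-4625Source.ps1 -TargetUser guest -Hours 168` from an elevated prompt on the host. If the summary shows the source address as local and IsVSwitch true, the guest-account attempts are being generated by something on the host that binds to the vEthernet adapter, which matches the asker's observation that the address is the virtual switch rather than either VM; the connection listing then names the process (or the SYSTEM service) making the outbound calls, which is what the Credential Manager check in the accepted solution was trying to surface. If the source is not local, the same script run on the machine that owns that address will show its process instead.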