How do I specify the account when auditing a failure?
I set up login auditing. To check it, I decided to enter the password incorrectly a couple of times; then in the event log, in the login failure audit, I noticed that the field with the account name is not specified. How can I fix this so that it shows which user was trying to log in?
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2020 4:56:48 PM
Event ID: 4625
Task Category: Logon
Level: Details
Keywords: Failure Auditing
User: N/A
Computer: DESKTOP-BITQR9N
Description:
The account failed to log in.
Subject:
    SID: SYSTEM
    Account name: DESKTOP-BITQR9N$
    Account Domain: WORKGROUP
    Login ID: 0x3E7
Login Type: 2
Failed Login Account:
    SID: NULL SID
    Account Name: -
    Account Domain: -
Error Details:
    Error Reason: Login failed.
    State: 0xC000006D
    Substate: 0xC0000380
Process Detail:
    Caller Process ID: 0x6c0
    Caller Process Name: C:\Windows\System32\svchost.exe
Network Detail:
    Workstation Name: -
    Source Network Address: 127.0.0.1
    Source Port: 0
Authentication Details:
    Login Process: User32
    Authentication Package: Negotiate
    Intermediate Services: -
    Package Name (NTLM only): -
    Key Length: 0
This event occurs when a login attempt fails. It is registered on the computer where access was attempted.
The Subject fields indicate the local system account that requested the logon. This is usually a service, such as the Server service, or a local process, such as Winlogon.exe or Services.exe.
The Login Type field indicates the type of login that was made. The most common are types 2 (interactive) and 3 (network).
The Process Detail fields indicate which account and process on the system made the login request.
The Network Information fields indicate the source of the remote login request. The workstation name is not always available, and in some cases this field may be left blank.
The authentication information fields contain details about a specific login request.
- The "Intermediate Services" field indicates which intermediate services participated in this login request.
- The "Package Name" field indicates the subprotocol used with the NTLM protocols.
- The "Key Length" field contains the length of the generated session key. This field can be "0" if no session key was requested.
event xml:
Security
DESKTOP-BITQR9N
S-1-5-18
DESKTOP-BITQR9N$
WORKGROUP
0x3e7
S-1-0-0
-
-
0xc000006d
%%2304
0xc0000380
2
User32
Negotiate
-
-
-
0
0x6c0
C:\Windows\System32\svchost.exe
127.0.0.1
0
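One way to triage exported 4625 events and separate the failures that carry no account name, as an added example that is not part of the original post. It assumes the events are available as event XML with the standard 4625 EventData field names; the sample events are constructed from the values in the post, and the "alice" account is made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Subset of NTSTATUS values documented for 4625; anything else is shown as raw hex.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def build_event(**data):
    """Constructed sample input: wrap EventData fields in the event XML envelope."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<Computer>DESKTOP-BITQR9N</Computer></System>'
            f'<EventData>{rows}</EventData></Event>')

# Values taken from the event in the post above.
POSTED = build_event(TargetUserSid="S-1-0-0", TargetUserName="-", TargetDomainName="-",
                     Status="0xc000006d", SubStatus="0xc0000380", LogonType="2",
                     ProcessName=r"C:\Windows\System32\svchost.exe", IpAddress="127.0.0.1")
# Constructed contrast case: a failure that does carry an account name.
NAMED = build_event(TargetUserSid="S-1-0-0", TargetUserName="alice",
                    TargetDomainName="DESKTOP-BITQR9N",
                    Status="0xc000006d", SubStatus="0xc000006a", LogonType="2",
                    ProcessName=r"C:\Windows\System32\svchost.exe", IpAddress="127.0.0.1")

def status_name(value):
    code = int(value, 16)
    return NTSTATUS.get(code, f"0x{code:08X}")

def parse_4625(xml_text):
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    d = {x.get("Name"): (x.text or "").strip()
         for x in root.iterfind("e:EventData/e:Data", NS)}
    user = d.get("TargetUserName", "")
    named = user not in ("", "-")  # "-" is how an empty account name is rendered
    return {"target": f'{d.get("TargetDomainName", "-")}\\{user}' if named else None,
            "logon_type": int(d["LogonType"]),
            "status": status_name(d["Status"]), "sub_status": status_name(d["SubStatus"]),
            "caller": d.get("ProcessName", ""), "source": d.get("IpAddress", "")}

def summarize(xml_events):
    """Count failures per account; nameless ones are bucketed by sub-status and caller."""
    counts = Counter()
    for ev in map(parse_4625, xml_events):
        counts[ev["target"] or f'<no account name> {ev["sub_status"]} via {ev["caller"]}'] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize([POSTED, POSTED, NAMED]).items():
        print(n, key)
```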