tools to identify event viewer error 4625

Question

tools to identify event viewer error 4625

Jamshid Javidi 106

Hello Support,

i have joined new HP workstations to the Windows server 2016 essential, on prem, physical server, a ___domain controller. I am getting error 4625 on the server. But I am not getting any other information about the IP or users, or the password, etc. I know when i turn off the HP workstations that I recently joined the login failure stops. I do not have any services other than normal service on the workstation that I can suspect. How can i use a tool form Microsoft or third party software that can pinpoint the cause of the problem? I appreciate all your help.

An account failed to log on.

Subject:

Security ID:		SYSTEM

Account Name:		SCHBRSVR16$

Account Domain:		SBTAX22

Logon ID:		0x3E7

Logon Type: 3

Account For Which Logon Failed:

Security ID:		NULL SID

Account Name:		

Account Domain:

Failure Information:

Failure Reason:		Unknown user name or bad password.

Status:			0xC000006D

Sub Status:		0xC0000064

Process Information:

Caller Process ID:	0x38c

Caller Process Name:	C:\Windows\System32\lsass.exe

Network Information:

Workstation Name:	SCHBRSVR16

Source Network Address:	-

Source Port:		-

Detailed Authentication Information:

Logon Process:		Schannel

Authentication Package:	Kerberos

Transited Services:	-

Package Name (NTLM only):	-

Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

2 answers

Your answer

Answer 1

Hello Jamshid,

This issue typically means a service or process is trying to authenticate with invalid credentials but isn’t providing enough identity information.

Recommended Tools and Methods：

Process Monitor (ProcMon) Monitors system processes, registry, and file access in real time. Use it to trace which process is attempting the logon. Download: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon Tip: Run it on the HP workstation and filter for lsass.exe or svchost.exe.
Network Monitor or Microsoft Message Analyzer Captures network traffic to analyze authentication attempts. Useful for identifying services trying to connect with bad credentials. Guide: https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/collect-data-using-network-monitor

Additional Troubleshooting Tips：

On the HP workstation, run:

whoami /all
klist

Check for cached credentials or Kerberos ticket issues.
Look for scheduled tasks, services, or third-party software (e.g., print services or drivers) that might be using outdated ___domain credentials.

Best Regards

Answer 2

Jamshid Javidi 106

Hi Benjamin,

thank you for assisting me. I ran the procmon on the work station but I am not able to identify the issue. here is the snapshot.

User's image

I looked at the scheduler and this is what I see.

User's image

I am not sure what is the culprit.

an additional information, the I joined the workstation to the Windows server 2016 essential using http:\server\connect command.

I appreciate your help.

Jamshid

Share via

tools to identify event viewer error 4625

2 answers

Your answer