Leonard Chvilicek

Analyst's Reference: Windows 4625

Blog post created by Leonard Chvilicek (Employee) on Jun 3, 2017


We are all so familiar with the 4625 as a failed logon, but did you know that the 4625 carries more detail about why the logon failed? I kept these notes regarding this event to write reports for a customer. They show the metakeys of interest and also break down the event's status and sub status codes.


Parser Version Notes

Recently there were some modifications to the Windows event parsers that changed the metakeys in which the status code and sub status code are stored. The table below was compiled from what I have seen in the field.


| Parser Name / Update | Status Code Metakey | Sub Status Code Metakey |
|---|---|---|
| 102 and earlier | disposition | result.code |
| some versions between 102-106 | result.code | fld (throw away) |
| 106 (5/24/17) and later | result.code | context (currently not in default Concentrator index) |


Metakeys of Interest

| Metakey Name | Description |
|---|---|
| device.ip | Device IP - system that reported this event |
| reference.id | Windows Event ID |
| domain | Windows domain name, or local computer name for a local computer logon |
| user.dst | User account that is failing to logon. This can also be a computer account, which ends with a "$". |
| | Windows logon type (see the list of Windows Logon Types below) |
| | Source IP of the system that attempted to logon |
| | Hostname of the system that attempted to logon |
| | Computer that this event 4625 occurred on - someone failed to logon to this system |
| disposition | Status Code - see the parser table above regarding this metakey |
| result.code | Status Code or Sub Status Code - see the parser table above regarding this metakey |
| context | Sub Status Code - see the parser table above regarding this metakey |

Windows Logon Types:

2 - Interactive - Console logon.

3 - Network - Background logon, usually for network drives and other shared resources.

4 - Batch - Job scheduling systems or other applications.

5 - Service - Applications that run as a service with user credentials.

7 - Unlock - Console unlock of a password-protected screen using the local keyboard.

8 - Network Clear Text - Credentials are sent in the clear, IIS basic authentication mode for example.

9 - RunAs - When you right-click and use "Run As" on an application.

10 - Remote - Using an RDP session to logon remotely.

Logon types 2, 3 and 10 are the most common.

NOTE: The following metakeys are not in the default index and will need to be added to the custom table map and custom Concentrator/Broker indexes.





Status / Sub Status Code Descriptions

| Status / Sub Status Code | Description |
|---|---|
| 0xC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account (unknown user). |
| 0xC000006A | User logon with misspelled or bad password. |
| 0xC000006D | This is either due to a bad username or authentication information. |
| 0xC000006E | Unknown user name or bad password. |
| 0xC000006F | User logon outside authorized hours. |
| 0xC0000070 | User logon from unauthorized workstation. |
| 0xC0000071 | User logon with expired password. |
| 0xC0000072 | User logon to account disabled by administrator. |
| 0xC00000DC | Indicates the SAM server was in the wrong state to perform the desired operation. |
| 0xC0000133 | Clocks between DC and other computer too far out of sync. |
| 0xC000015B | The user has not been granted the requested logon type (aka logon right) at this machine. |
| 0xC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0xC0000192 | An attempt was made to logon, but the Netlogon service was not started. |
| 0xC0000193 | User logon with expired account. |
| 0xC0000224 | User is required to change password at next logon. |
| 0xC0000225 | Evidently a bug in Windows and not a risk. |
| 0xC0000234 | User logon with account locked. |
| 0xC00002EE | Failure Reason: An error occurred during logon. |
| 0xC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |

Sample Queries

The sample queries below cover both sets of metakeys: those written by the older parsers (disposition and result.code) and those written by the newer updated parsers (result.code and context).


User Does Not Exist - Status Code 0xc000006D Sub Status Code 0xC0000064

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006d' && context = '0xC0000064') || (disposition = '0xc000006d' && result.code = '0xC0000064')) && (not(user.dst ends '$'))


User Bad Password - Status Code 0xc000006D Sub Status Code 0xC000006A

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006d' && context = '0xC000006A') || (disposition = '0xc000006d' && result.code = '0xC000006A')) && (not(user.dst ends '$'))


Disabled User Accounts - Status Code 0xc000006E Sub Status Code 0xc0000072

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000072') || (disposition = '0xc000006e' && result.code = '0xC0000072')) && (not(user.dst ends '$'))


Logon with Expired Password - Status Code 0xc000006E Sub Status Code 0xc0000071

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000071') || (disposition = '0xc000006e' && result.code = '0xC0000071')) && (not(user.dst ends '$'))


User Must Change Password at Next Logon - Status Code 0xc0000224 Sub Status Code 0x0

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((disposition = '0xc0000224' && result.code = '0x0') || ((not(disposition exists)) && result.code = '0xc0000224' && context = '0x0')) && (not(user.dst ends '$'))


User Was Not Granted Rights to Logon - Status Code 0xc000015B Sub Status Code 0x0

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000015b' && context = '0x0') || (disposition = '0xc000015b' && result.code = '0x0')) && (not(user.dst ends '$'))
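The status/sub status table and the pairing pattern behind the sample queries above, worked through in code. This is an added example, not code from the original post or from NetWitness. It assumes each 4625 event is available as a flat dict of its EventData fields (Status, SubStatus, LogonType, TargetUserName, TargetDomainName, IpAddress, WorkstationName, the field names Windows writes in the event XML); the sample events are constructed. It classifies and describes each record using the post's table, excludes computer accounts (names ending in "$") as the queries do, and builds a query string in the post's dual-parser form for any status/sub status pair, following the post's casing of the hex values.

```python
"""Classify Windows 4625 failed-logon events by Status / Sub Status code.

Added example, not part of the original post. The flat-dict record layout
(EventData field names as written in the 4625 event XML) is an assumption.
"""
from collections import Counter
from typing import Optional

# Status / Sub Status descriptions, condensed from the post's table.
NTSTATUS_DESCRIPTIONS = {
    0x0: "Status OK",
    0xC000005E: "No logon servers available to service the request",
    0xC0000064: "Misspelled or bad user account (unknown user)",
    0xC000006A: "Misspelled or bad password",
    0xC000006D: "Bad user name or authentication information",
    0xC000006E: "Unknown user name or bad password",
    0xC000006F: "Logon outside authorized hours",
    0xC0000070: "Logon from unauthorized workstation",
    0xC0000071: "Expired password",
    0xC0000072: "Account disabled by administrator",
    0xC00000DC: "SAM server in the wrong state",
    0xC0000133: "Clock skew between DC and client too large",
    0xC000015B: "Requested logon type not granted on this machine",
    0xC000018C: "Trust relationship with the trusted domain failed",
    0xC0000192: "Netlogon service not started",
    0xC0000193: "Expired account",
    0xC0000224: "Password must be changed at next logon",
    0xC0000225: "Windows bug, not a risk",
    0xC0000234: "Account locked out",
    0xC00002EE: "Error occurred during logon",
    0xC0000413: "Blocked by authentication firewall",
}

# Logon types from the post's list.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "Network Clear Text", 9: "RunAs", 10: "Remote"}

# (Status, Sub Status) pairs used by the post's sample queries.
FAILURE_CLASSES = {
    (0xC000006D, 0xC0000064): "user_does_not_exist",
    (0xC000006D, 0xC000006A): "bad_password",
    (0xC000006E, 0xC0000072): "account_disabled",
    (0xC000006E, 0xC0000071): "expired_password",
    (0xC0000224, 0x0): "must_change_password",
    (0xC000015B, 0x0): "logon_right_not_granted",
}


def _ev(user, status, sub, logon_type, ip, host):
    """Build one constructed 4625 record (flat EventData fields)."""
    return {"EventID": 4625, "TargetUserName": user, "TargetDomainName": "CORP",
            "Status": status, "SubStatus": sub, "LogonType": logon_type,
            "IpAddress": ip, "WorkstationName": host}


# Constructed sample events, not real telemetry. Hex casing is deliberately mixed.
SAMPLE_EVENTS = [
    _ev("jdoe", "0xc000006d", "0xc0000064", "3", "10.0.0.5", "WS01"),
    _ev("admin", "0xc000006d", "0xC000006A", "10", "10.0.0.7", "WS02"),
    _ev("svc_backup", "0xc000006e", "0xc0000072", "2", "10.0.0.8", "WS03"),
    _ev("newhire", "0xc0000224", "0x0", "2", "10.0.0.9", "WS04"),
    _ev("WS02$", "0xc000006d", "0xc000006a", "3", "10.0.0.7", "WS02"),  # computer account
    _ev("jdoe", "0xc0000234", "0x0", "3", "10.0.0.5", "WS01"),          # not in query set
]


def parse_code(value: str) -> int:
    """Parse an NTSTATUS hex string case-insensitively ('0xc000006d', '0XC0000064')."""
    return int(value, 16)


def classify(event) -> Optional[str]:
    """Return the failure class for one 4625 record, None for computer accounts
    (the queries exclude user.dst ending in '$'), 'other' for an unlisted pair."""
    if event.get("EventID") != 4625 or event["TargetUserName"].endswith("$"):
        return None
    pair = (parse_code(event["Status"]), parse_code(event["SubStatus"]))
    return FAILURE_CLASSES.get(pair, "other")


def describe(event) -> str:
    """One report line: the sub status is the specific reason when present;
    a sub status of 0x0 means only the status applies."""
    status, sub = parse_code(event["Status"]), parse_code(event["SubStatus"])
    reason = NTSTATUS_DESCRIPTIONS.get(sub or status, "Unlisted code")
    logon = LOGON_TYPES.get(int(event["LogonType"]), "Unknown")
    return (f"{event['TargetDomainName']}\\{event['TargetUserName']} "
            f"from {event['IpAddress']} ({logon}): {reason}")


def summarize(events) -> dict:
    """Count classified records per failure class, skipping computer accounts."""
    counts = Counter(label for label in map(classify, events) if label)
    return dict(counts)


def netwitness_query(status: int, substatus: int) -> str:
    """Query in the post's dual-parser form: newer parser (result.code + context)
    OR older parser (disposition + result.code). Status is written lowercase and
    sub status uppercase, matching the post's queries."""
    s = f"0x{status:08x}"
    ss = "0x0" if substatus == 0 else f"0x{substatus:08X}"
    return ("medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && "
            f"(((not(disposition exists)) && result.code = '{s}' && context = '{ss}') || "
            f"(disposition = '{s}' && result.code = '{ss}')) && (not(user.dst ends '$'))")


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e), "|", describe(e))
    print(summarize(SAMPLE_EVENTS))
    print(netwitness_query(0xC000006D, 0xC000006A))
```

Pairs that are in the status table but not in the post's query set (the locked-out record above, for instance) are counted under "other" rather than dropped, so a new failure reason shows up in the summary instead of disappearing silently. The query builder reproduces the post's bad-password query verbatim for the pair 0xC000006D / 0xC000006A.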



Windows4625CustomColumns-EventView.jsn.zip - Custom column view for the "Events" view in Investigation.

In Investigation --> Events, it is the drop-down right next to "Profile". Choose "Manage Column Groups" and import the .jsn file.


Report-User Failed Logon Attempts (4625) FINAL.zip - Windows 4625 report based on the sample rules in this post. Just import it into the Report Engine.