esunaga
Guest
I was checking Event Viewer to keep track of some stuff and realized I've been having security audit failures every day since August 25th (there are no entries before this date). I remember doing a System Restore on the day before, which might explain why I don't have any older events in the security event log (not sure if they get erased by a System Restore?). I'm not sure if this problem started on the 25th or before that as I don't check Event Viewer very often, but I'm a bit confused since, from what I gathered after a bit of googling, this event seems related to a Windows Server issue that might happen when someone tries to log in/hack(?) into a server. My machine isn't running a server - it's my personal computer. Also, the account where this "failed log on attempt" happens is the default Windows 10 guest account that I don't even have activated on my machine. How is this possible? Here's the log, I'd really appreciate it if someone could explain it to me a little better:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 29-Aug-19 1:18:38 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SKELETOR
Description:
An account failed to log on.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: guest
  Account Domain:
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D
  Sub Status: 0xC0000064
Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
Network Information:
  Workstation Name: \\(my ip)
  Source Network Address: (my ip)
  Source Port: 60163
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
My first concern was that this could be someone trying to hack into my computer, but I ran several malware/virus scans very recently and couldn't find any threat. My computer also seems to be working normally; I haven't run into any BSODs or anything particularly odd/suspicious. This Event always pops up in Event Viewer around 1 PM, and there are always only two logon attempts with roughly 5 seconds between them. The only other "different" thing I did on the 24th/25th was that I accidentally enabled Windows 10's update to version 1903, then used the System Restore I mentioned before to stop it. There are still some leftover files from the unfinished 1903 update on my computer, and I'm wondering if I should actually update to 1903 to try and see if this issue can be fixed. I'd really appreciate any advice/help on this issue since this is all very intimidating and scary to me.
Edit: Okay, now I'm a little creeped out. I'm not sure if this happened because I'm currently installing the Windows 1903 Update, but ALL of my audit failure logs have just disappeared. I thought I had some filters applied and this is why I couldn't see them, but that's clearly not the case. Even most of my 'Audit Success' events are missing - I can only see the most recent ones. Does Windows delete Security logs in Event Viewer when it gets updated? I'm not sure if this is normal behavior.
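Added example, not part of the original post: a small Python triage helper that parses the pasted text of a 4625 event, decodes the Logon Type and the Status / Sub Status codes, and checks whether the Source Network Address is one of the machine's own addresses. The function names are hypothetical, and the sample is an abridged copy of the event above with "(my ip)" replaced by a constructed documentation address (192.0.2.10).

```python
# NTSTATUS codes commonly seen in event 4625 Status / Sub Status fields.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE: bad user name or authentication information",
    0xC0000064: "STATUS_NO_SUCH_USER: the account name does not exist",
    0xC000006A: "STATUS_WRONG_PASSWORD: the account exists, the password is wrong",
    0xC0000072: "STATUS_ACCOUNT_DISABLED: the account exists but is disabled",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}

# Abridged copy of the event in the post. "(my ip)" is replaced by a constructed
# documentation address so the origin check has a value to compare against.
SAMPLE = """Subject:
Logon Type: 3
Account For Which Logon Failed:
Account Name: guest
Account Domain:
Failure Information:
Status: 0xC000006D
Sub Status: 0xC0000064
Network Information:
Source Network Address: 192.0.2.10"""

def parse_4625(text):
    """Map (section, field) -> value for a pasted 4625 description."""
    fields, section = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in SECTIONS and not value.strip():
            section = key                           # header line opens a new block
        elif sep:
            fields[(section, key)] = value.strip()  # empty values are kept
    return fields

def triage(text, local_addresses):
    f = parse_4625(text)
    fail = "Failure Information"
    src = f[("Network Information", "Source Network Address")]
    return {
        "account": f[("Account For Which Logon Failed", "Account Name")],
        # Logon Type follows the Subject block, so it is stored under it.
        "logon_type": LOGON_TYPES.get(int(f[("Subject", "Logon Type")]), "other"),
        "status": NTSTATUS.get(int(f[(fail, "Status")], 16), "unlisted"),
        "sub_status": NTSTATUS.get(int(f[(fail, "Sub Status")], 16), "unlisted"),
        "from_this_host": src in local_addresses,
    }

print(triage(SAMPLE, {"192.0.2.10"}))
```

Pass the machine's own IP addresses as `local_addresses`; a `from_this_host` value of `True` means the network logon attempt was made from the same computer that logged it.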