TL;DR
Key Takeaways
- Event ID 4625 is a Windows Security log event generated every time a user fails to log on to a Windows system. It captures the username, domain, source IP, logon type, and failure reason.
- A single failed logon is normal. Mistyped passwords happen. The concern starts when failures appear frequently, in patterns, or across multiple accounts.
- Repeated Event ID 4625 entries can signal serious threats — including brute force attacks, credential stuffing, insider threats, and early-stage ransomware activity.
- Logon type matters. Knowing whether a failure came from an interactive login, RDP session, or network share helps you quickly assess the severity and likely source of the attempt.
- Context is everything when investigating. Look at frequency, timing, targeted account types, and source IP addresses before escalating — or dismissing — an alert.
- Event ID 4740 (account lockout) often follows a spike in 4625 events. Seeing both together is a strong signal that an automated attack is in progress.
- Audit Logon Events must be enabled in Windows Group Policy for Event ID 4625 to be captured at all. If it's not enabled, failed logons go unrecorded.
- Strong password policies, MFA, account lockout thresholds, and SIEM monitoring are the most effective controls for reducing risk from failed logon events.
- Huntress Managed SIEM and Managed EDR continuously monitor for Event ID 4625 patterns, filter out the noise, and surface only the activity that requires action.
What Is Event ID 4625?
Event ID 4625 is a Windows Security log entry generated whenever a user fails to log on to a Windows system. It is recorded in Windows Event Viewer under the Security category and captures key details, including:
- Username attempting access
- Domain associated with the account
- Source IP address of the authentication attempt
- Logon type (network, interactive, remote, etc.)
- Failure reason (bad password, unknown username, account locked, etc.)
Why Does Event ID 4625 Occur?
On the surface, a failed logon attempt just means that someone tried (and failed) to access a system. We’ve all forgotten a password at some point, so an occasional failed attempt is completely normal. But when Event ID 4625 starts appearing frequently, it’s time to pay more attention.
Event ID 4625 is triggered by failed logon attempts, which can result from:
| Cause | Description |
|---|---|
| Mistyped password | A legitimate user entered incorrect credentials |
| Brute force attack | Automated, systematic password guessing by attackers |
| Credential stuffing | Use of stolen credentials from prior data breaches |
| Insider threats | Unauthorized employees attempting to access restricted systems |
| Misconfiguration | Software bugs or service accounts with outdated credentials |
| Expired accounts | Former employees' credentials being tested |
What Are the Event ID 4625 Logon Types?
Understanding the logon type field helps determine the nature of the failed attempt:
| Logon Type | Code | Description |
|---|---|---|
| Interactive | 2 | Direct keyboard login at the machine |
| Network | 3 | Access via network share or mapped drive |
| Batch | 4 | Scheduled task or batch job |
| Service | 5 | Windows service startup |
| Remote Interactive | 10 | RDP or Terminal Services login |
| Network Cleartext | 8 | Credentials sent in plaintext |
Is Event ID 4625 a Security Threat?
A single Event ID 4625 is typically not a threat. However, repeated or patterned occurrences are a strong indicator of malicious activity. Security teams should escalate investigation when they observe:
- High frequency of failures in a short time window (possible brute force)
- Multiple accounts targeted from a single IP address (possible credential stuffing)
- Failed attempts on privileged accounts (administrator, service accounts)
- Attempts during off-hours when legitimate users are inactive
- Geographically unusual source IPs outside normal operating regions
How to Investigate Event ID 4625
If you see an Event ID 4625 entry, don’t panic. But
ask these questions:
- How frequent are the failures? Isolated or part of a pattern?
- Which accounts are targeted? Standard users or high-privilege accounts?
- Where are attempts originating? Known internal IP or external/unknown address?
- When did the attempts occur? Business hours or odd times?
- What is the failure reason? Wrong password, disabled account, or unknown username?
These questions can help explain whether you’re dealing with a real threat or user error.
How to Reduce Risk from Event ID 4625
Good (cyber) hygiene goes a long way. You can reduce the risk associated with failed logon attempts by implementing the following best practices:
- Enable Multi-Factor Authentication (MFA): Prevents access even if credentials are compromised
- Enforce strong password policies: This one’s easy. To make brute-force attacks more difficult, require complex passwords and mandate multi-factor authentication (MFA).
- Limit login attempts: Set account lockout policies to temporarily disable accounts after a certain number of failed attempts.
- Log and monitor activity: Use a Security Information and Event Management (SIEM) solution to centralize your logs and automate alerting on suspicious patterns. This enhanced visibility helps you respond faster to potential threats.
- User education: Train your employees on password hygiene and the importance of reporting suspicious login attempts with Security Awareness Training (SAT).
How Does Event ID 4625 Differ from Related Event IDs?
| Event ID | Description |
|---|---|
| 4624 | Successful logon — confirms access was granted |
| 4625 | Failed logon — access was denied |
| 4648 | Logon attempt using explicit credentials |
| 4720 | New user account was created |
| 4740 | Account was locked out (often follows repeated 4625 events) |
Key insight: Event ID 4740 (account lockout) often follows a cluster of 4625 events and is a strong signal that an automated attack is underway.
FAQs about Event ID 4625
Occasional failures (1–5 per day per user) are typical. Dozens or hundreds of failures in a short period, especially across multiple accounts, are abnormal and warrant investigation.
Yes. Ransomware operators frequently use credential attacks as an initial access vector. A spike in 4625 events — particularly targeting RDP or administrative accounts — can precede a ransomware deployment.
Yes. To capture 4625 events, Audit Logon Events must be enabled in your Windows Group Policy under Security Settings > Advanced Audit Policy Configuration > Logon/Logoff.
- Identify the source IP and block it if external
- Check if targeted accounts should be locked or reset
- Alert your security team or managed security provider
- Review your account lockout policy thresholds
- Correlate with Event ID 4740 to confirm lockouts are triggering
Monitor Event ID 4625 With Huntress
Manually tracking every failed logon event is time-intensive and easy to miss. Huntress Managed SIEM and Managed EDR continuously monitor Windows Security logs — including Event ID 4625 — and surface only the threats that matter.
What Huntress delivers:
- 24/7 log monitoring and expert analysis
- Automated alerting on suspicious logon patterns
- Actionable remediation guidance — not just alerts
- Enterprise-grade protection scaled for small and mid-sized businesses
- No internal SOC team required
Protect What Matters
