IT Error Decoder

How to Fix Windows Event 4625: An account failed to log on

Error message

Windows Event ID 4625 — An account failed to log on.

Event 4625 is your primary signal for both legitimate user trouble and brute-force attacks. Read the Status and Sub-Status codes to find out which.

What this error means

Windows recorded a failed authentication attempt. The Security event log captures details about who tried, from where, and why it failed.

Why this happens

Common causes are a wrong password, a locked account, expired credentials, a disabled account, or a brute-force attempt.

Quick fix (for end users)

  • Open Event Viewer → Windows Logs → Security and look for the 4625 event.
  • Check the 'Account For Which Logon Failed' and 'Source Network Address' fields.

Admin / engineer fix

  • Decode the failure reason from the Status / Sub Status hex codes. Common values: 0xC000006A = wrong password, 0xC0000234 = account locked, 0xC000006D = bad username.

  • Filter for repeated failures from the same IP — that's brute force.

    # Count failed logons in the last 24 hours by source IP (Properties[19] is the IpAddress field).
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24) } |
        Group-Object @{ Expression = { $_.Properties[19].Value } } |
        Sort-Object Count -Descending

  • If the account is a service account, check whether its password was rotated without updating the service that uses it.
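
The two admin steps above (decode Status / Sub Status, then group failures by source IP) combined into one function, as an added example that is not part of the original page. `Get-FailedLogonSummary`, its `-MinFailures` parameter, and the sample events are assumptions made for illustration; the function reads fields by name from each event's XML rather than by `Properties[]` index.

```powershell
# Added example, not from the original page. Codes and meanings are the three
# listed above; any other code is reported as its raw hex value.
$StatusMeaning = @{
    '0xC000006A' = 'wrong password'
    '0xC0000234' = 'account locked'
    '0xC000006D' = 'bad username'
}

function Get-FailedLogonSummary {
    # Hypothetical helper: takes 4625 events as XML strings, returns one row per source IP.
    param(
        [Parameter(ValueFromPipeline)] [string] $EventXml,
        [int] $MinFailures = 1
    )
    begin { $rows = @() }
    process {
        # Read EventData by field name instead of by position in Properties[].
        $f = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # Assumption: SubStatus is the more specific code; fall back to Status when it is 0x0.
        $code = if ($f.SubStatus -and $f.SubStatus -ne '0x0') { $f.SubStatus } else { "$($f.Status)" }
        $reason = if ($StatusMeaning.ContainsKey($code)) { $StatusMeaning[$code] } else { $code }
        $rows += [pscustomobject]@{ Ip = $f.IpAddress; Account = $f.TargetUserName; Reason = $reason }
    }
    end {
        $rows | Group-Object Ip | Where-Object Count -ge $MinFailures |
            Sort-Object Count -Descending | ForEach-Object {
                [pscustomobject]@{
                    SourceIp = $_.Name
                    Failures = $_.Count
                    Accounts = @($_.Group.Account | Sort-Object -Unique) -join ','
                    Reasons  = @($_.Group.Reason  | Sort-Object -Unique) -join ','
                }
            }
    }
}

# Constructed sample events (documentation IPs, made-up accounts). On a live host, feed it:
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625 } | ForEach-Object { $_.ToXml() }
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
       '<Data Name="TargetUserName">{0}</Data><Data Name="Status">{1}</Data>' +
       '<Data Name="SubStatus">{2}</Data><Data Name="IpAddress">{3}</Data></EventData></Event>'
$sample = @(
    ($tpl -f 'alice',   '0xc000006d', '0xc000006a', '203.0.113.7'),
    ($tpl -f 'bob',     '0xc000006d', '0xc000006a', '203.0.113.7'),
    ($tpl -f 'svc-app', '0xc0000234', '0x0',        '203.0.113.7'),
    ($tpl -f 'carol',   '0xc000006d', '0xc000006a', '198.51.100.20')
)
$sample | Get-FailedLogonSummary -MinFailures 2 | Format-Table -AutoSize
```

A source IP that fails against several different accounts is a stronger brute-force signal than one user retrying a single account, which is why the summary lists accounts alongside the count.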

Step-by-step fix

  1. Find the failing event in Event Viewer.

  2. Decode the Status / Sub Status to find the reason.

  3. Address the root cause (password reset, unlock account, block source IP, etc.).

Affected products

Windows Server · Windows 10 · Windows 11

Common variations of this error

People also see these phrasings of the same problem:

  • Windows audit failure 4625
  • Logon failure event id 4625

Still broken? Try these

  • If the source IP isn't recognized, treat it as suspicious and investigate.
  • Consider account-lockout policy tuning if false-positive lockouts are common.

Frequently asked questions

What's the difference between 4624 and 4625?

4624 is a successful logon. 4625 is a failed logon. Both contain similar fields but 4625 also has Status / Sub Status codes describing why the failure happened.
