You may see “An account failed to log on” in Event Viewer with ID 4625 if there are failed attempts to your IIS server from a user or service.
In my case, this was a server in the Exchange environment. The error message we saw in the Event Viewer is below. It was being logged after half an hour.
An account failed to log on.
Security ID: SYSTEM
Account Domain: CONTOSO
Logon ID: 0x5f9
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Failure Reason: Account currently disabled.
Sub Status: 0xc0000072
Caller Process ID: 0x2c0
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Source Network Address: –
Source Port: –
Detailed Authentication Information:
Logon Process: Authz
Authentication Package: Kerberos
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
- OS is Windows Server 2008 R2
- Exchange Server 2010
- The server is exposed to internet
Solution for Event ID 4625 (An account failed to log on)
Check the IIS logs to determine where the requests are coming from around the time you Event ID 4625 is logged.
In my case, I saw that there was a certain server making these requests. Upon checking the server, we saw that an obsolete third-party service was causing the failed attempts. Disabling this service solved the issue.
If you are seeing 0xc0000005 exception code in regards to your w3wp.exe crash, check this post out: 0xc0000005 exception code causes w3wp.exe crashes
- Microsoft documentation about Event ID 4625
- Additional information for Event ID 4625
- Additional information for Event ID 4624