You may see “An account failed to log on” in Event Viewer with ID 4625 if there are failed attempts to your IIS server from a user or service.
In my case, this was a server in the Exchange environment. The error message we saw in the Event Viewer is below. It was being logged after half an hour.
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name:
Account Domain: CONTOSO
Logon ID: 0x5f9
Logon Type: 3Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072Process Information:
Caller Process ID: 0x2c0
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exeNetwork Information:
Workstation Name:
Source Network Address: –
Source Port: –Detailed Authentication Information:
Logon Process: Authz
Authentication Package: Kerberos
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
Environment:
- OS is Windows Server 2008 R2
- Exchange Server 2010
- The server is exposed to internet
Solution for Event ID 4625 (An account failed to log on)
Check the IIS logs to determine where the requests are coming from around the time you Event ID 4625 is logged.
In my case, I saw that there was a certain server making these requests. Upon checking the server, we saw that an obsolete third-party service was causing the failed attempts. Disabling this service solved the issue.
If you are seeing 0xc0000005 exception code in regards to your w3wp.exe crash, check this post out: 0xc0000005 exception code causes w3wp.exe crashes
References: