I was going through Event Viewer to track down a software issue and came across these security logs:
Event ID 4723
An attempt was made to change an account's password.
Subject:
Security ID: SYSTEM
Account Name: DESKTOP-AAAAAAA$
Account Domain: WWWWWW
Logon ID: 0x3E7
Target Account:
Security ID: DESKTOP-AAAAAAA\Administrator
Account Name: Administrator
Account Domain: DESKTOP-AAAAAAA
Additional Information:
Privileges -
XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{000000-000-00000-00000-000000000}" />
    <EventID>4723</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2021-08-26T17:06:55.7385645Z" />
    <EventRecordID>21161</EventRecordID>
    <Correlation ActivityID="{******-****-*****-****-******701}" />
    <Execution ProcessID="1124" ThreadID="1172" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-AAAAAAA</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">DefaultAccount</Data>
    <Data Name="TargetDomainName">DESKTOP-AAAAAA</Data>
    <Data Name="TargetSid">S-1-5-21-00000000-00000000-0000000-503</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-AAAAAAA$</Data>
    <Data Name="SubjectDomainName">WWWWWW</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Followed by
Event ID 4625
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: DESKTOP-AAAAAAA$
Account Domain: WWWWWW
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: DESKTOP-AAAAAAA
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072
Process Information:
Caller Process ID: 0x464
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: DESKTOP-AAAAAAA
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{000000-000-00000-00000-000000000}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2021-08-26T17:06:55.7411056Z" />
    <EventRecordID>21162</EventRecordID>
    <Correlation ActivityID="{******-****-*****-****-******701}" />
    <Execution ProcessID="1124" ThreadID="1212" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-AAAAAAA</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-AAAAAAA$</Data>
    <Data Name="SubjectDomainName">WWWWWW</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">DefaultAccount</Data>
    <Data Name="TargetDomainName">DESKTOP-AAAAAAA</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="FailureReason">%%2310</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">DESKTOP-AAAAAAA</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x464</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
There are some for the Administrator account and some for the DefaultAccount: a couple today, more from a week ago. Some are on consecutive days.
Is this something I should be worried about?
Is someone trying to access my PC/hack into an administrator account?
What triggers these logs?
I have not been trying to change any password.
I'm on a local account (disabled all Microsoft account settings after activation).
Antivirus has always been enabled (Bitdefender).
Scanned with Windows Security, Bitdefender, Malwarebytes – all clean.
Windows 10 Pro/Home (latest updates, Bitdefender Internet Security, local account) - it seems to be happening on both my computers.
Thanks
Best Answer
From the System IDs (SID) that are used in the XML, these events are initiated from your computer by installed software or a system service.
It's possible that these were issued by your antivirus checking out your security settings, but more digging could be useful.
It could also come from some process trying to impersonate the Administrator account and gain super-privileges. This possibility is worrisome.
Event 4625 comes from C:\Windows\System32\lsass.exe, which is a legitimate and essential Windows component dealing with security and authentication.
The "Logon Type" is 2, which means interactive logon. It's extremely puzzling why anyone would try to log in to your computer as the built-in Administrator account (which is disabled). I hope that your computer is not open to the internet. However, this is less worrying, since lsass.exe is heavily protected.
Event 4723 is more worrisome, and the information about its originator only specifies the process number, but too late to find more info.
Suggestion
I would suggest trying to trap at least event 4723 while it's happening.
In the Event Viewer, you may right-click the event and select "Attach Task To This Event", with the action of "Display a message (deprecated)".
Once the message is displayed, you could find the Process ID in Event Viewer, then find the process that caused the event in Task Manager. If Task Manager does not give enough info, use the better Process Explorer.
Conclusion/Opinion
Both these events are generated by lsass.exe, about which I'm not that worried. I believe that this is Bitdefender doing an audit of the computer, and you could verify it by disabling it temporarily. Windows Defender is now just about as good as any other antivirus, and is certainly better integrated into Windows.
If you would like more peace of mind, you could deep scan with more well-known antivirus products, such as Kaspersky.
I would say that your computer is not infected.
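As an added example that is not part of the question or the answer above: a Python script that reads Security events in the XML form the question pasted, pairs each 4723 with the 4625 logged by the same logon session right after it, and decodes the fields the answer reasons about (the LocalSystem subject SID, the empty source address, the NTSTATUS status and sub-status codes, and whether the caller PID is just lsass.exe itself). The two records are constructed from the redacted events in the question, with the field names kept and the values treated as placeholders; the wevtutil command named in the docstring is the standard way to export real records.

```python
"""Correlate Security events 4723 (password change attempt) and 4625 (failed
logon) from their XML view, offline.

Added example, not from the original post. The sample records are constructed
from the redacted events in the question. Real records can be exported with
  wevtutil qe Security "/q:*[System[(EventID=4723 or EventID=4625)]]" /f:xml
and wrapped in one <Events> root so they parse as a single document.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known SIDs and NTSTATUS codes, from the public Windows documentation.
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem", "S-1-0-0": "NULL SID"}
NTSTATUS = {0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
            0xC0000072: "STATUS_ACCOUNT_DISABLED"}

# Constructed sample modelled on the question's two records, 2.5 ms apart.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4723</EventID>
    <TimeCreated SystemTime="2021-08-26T17:06:55.7385645Z" />
    <Execution ProcessID="1124" ThreadID="1172" />
    <Computer>DESKTOP-AAAAAAA</Computer></System>
  <EventData>
    <Data Name="TargetUserName">DefaultAccount</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID>
    <TimeCreated SystemTime="2021-08-26T17:06:55.7411056Z" />
    <Execution ProcessID="1124" ThreadID="1212" />
    <Computer>DESKTOP-AAAAAAA</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserName">DefaultAccount</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="ProcessId">0x464</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
</Events>"""


def parse_time(system_time):
    """SystemTime has 100 ns ticks; datetime stops at microseconds, so trim."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)


def parse_events(xml_text):
    """Flatten each <Event> into the handful of fields the analysis needs."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysel = ev.find("e:System", NS)
        events.append({
            "id": int(sysel.findtext("e:EventID", namespaces=NS)),
            "time": parse_time(sysel.find("e:TimeCreated", NS).get("SystemTime")),
            "log_pid": int(sysel.find("e:Execution", NS).get("ProcessID")),
            "computer": sysel.findtext("e:Computer", namespaces=NS),
            "data": {d.get("Name"): (d.text or "").strip()
                     for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return events


def describe_pair(change, failure):
    """Decode one 4723 -> 4625 pair into the facts an analyst looks at."""
    d = failure["data"]
    subject_sid = change["data"].get("SubjectUserSid", "")
    caller_pid = int(d.get("ProcessId", "0x0"), 16)
    return {
        "computer": change["computer"],
        "target": d.get("TargetUserName"),
        "subject": WELL_KNOWN_SIDS.get(subject_sid, subject_sid),
        # LocalSystem subject plus no source address: activity began on this
        # machine, not over the network.
        "local_origin": subject_sid == "S-1-5-18" and d.get("IpAddress", "-") == "-",
        "logon_type": int(d.get("LogonType", "0")),
        "status": NTSTATUS.get(int(d["Status"], 16), d["Status"]),
        "substatus": NTSTATUS.get(int(d["SubStatus"], 16), d["SubStatus"]),
        "caller_pid": caller_pid,
        "caller_process": d.get("ProcessName"),
        # Caller PID equal to the logging process means lsass reported itself,
        # so the PID alone does not identify the software that asked.
        "caller_is_logging_process": caller_pid == failure["log_pid"],
        "gap_us": (failure["time"] - change["time"]) // timedelta(microseconds=1),
    }


def correlate(events, window=timedelta(seconds=5)):
    """Pair each 4723 with 4625s from the same logon session shortly after it."""
    failures = [e for e in events if e["id"] == 4625]
    findings = []
    for change in (e for e in events if e["id"] == 4723):
        for failure in failures:
            same_session = (failure["computer"] == change["computer"] and
                            failure["data"].get("SubjectLogonId", "").lower()
                            == change["data"].get("SubjectLogonId", "").lower())
            gap = failure["time"] - change["time"]
            if same_session and timedelta(0) <= gap <= window:
                findings.append(describe_pair(change, failure))
    return findings


def analyze(xml_text):
    return correlate(parse_events(xml_text))
```

Run against the sample, `analyze` returns one finding: subject LocalSystem, `local_origin` true, `status` STATUS_ACCOUNT_RESTRICTION with `substatus` STATUS_ACCOUNT_DISABLED, caller PID 0x464 (1124) equal to the logging process, and a 2541 µs gap between the two records. That is the pattern the answer reads as a local process checking a disabled built-in account; a finding with a real `IpAddress`, a subject SID that is not LocalSystem, or a caller other than lsass.exe is what would warrant escalation instead.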