Event ID 4723 – An attempt was made to change an account’s password. + Event ID 4625

Tags: event-viewer, security, user-accounts, windows, windows 10

I was going through Event Viewer to track down a software issue and came across these security logs:

Event ID 4723
An attempt was made to change an account's password.

Subject:
  Security ID:   SYSTEM
  Account Name:   DESKTOP-AAAAAAA$
  Account Domain:   WWWWWW
  Logon ID:   0x3E7

Target Account:
  Security ID:   DESKTOP-AAAAAAA\Administrator
  Account Name:   Administrator
  Account Domain:   DESKTOP-AAAAAAA

Additional Information:
  Privileges   -

XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{000000-000-00000-00000-000000000}" /> 
  <EventID>4723</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>13824</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2021-08-26T17:06:55.7385645Z" /> 
  <EventRecordID>21161</EventRecordID> 
  <Correlation ActivityID="{******-****-*****-****-******701}" /> 
  <Execution ProcessID="1124" ThreadID="1172" /> 
  <Channel>Security</Channel> 
  <Computer>DESKTOP-AAAAAAA</Computer> 
  <Security /> 
  </System>
<EventData>
  <Data Name="TargetUserName">DefaultAccount</Data> 
  <Data Name="TargetDomainName">DESKTOP-AAAAAA</Data> 
  <Data Name="TargetSid">S-1-5-21-00000000-00000000-0000000-503</Data> 
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">DESKTOP-AAAAAAA$</Data> 
  <Data Name="SubjectDomainName">WWWWWW</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="PrivilegeList">-</Data> 
 </EventData>
 </Event>

Followed by
Event ID 4625
An account failed to log on.

Subject:
  Security ID:   SYSTEM
  Account Name:   DESKTOP-AAAAAAA$
  Account Domain:   WWWWWW
  Logon ID:   0x3E7

Logon Type:     2

Account For Which Logon Failed:
  Security ID:   NULL SID
  Account Name:   Administrator
  Account Domain:   DESKTOP-AAAAAAA

Failure Information:
  Failure Reason:   Account currently disabled.
  Status:     0xC000006E
  Sub Status:   0xC0000072

Process Information:
  Caller Process ID: 0x464
  Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
  Workstation Name: DESKTOP-AAAAAAA
  Source Network Address: -
  Source Port:   -

Detailed Authentication Information:
  Logon Process:   Advapi
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length:   0

XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{000000-000-00000-00000-000000000}" /> 
  <EventID>4625</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>12544</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8010000000000000</Keywords> 
  <TimeCreated SystemTime="2021-08-26T17:06:55.7411056Z" /> 
  <EventRecordID>21162</EventRecordID> 
  <Correlation ActivityID="{******-****-*****-****-******701}" /> 
  <Execution ProcessID="1124" ThreadID="1212" /> 
  <Channel>Security</Channel> 
  <Computer>DESKTOP-AAAAAAA</Computer> 
  <Security /> 
  </System>

 <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">DESKTOP-AAAAAAA$</Data> 
  <Data Name="SubjectDomainName">WWWWWW</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="TargetUserSid">S-1-0-0</Data> 
  <Data Name="TargetUserName">DefaultAccount</Data> 
  <Data Name="TargetDomainName">DESKTOP-AAAAAAA</Data> 
  <Data Name="Status">0xc000006e</Data> 
  <Data Name="FailureReason">%%2310</Data> 
  <Data Name="SubStatus">0xc0000072</Data> 
  <Data Name="LogonType">2</Data> 
  <Data Name="LogonProcessName">Advapi</Data> 
  <Data Name="AuthenticationPackageName">Negotiate</Data> 
  <Data Name="WorkstationName">DESKTOP-AAAAAAA</Data> 
  <Data Name="TransmittedServices">-</Data> 
  <Data Name="LmPackageName">-</Data> 
  <Data Name="KeyLength">0</Data> 
  <Data Name="ProcessId">0x464</Data> 
  <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data> 
  <Data Name="IpAddress">-</Data> 
  <Data Name="IpPort">-</Data> 
  </EventData>
  </Event>

There are some for the Administrator account and some for the DefaultAccount: a couple today, more from a week ago. Some are on consecutive days.
Is this something I should be worried about?
Is someone trying to access my PC/hack into an administrator account?
What triggers these logs?
I have not been trying to change any password.
I'm on a local account (disabled all Microsoft account settings after activation).
Antivirus has always been enabled (Bitdefender).
Scanned with Windows Security, Bitdefender, Malwarebytes – all clean.
Windows 10 Pro/Home (latest updates, Bitdefender Internet Security, local account) - it seems to be happening on both my computers.
Thanks

Best Answer

From the System IDs (SID) that are used in the XML, these events are initiated from your computer by installed software or system service.

It's possible that these were issued by your antivirus checking out your security settings, but more digging could be useful.

It could also come from some process trying to impersonate the Administrator account and gain super-privileges. This possibility is worrisome.

Event 4625 comes from C:\Windows\System32\lsass.exe, which is a legitimate and essential Windows component dealing with security and authentication.

The "Logon Type" is 2, which means interactive logon. It's extremely puzzling why anyone would try to log in to your computer as the built-in Administrator account (which is disabled). I hope that your computer is not open to the internet. However, this is less worrying, since lsass.exe is heavily protected.

Event 4723 is more worrisome, and the information about its originator only specifies the process number, but it's now too late to find more info:

<Execution ProcessID="1124" ThreadID="1172" />

Suggestion

I would suggest trying to trap at least event 4723 while it's happening.

In the Event Viewer, you may right-click the event and select "Attach Task To This Event", with the action of "Display a message (deprecated)".

Once the message is displayed, you could find the Process ID in Event Viewer, then find in Task Manager the process that caused the event. If Task Manager does not give enough info, use the better Process Explorer.

Conclusion/Opinion

Both these events are generated by lsass.exe, about which I'm not that worried.

I believe that this is Bitdefender doing an audit of the computer, and you could verify it by disabling it temporarily. Windows Defender is now just about as good as any other antivirus, and is certainly better integrated into Windows.

If you would like more peace of mind, you could deep scan with more well-known antivirus products, such as Kaspersky.

I would say that your computer is not infected.
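The trapping step from the answer, scripted as an added example that is not part of the original question or answer: it pulls recent 4723 and 4625 records from the Security log, decodes the fields discussed above (the Execution ProcessID, the 4625 caller PID, SubStatus), resolves the reporting PID against running processes only while it is still fresh, and pairs each 4723 with a 4625 that follows within a second for the same account, which is the sequence in the question. The 14-day window and 5-minute freshness limit are arbitrary choices.

```powershell
# Run from an elevated PowerShell; reading the Security log needs administrator rights.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4723, 4625; StartTime = (Get-Date).AddDays(-14) }

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # <Execution ProcessID> is the process that wrote the audit record (lsass.exe for
    # Security Auditing), not the program that asked for the change. PIDs are reused,
    # so it is only resolved live for events a few minutes old.
    $reporterPid = [int]$xml.Event.System.Execution.ProcessID
    $reporter = if (((Get-Date) - $e.TimeCreated).TotalMinutes -lt 5) {
        (Get-Process -Id $reporterPid -ErrorAction SilentlyContinue).ProcessName
    } else { '(stale pid)' }

    # 4723 names the target SID "TargetSid", 4625 names it "TargetUserSid".
    $targetSid = if ($e.Id -eq 4723) { $data['TargetSid'] } else { $data['TargetUserSid'] }
    # 4625 only: caller PID as hex; 0x464 in the question is 1124, the reporter PID above.
    $callerPid = if ($data['ProcessId']) { [Convert]::ToInt32($data['ProcessId'], 16) } else { $null }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Target     = $data['TargetUserName']
        TargetSid  = $targetSid
        SubjectSid = $data['SubjectUserSid']    # S-1-5-18 is LocalSystem
        LogonType  = $data['LogonType']
        SubStatus  = $data['SubStatus']         # 0xC0000072: account disabled
        Reporter   = "$reporterPid/$reporter"
        CallerPid  = $callerPid
        CallerName = $data['ProcessName']
    }
}

$rows | Sort-Object Time |
    Format-Table Time, Id, Target, SubjectSid, LogonType, SubStatus, Reporter, CallerPid, CallerName -AutoSize

# Pair each 4723 with a 4625 for the same account within one second: the sequence in
# the question (change attempt on a disabled account, then a failed interactive logon).
foreach ($g in ($rows | Group-Object Target)) {
    $seq = @($g.Group | Sort-Object Time)
    for ($i = 0; $i -lt $seq.Count - 1; $i++) {
        if ($seq[$i].Id -eq 4723 -and $seq[$i + 1].Id -eq 4625 -and
            ($seq[$i + 1].Time - $seq[$i].Time).TotalSeconds -le 1) {
            '{0:u}  4723 -> 4625 for {1} (SubStatus {2})' -f $seq[$i].Time, $g.Name, $seq[$i + 1].SubStatus
        }
    }
}
```

A Reporter column that always reads lsass.exe for fresh events confirms what the answer says about the originator; the calling program has to be caught at the moment the event fires, as the "Attach Task To This Event" step does.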
