Windows Event Viewer: Strange Audit Failure 4625
Having installed Bitdefender Total Security on Windows 11 recently, I am noticing strange Event Viewer entries. Every few minutes, I am getting an Audit Failure 4625 event, "An account failed to log on."
It is always preceded by an also worrying 4723 Audit Success event "An attempt was made to change an account's password." I've had 24 of these event pairs in the last hour.
Doing some googling, there has been talk of Bitdefender being responsible for these. Please can anyone confirm this? It is superficially worrying and would be good to know if BD is behind it so I can relax!
<EventID>4625</EventID>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">REDACTED$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">REDACTED</Data>
<Data Name="Status">0xc000006e</Data>
<Data Name="FailureReason">%%2310</Data>
<Data Name="SubStatus">0xc0000072</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">Advapi</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">REDACTED</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x7a0</Data>
<Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
Answers
-
Hello @RonWeasley and welcome to the Community!
I think these are related to the bdagent.exe, but I'm not 100% sure. I would recommend that you raise a ticket for the Technical Support Teams to provide an accurate response.
You can get in touch with our engineers by choosing one of the contact methods available here:
https://www.bitdefender.com/consumer/support/
Stay safe.
Premium Security & Bitdefender Endpoint Security Tools user
0 -
Just for the record, folks, Bitdefender support have confirmed that this behaviour is normal and is simply caused by Bitdefender Agent checking to see if a password is set.
2 -
Hi @RonWeasley,
Thank you for sharing the conclusion with us. Just as I suspected, the agent was the culprit 🙂
Premium Security & Bitdefender Endpoint Security Tools user
0
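Added example (not part of the original thread, and not Bitdefender's code): a small Python triage helper that decodes the fields of the 4625 event posted in the question. The status names are the standard NTSTATUS meanings; the `SAMPLE` text is a constructed subset of the posted fields, and the verdict labels and heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the triage-relevant fields from the event in the question.
SAMPLE = """
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="Status">0xc000006e</Data>
<Data Name="SubStatus">0xc0000072</Data>
<Data Name="LogonType">2</Data>
<Data Name="IpAddress">-</Data>
"""

NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}
# Sub-statuses that mean credentials were actually being tried (assumed heuristic).
GUESSING = {0xC0000064, 0xC000006A, 0xC0000234}
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}

def parse_event_data(xml_text):
    """Collect <Data Name="..."> pairs; a regex tolerates partial, rootless pastes."""
    return dict(re.findall(r'<Data Name="([^"]+)">([^<]*)</Data>', xml_text))

def triage_4625(xml_text):
    f = parse_event_data(xml_text)
    status = int(f.get("Status", "0"), 16)
    sub = int(f.get("SubStatus", "0"), 16)
    local = f.get("IpAddress", "-") in LOCAL_SOURCES
    by_system = f.get("SubjectUserSid") == "S-1-5-18"  # LocalSystem
    if sub in GUESSING or not local:
        verdict = "investigate"            # remote source or real credential attempts
    elif sub == 0xC0000072 and by_system:
        verdict = "local-probe-of-disabled-account"  # matches the pattern in the thread
    else:
        verdict = "review"
    return {
        "target": f.get("TargetUserName"),
        "status": NTSTATUS.get(status, hex(status)),
        "substatus": NTSTATUS.get(sub, hex(sub)),
        "logon_type": LOGON_TYPES.get(int(f.get("LogonType", "0")), "Other"),
        "verdict": verdict,
    }
```

For the posted event this reports a local, SYSTEM-initiated interactive logon attempt against the disabled Administrator account, rather than a remote password-guessing attempt.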