Searching Windows event logs for account lockout and failed password attempts | How to find failed password attempts in Windows events with an event query
Hello,
On the domain controllers we can get to failed password attempts quickly by searching the Security log in Event Viewer with the queries below; it is enough to put the user name in the Data value. You can add the query as a Custom View in Event Viewer on every DC and reuse it.
In both events the account that failed to log on or was locked out is carried in the TargetUserName field; SubjectUserName is the account that requested the logon (for 4740 it is the DC's own computer account), so the filter has to be on TargetUserName or it will not match.
Two caveats on where the events land: 4625 is written on the computer where the logon attempt failed, so on a DC it only covers logons to that DC itself, and a domain user's bad password from a workstation shows up on the DC as 4771 (Kerberos pre-authentication failed, failure code 0x18) or 4776 (NTLM credential validation, error code 0xC000006A). 4740 is written on the DC that locked the account and also on the PDC emulator, so querying the PDC emulator catches every lockout in the domain.
Example 1: account locked out (event ID 4740)
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4740)]] and *[EventData[Data[@Name='TargetUserName']='sinan.arslan']]</Select>
  </Query>
</QueryList>
Example 2: logon failure (event ID 4625)
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625)]] and *[EventData[Data[@Name='TargetUserName']='sinan.arslan']]</Select>
  </Query>
</QueryList>
Event ID 4740 >> A user account was locked out
Event ID 4625 >> An account failed to log on
Status / Sub Status code | Description for 4625 (not checked against the "Failure Reason:" text) |
0xC0000064 | user name does not exist |
0xC000006A | user name is correct but the password is wrong |
0xC0000234 | user is currently locked out |
0xC0000072 | account is currently disabled |
0xC000006F | user tried to log on outside the permitted days of the week or times of day |
0xC0000070 | workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on the domain controller) |
0xC0000193 | account expired |
0xC0000071 | password expired |
0xC0000133 | clocks between the DC and the other computer are too far out of sync |
0xC0000224 | user is required to change the password at next logon |
0xC0000225 | evidently a bug in Windows and not a risk |
0xC000015B | the user has not been granted the requested logon type (logon right) on this machine |
In a 4625 the Status field is usually the generic 0xC000006D (STATUS_LOGON_FAILURE); the specific reason is in the Sub Status field, so that is the value to look up in this table.
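An added PowerShell example (not code from the original post) that runs the same two queries from a prompt with Get-WinEvent -FilterXml, matches the account on TargetUserName, and decodes the 4625 Sub Status with the table above. $Account, $Computer and $Hours are placeholder parameters; run it on a DC (the PDC emulator if you want every lockout) with a user that can read the Security log.

```powershell
# Added example, not code from the original post: pull 4625 and 4740 events for one
# account from a DC with Get-WinEvent -FilterXml and decode the 4625 Sub Status codes.
# Assumptions (placeholders): $Account, $Computer and $Hours; the user running this
# can read the Security log on the target DC.
param(
    [string]$Account  = 'sinan.arslan',        # the TargetUserName to search for
    [string]$Computer = $env:COMPUTERNAME,     # a DC; the PDC emulator sees every 4740
    [int]   $Hours    = 24                     # how far back to look
)

# Sub Status values seen in 4625, same list as the table above (keys in upper-case hex)
$SubStatusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'user name is correct but the password is wrong'
    '0xC0000234' = 'user is currently locked out'
    '0xC0000072' = 'account is currently disabled'
    '0xC000006F' = 'logon outside the permitted days or hours'
    '0xC0000070' = 'workstation restriction or Authentication Policy Silo violation (see 4820 on the DC)'
    '0xC0000193' = 'account expired'
    '0xC0000071' = 'password expired'
    '0xC0000133' = 'clocks between DC and client too far out of sync'
    '0xC0000224' = 'user must change password at next logon'
    '0xC0000225' = 'evidently a bug in Windows and not a risk'
    '0xC000015B' = 'user has not been granted the requested logon type on this machine'
}

# The event XML writes the code as '0xc000006a'; normalise it to the hashtable key form
function ConvertTo-StatusKey([string]$Value) {
    if ($Value -match '^0x[0-9a-fA-F]+$') { '0x' + $Value.Substring(2).ToUpper() } else { $Value }
}

# Read one named EventData field from an event record through its XML representation
function Get-EventDataField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Same XPath as the custom views above, both IDs at once, limited to the last $Hours
# hours with timediff(); the account is matched on TargetUserName, not SubjectUserName.
$windowMs = $Hours * 3600 * 1000
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625 or EventID=4740) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
      and *[EventData[Data[@Name='TargetUserName']='$Account']]
    </Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue swallows the "No events were found" error on an empty result
Get-WinEvent -ComputerName $Computer -FilterXml $filterXml -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Id -eq 4625) {
            $sub    = ConvertTo-StatusKey (Get-EventDataField $_ 'SubStatus')
            $reason = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { 'unknown sub status' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = Get-EventDataField $_ 'TargetUserName'
                Source  = "$(Get-EventDataField $_ 'WorkstationName') / $(Get-EventDataField $_ 'IpAddress')"
                Detail  = "logon type $(Get-EventDataField $_ 'LogonType'); $sub = $reason"
            }
        } else {
            # 4740: the caller computer name is carried in the TargetDomainName field
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = Get-EventDataField $_ 'TargetUserName'
                Source  = Get-EventDataField $_ 'TargetDomainName'
                Detail  = 'account locked out'
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Save it as a .ps1 and call it as `.\Find-FailedLogons.ps1 -Account sinan.arslan -Computer DC01 -Hours 48`. Because the account name is spliced into the XPath string, a name containing an apostrophe would break the query; on a DC you can add `EventID=4771 or EventID=4776` to the same `System[...]` clause to see bad passwords sent from workstations, since both also carry the account in TargetUserName.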