Management Security

Audit 4625

Individual machines world-wide are being hacked away at everday; we are generally only aware of those attempts that are successful. However, monitoring the failed attempts will help identify potential vulnerabilities.

In order to monitor Failed Login attempts, we can take advantage of the Windows Event 4625, which signifies that a login has failed to gain access to the pc. In combination with Event Scheduler, we can automate this process into a recurring alert that emails us as soon as a failed login is detected.

See the code and procedure below:

$EventId = 4625

$A = Get-WinEvent -MaxEvent 1 -FilterHashTable @{Logname = "Security" ; ID = $EventId}
$Message = $A.Message
$EventID = $A.Id
$MachineName = $A.MachineName
$Source = $A.ProviderName

Get-WinEvent -MaxEvents 1 | foreach {
    		$sid = $_.userid;
    		if($sid -eq $null) { return; }
    		$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
    		$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
    		Write-Host $objUser.Value;

$EmailFrom = ""
$EmailTo = ""
$Subject ="Alert From $MachineName"
$Body = "EventID: $EventID`nSource: $Source`nMachineName: $MachineName `nMessage: $Message"
$SMTPServer = ""
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, PORT_NUM)
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("username", "password");
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

How to configure and run Audit_2025 Script (Automatic Alerts for Failed Login):

  1. Log onto target machine, user privileges (admin/regular) doesn’t matter

Setup Script:

  1. Navigate to the local C: drive on the computer
  2. Create a .ps1 file named “Audit_4625”
  3. Open this file in the text editor of your choice
  4. Copy and paste the “Audit_4625” script from above
  5. Confirm to: email is YOUR_EMAIL
  6. Save the file

Setup PowerShell:

  1. In the start search field, search for either PowerShell or PowerShell ISE, right-click run as administrator
  2. In the PowerShell window, run the command Get-ExecutionPolicy, if output is Restricted move to sub-step
    1. If Execution Policy is restricted, run the following command:

Set-ExecutionPolicy RemoteSigned

  1. Run the Get command again to check status update

Setup Task:

  1. Navigate to Event Viewer
  2. In Event Viewer Left-Hand Pane, select Windows Logs > Security
  3. Filter events by ID: 4625 (id for failed login)
    1. If no events are logged, filter for ID: 4624 instead (id for successful login)
  4. Right-click any event with this ID, select Attach a task to this event, a Create Basic Task Wizard will popup
  5. Rename task Security_Microsoft-Windows-Security-Auditing_4625
    1. Optional add a description of the task “Automatic email alert when failed login attempt on some user”
  6. Click next, leave default event trigger settings
    1. If Event ID is 4624, that is ok for setup, we will change later in Task Scheduler
  7. Click next, select action as Start a Program
  8. Click next, on the Action sub-menu Start a Program, enter the file path for Windows Powershell in the Program/Script field


*easiest to search/browse for file*

  1. In the Add Arguments (optional) field, type the path to script Audit_4625 in the C: Drive – C:\Audit_4625.ps1
  2. Click next, verify information, select Finish

Setup Task Scheuler:

  1. Navigate to Task Scheduler
  2. In either Active Tasks or Event Viewer Tasks, locate the new Security_Microsoft-Windows-Security-Auditing_4625 task
  3. Double-click task and task properties window will popup
  4. In general tab, select radio button Run whether user is logged on or not, select check box Run with highest privileges
  5. Confirm configuration is correct for what your machine runs with
  6. On trigger tab, double-click trigger, change Event ID to 4625, click OK
  7. On conditions tab, uncheck boxes Start the task only if the computer is on AC power and Stop if the computer switches to battery power, click OK
  8. Confirm changes and select OK, type user password if prompted to confirm changes

Test Script:

  1. Log off of user, wait for login screen to appear
  2. Type in wrong password
  3. If configured correctly, YOUR_EMAIL will receive an email alert with details of the triggered event

Known Bugs:

  1. Due to Microsoft security, if failed login attempt of user with Microsoft account, alert will fire but will not resolved SID due to it being set to NULL
  2. Event may not trigger/script will throw error if no logs associated with the id are found