A Handy Reference for Windows Logon Types with Status and Substatus Codes

Published by Ryan Miller on

This list of logon types and status/substatus for Event ID 4625 comes from Microsoft documentation for threat-protection auditing, and is beneficial for analysts and people that are curious about what is going on in their PC.

Logon typeLogon titleDescription
2InteractiveA user logged on to this computer.
3NetworkA user or computer logged on to this computer from the network.
4BatchBatch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5ServiceA service was started by the Service Control Manager.
7UnlockThis workstation was unlocked.
8NetworkCleartextA user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9NewCredentialsA caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10RemoteInteractiveA user logged on to this computer remotely using Terminal Services or Remote Desktop.
11CachedInteractiveA user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Status\Sub-Status CodeDescription
0XC000005EThere are currently no logon servers available to service the logon request.
0xC0000064User logon with misspelled or bad user account
0xC000006AUser logon with misspelled or bad password
0XC000006DThis is either due to a bad username or authentication information
0XC000006EUnknown user name or bad password.
0xC000006FUser logon outside authorized hours
0xC0000070User logon from unauthorized workstation
0xC0000071User logon with expired password
0xC0000072User logon to account disabled by administrator
0XC00000DCIndicates the Sam Server was in the wrong state to perform the desired operation.
0XC0000133Clocks between DC and other computer too far out of sync
0XC000015BThe user has not been granted the requested logon type (aka logon right) at this machine
0XC000018CThe logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0XC0000192An attempt was made to logon, but the Netlogon service was not started.
0xC0000193User logon with expired account
0XC0000224User is required to change password at next logon
0XC0000225Evidently a bug in Windows and not a risk
0xC0000234User logon with account locked
0XC00002EEFailure Reason: An Error occurred during Logon
0XC0000413Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.

Ryan Miller

A husband, a father of 3, my daughter's sounding board, writes on all topics of cybersecurity, an expert at dad humor, a security engineer, an analyst, a network administrator, and Desktop Support Tier I-III.