What is the event ID for account lockout?
Michael Henderson
Published Mar 18, 2026
What is the event ID for account lockout?
Event ID 4740
Windows generates two types of events related to account lockouts. Event ID 4740 is generated on domain controllers, Windows servers, and workstations every time an account gets locked out. Event ID 4767 is generated every time an account is unlocked.
What event ID would you look for to identify an audit log being cleared?
Event 1102 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy. The Account Name and Domain Name fields identify the user who cleared the log.
What is Substatus code 0xC0000064?
Failure Information\Sub Status 0xC0000064 – “User logon with misspelled or bad user account”.
Why is %% 2313 failure?
The Failure reason mentioned in the FailureReason %#13 means – Unknown user name or bad password (529). Could you please makesure your domain name or domain controller are correct.
What is event ID in Event Viewer?
The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user’s authentication fails, the system may generate Event ID 672.
How do I check event locker for account lockout?
Select “Filter Current Log…” on the right pane. Replace the field that says “” with “4740“, then select “OK“. Select “Find” on the right pane, type the username of the locked account, then select “OK“. The Event Viewer should now only display events where the user failed to login and locked the account.
How do I recover deleted event viewer logs?
Reviewing events
- Open the Event Viewer and search the security log for event ID 4656 with a task category of “File System” or “Removable Storage” and the string “Accesses: DELETE”.
- Review the report. The “Subject: Security ID” field will show who deleted each file.
What is Event Record ID?
EventRecordID is the index number of the event in that particular Event log. EventID is used to identify different type of events.
What is security ID null SID?
This blank or NULL SID if a valid account was not identified – such as where the username specified does not correspond to a valid account logon name. Account Name: The account logon name specified in the logon attempt.
What is the event ID for bad password?
Event ID 529 – Logon Failure: Unknown User Name or Bad Password
| Event ID | 529 |
|---|---|
| Category | Logon/Logoff |
| Type | Failure Audit |
| Description | Logon failure – Unknown username or bad password |
What does Ntlm mean?
LAN Manager
Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users’ identity and protect the integrity and confidentiality of their activity.
What is an event ID?
Event identifiers uniquely identify a particular event. Each event source can define its own numbered events and the description strings to which they are mapped in its message file. Event viewers can present these strings to the user.
