What is error code 0xC0000224?

One of the first security best practices Windows administrators learn is to audit failed login attempts. An excessive number of failed login attempts may signal a cyber attack, but simply knowing that an attacker is trying to gain access to user accounts isn’t enough to put a stop to the attack. You also need to know how the attacker is trying to get in. Windows provides this information, and this article offers guidelines for interpreting that info.

Event Log Entry for a Failed Login Attempt

You can access the Event Viewer by entering the Eventvwr command at the Windows Run prompt. When the Event Viewer opens, navigate through the console tree to Windows Logs | Security.

The Windows event logs assign an Event ID to each event. Event ID 4624 corresponds to a successful logon, whereas Event ID 4625 corresponds to a failed login. You can see what Event ID 4625 looks like in Figure 1.

Figure 1

Event ID 4625 is logged in response to a failed login.

As you look at the figure above, you can clearly see that an audit failure has occurred in response to an failed login. You can also see the date and time at which the event was logged, and that the user who attempted to login was using a workgroup account. This information alone is useful, but it is often possible to dig a little bit deeper and gain some additional insight.

One of the things that you might have noticed in the previous figure was that the area of the screen detailing the selected event contains two tabs: General and Details. If you select the Details tab, you can see additional information about the event, although much of this information can also be accessed through the General tab. You can see a lot of the event details in Figure 2.

Figure 2

These are some of the details that are logged in response to a failed login.

The Details tab includes information such as the name of the user account for which the login was attempted and the user’s SID. You can also see the domain name for which the login was attempted. In this case, the computer was not domain-joined, so the computer name is listed in place of the domain name.

Another thing that you might notice about the Details tab is that it provides a status and a sub status for the failed login. Unfortunately, both the Status and the Substatus fields are populated with hexadecimal data rather than a text-based description of the event. Even so, it is relatively easy to use these codes to figure out what is going on.

Failed Login Error Codes

Here are some of the codes that Microsoft uses:

• 0xC000006A - this code indicates that the username is valid, but that the user has entered an incorrect password.
• 0xC000006D – Either the username or password is incorrect.
• 0xC000006F - When this code is displayed it means that the organization has put into place time-based restrictions for logins, and the user has attempted to login outside of their allotted time. Some organizations, for example, will allow users to login only during business hours.
• 0xC000015B - This is an error indicating that the user does not have permission to login. Such an error might occur, for example, if a user lacks permissions to login locally.
• 0xC0000064 - Someone attempted to login using a username that does not exist. This can happen because an attacker does not have a list of valid usernames and is simply trying to login using common
• 0xC0000070 - This code often indicates that a user has attempted to login from an unauthorized device.
• 0xC0000071 - This error code means that the user’s password has expired.
• 0xC0000072 - This code indicates that the account the user tried to login to has been disabled by an administrator.
• 0xC0000133 - The Windows authentication process is based on Kerberos, which is a time-sensitive protocol. Kerberos authentication will fail and this code will be produced if the workstation’s clock is too far out of sync with the clock on the domain controller.
• 0xC0000193 - This error occurs when someone attempts to login using an expired account.
• 0xC0000224 - This code indicates that the login is allowed, but that the user is going to be required to change his/her password.
• 0xC0000234 - When this code is displayed it means that the user has tried to login to an account that is currently locked out.

In Figure 2, the event status is listed as 0xC00006D, which is a generic indication of a bad username or password. The sub status is 0xc00006A, which means that the password is incorrect. When you put all of this information together, it shows that someone has tried to log into this machine’s local administrator account, but used an incorrect password. If such an error is occurring consistently, it could be an indication that someone is trying to exploit the machine. It, therefore, might be wise to disable the local administrator account or assign it a more secure password.

• The column header text correspond to these Error Codes in the Event Log entry..

  ERROR_CODE ERROR_TEXT
  0xc0000064 Given user name not exist. 0xc000006a User name is correct but the password is wrong.

  0xc000006d The logon attempt failed for other reasons.

  0xc000006f User tried to logon outside his day of week or time of day restrictions. 0xc0000070 Workstation restriction 0xc0000071 Password expired 0xc0000072 Account is currently disabled. 0xc0000133 clocks between DC and other computer too far out of sync 0xc000015b The user has not been granted the requested logon type at this machine 0xc0000193 Account expired 0xc0000224 User is required to change password at next logon

  0xc0000234 User is currently locked out.

  
  

• Any ideas?  Posting this stuff on late Friday night probably isn't a good idea.
  

  
  Spice (1) flagReport
  Was this post helpful? thumb_up thumb_down

• What are you using for the user name? I know that I have had to include the server name in front of the user name to be able to log in to my FTP sites.
  

• For user name the users are just using  user name with no prefixes or suffixes.. as an example if I was one of these users my user name would be "jpacella"  not "domain\jpacella" or "" or any variation with host or server name. 

  Spice (1) flagReport

  Was this post helpful? thumb_up thumb_down

• Jpacella, can you give more feedback from users? What error they get? What FTP clients they use to access your server? Because this really looks like an FTP client problem. Did you try to connect to your FTP server from home using different credentials?

• Unless an error number appeared in the two right columns, the error number in the first column did not result in an error.. the user was able to log on.  In most cases the first number matches the 2nd column (the 2nd column is Audit Success).

  So all but one user (and that user was using the wrong password) had no problem logging onto FTP, and yet every log on generated a Audit Failure.
  

  Spice (1) flagReport

  Was this post helpful? thumb_up thumb_down

• According to what i could find out and actually according to this post - I can suggest that this is the client's software for FTP access causing this errors, like FileZilla or similar, it also can be mapped FTP drive.

  So I can advice you to get feedback from the users: what FTP software they are using. 

  And also you can create 1 temp account  with "domain\jpacella" username and test from outside if the error persists using such type of credentials. 

• When I log in FTP with user name

  FtpUser

  I get

  Audit Failure Event ID 4776 Credential Validation

  Audit Success Event ID 4648 Logon

  Audit Success Event ID 4624 Logon

  When I log in FTP with user name

  domain\FtpUser

  I get

  NOTHING.

  Spice (1) flagReport

  Was this post helpful? thumb_up thumb_down

• It is very strange that you get nothing in security log... but anyway now you know what causes these audit failures.

• Well I know as much now as I did when I asked... I know that each successful log in is generating a failure as well. I still don't know why.