In our environment, I've found a handful of Event ID 4776 ("The computer attempted to validate the credentials for an account") events. Shown below is the output of that event log and it seems the user in question is Guest, which is a disabled account:
I've also found a corresponding Event ID 4625, shown below, from the same time and same Guest user. However, for this event ID, I can see Subject Username for which I'm trying to hunt down the user.
My questions are:
- Can someone provide insight on why a disabled Guest account is trying to sign in?
- For Event ID 4625, what is the difference between Subject User Name and Target User Name? I have an idea but I don't want to assume.
Even though the Guest account is disabled, one can still attempt to log on with it. The attempt will obviously fail (as is the case here), resulting in event 4625.
The difference between Subject and Target is simple. Subject is the account which reports the failure (for example this could be the computer account, or a process like IIS), whereas the target is the account in question that failed to log on.
It looks like your issue is a local process that attempts to log on as the Guest account, with PID 5744 (0x1670). So you should see that process in Task Manager.
You can see a bit more info here: https://system32.eventsentry.com/security/event/4625
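
The following PowerShell is an added example, not part of the original question or answer: it pulls the Subject, Target and caller-process fields out of a 4625 event and converts the hexadecimal caller PID (0x1670) to the decimal value shown in Task Manager (5744). The function name `ConvertFrom-Logon4625` is hypothetical, and the sample event is constructed (the Subject account name, logon type and process path are placeholders).

```powershell
# Added example. Flattens the EventData of a 4625 event into the fields
# discussed above. ConvertFrom-Logon4625 is a hypothetical helper name.
function ConvertFrom-Logon4625 {
    param([Parameter(Mandatory)][string]$EventXml)

    # Each <Data Name="...">value</Data> element becomes one hashtable entry.
    $data = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # ProcessId is logged as hex (e.g. 0x1670); Task Manager shows decimal.
    $callerPid = $null
    if ($data['ProcessId'] -match '^0x[0-9a-fA-F]+$') {
        $callerPid = [Convert]::ToInt32($data['ProcessId'], 16)
    }

    [pscustomobject]@{
        SubjectUserName = $data['SubjectUserName']  # account that reported the failure
        TargetUserName  = $data['TargetUserName']   # account that failed to log on
        LogonType       = $data['LogonType']
        CallerPidHex    = $data['ProcessId']
        CallerPid       = $callerPid
        CallerProcess   = $data['ProcessName']
    }
}

# Constructed sample event (placeholder values except Guest and 0x1670).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">EXAMPLE-HOST$</Data>
    <Data Name="TargetUserName">Guest</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="ProcessId">0x1670</Data>
    <Data Name="ProcessName">C:\Example\placeholder.exe</Data>
  </EventData>
</Event>
'@

ConvertFrom-Logon4625 -EventXml $sample | Format-List

# Against the live Security log (elevated prompt), then check the process:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#   ForEach-Object { ConvertFrom-Logon4625 $_.ToXml() } |
#   Where-Object TargetUserName -eq 'Guest'
# Get-Process -Id 5744
```

If the process has already exited, `Get-Process` will find nothing for that PID; the `CallerProcess` path recorded in the event is then the lead to follow.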