Track Failed Sign-In Attempts with Audit Policy in Windows 10/11

Track Failed Sign-In Attempts with Audit Policy in Windows 10/11​

Difficulty: Intermediate | Time Required: 15 minutes
Failed sign-in attempts can be an early warning sign of a forgotten password, a misconfigured service, a saved credential problem, Remote Desktop probing, or even an attempted break-in. Windows 10 and Windows 11 can record these attempts in the Security event log, but you may need to enable the correct audit policy first.
This tutorial shows you how to turn on failed logon auditing, test it, and review the results using Event Viewer. It applies to Windows 10 and Windows 11, with notes for Home editions and domain-joined PCs.

Prerequisites​

Before you begin, make sure you have:

1. An administrator account on the PC.
2. Windows 10 or Windows 11.
3. Access to one of the following:
   • Local Security Policy on Pro, Enterprise, and Education editions.
   • Local Group Policy Editor on Pro, Enterprise, and Education editions.
   • Command Prompt or Windows Terminal as administrator, which is useful on Home editions.
4. Permission to view the Security log in Event Viewer.

Note: Windows 10/11 Home editions usually do not include the Local Security Policy or Group Policy Editor consoles. If you are using Home, use the auditpol command method below.

What You Will Enable​

Windows records failed sign-in attempts under the audit category:
Logon/Logoff > Audit Logon
The main event you will look for is:
Event ID 4625 - An account failed to log on
This event can appear for local sign-ins, Remote Desktop attempts, network access attempts, saved credential failures, scheduled tasks, services, mapped drives, or other authentication activity.

Method 1: Enable Failed Logon Auditing with Local Security Policy​

Use this method on Windows 10/11 Pro, Enterprise, or Education.

1. Press Windows + R to open the Run dialog.
2. Type:
   secpol.msc
3. Press Enter.
4. In Local Security Policy, expand:
   Advanced Audit Policy Configuration
5. Expand:
   System Audit Policies - Local Group Policy Object
6. Select:
   Logon/Logoff
7. In the right pane, double-click:
   Audit Logon
8. Check:
   Configure the following audit events
9. Select:
   Failure
10. Optional but recommended: also select Success if you want to compare failed and successful sign-ins.
11. Click Apply, then OK.
12. Close Local Security Policy.

Tip: For most home and small-office users, enabling Failure is enough if your goal is to spot incorrect passwords or suspicious access attempts. Enabling both Success and Failure gives a fuller picture but may create more log entries.

Method 2: Enable Failed Logon Auditing with Group Policy Editor​

This method is very similar, but uses Local Group Policy Editor.

1. Press Windows + R.
2. Type:
   gpedit.msc
3. Press Enter.
4. Browse to:
   

   Computer Configuration
   > Windows Settings
   > Security Settings
   > Advanced Audit Policy Configuration
   > Audit Policies
   > Logon/Logoff

5. Double-click:
   Audit Logon
6. Select:
   Configure the following audit events
7. Check:
   Failure
8. Optionally check Success.
9. Click Apply, then OK.
10. To apply policy immediately, open Command Prompt or Windows Terminal as administrator and run:
    gpupdate /force

Note for domain-joined PCs: If your computer is joined to a workplace or school domain, domain Group Policy may override your local settings. If your changes do not stick, check with your administrator.

Method 3: Enable Failed Logon Auditing from Command Line​

This method works well on Windows 10/11 Home and is also useful for quick setup.

1. Right-click Start.
2. Select Terminal (Admin), Windows PowerShell (Admin), or Command Prompt (Admin).
3. Run this command:
   auditpol /set /subcategory:"Logon" /failure:enable
4. Optional: enable successful logon auditing too:
   auditpol /set /subcategory:"Logon" /success:enable
5. Confirm the current setting:
   auditpol /get /subcategory:"Logon"
6. You should see Failure listed as enabled for the Logon subcategory.

Tip: auditpol is often the fastest way to check what Windows is actually auditing, especially if you suspect a policy setting is not being applied.

Test the Audit Policy​

Now create a safe failed sign-in attempt so you can verify logging.

1. Lock your PC by pressing:
   Windows + L
2. At the sign-in screen, intentionally enter the wrong password or PIN for your account.
3. Do this only once or twice.
4. Sign in normally with the correct password, PIN, Windows Hello method, or other valid credential.

Warning: Do not repeatedly enter the wrong password on a work, school, or domain account. Your organization may have an account lockout policy that temporarily disables the account after too many failed attempts.

View Failed Sign-In Attempts in Event Viewer​

1. Right-click Start.
2. Select Event Viewer.
3. Expand:
   Windows Logs
4. Click:
   Security
5. In the right pane, click:
   Filter Current Log...
6. In the Event IDs box, type:
   4625
7. Click OK.
8. Review the filtered results.
9. Double-click an event to open it.
10. On the General tab, look for key details such as:
    • Account Name
    • Account Domain
    • Failure Reason
    • Logon Type
    • Source Network Address
    • Workstation Name
    • Process Name
    • Status and Sub Status

Understanding Common Logon Types​

The Logon Type field helps explain what kind of sign-in attempt occurred.
Common examples include:

• Type 2 - Interactive: Someone tried to sign in at the keyboard or local console.
• Type 3 - Network: Access attempt over the network, such as a shared folder.
• Type 7 - Unlock: Attempt to unlock an existing session.
• Type 10 - RemoteInteractive: Remote Desktop sign-in attempt.
• Type 11 - CachedInteractive: Sign-in using cached credentials, often seen when a domain controller is unavailable.

If you see repeated Type 10 failures from unfamiliar addresses, check whether Remote Desktop is enabled and exposed. If you see many Type 3 failures, look for mapped drives, file sharing attempts, stored credentials, or devices trying to connect with an old password.

Create a Custom View for Failed Sign-Ins​

To make future checks easier, create a saved view.

1. In Event Viewer, right-click Custom Views.
2. Select:
   Create Custom View...
3. In Logged, choose a time range such as Any time or Last 7 days.
4. Under Event level, leave the default options.
5. From Event logs, select:
   Windows Logs > Security
6. In Event IDs, enter:
   4625
7. Click OK.
8. Name the view:
   Failed Sign-In Attempts
9. Click OK.

Now you can return to this view whenever you want to check failed sign-ins quickly.

Troubleshooting and Helpful Notes​

I do not see any 4625 events​

Try these checks:

1. Confirm auditing is enabled:
   auditpol /get /subcategory:"Logon"
2. Make sure you are looking under:
   Event Viewer > Windows Logs > Security
3. Refresh Event Viewer after testing.
4. Check whether domain policy is overriding local policy.
5. Make sure you generated a real failed sign-in attempt after enabling the policy.

I see many failures from my own computer​

This is common after a password change. Check for:

• Old saved passwords in Credential Manager.
• Mapped network drives.
• Scheduled tasks.
• Services running under an old account password.
• Remote Desktop clients with saved credentials.
• Apps that sync mail, files, or network resources.

The Security log is full or older events are missing​

Windows automatically manages event logs based on maximum log size and retention settings.
To adjust the Security log size:

1. Open Event Viewer.
2. Go to:
   Windows Logs > Security
3. Right-click Security.
4. Select Properties.
5. Increase Maximum log size if needed.
6. Choose whether to overwrite old events as needed.

Warning: The Security log can contain sensitive usernames, computer names, IP addresses, and authentication details. Be careful when posting screenshots or logs on a public forum. Redact personal or organization-specific information first.

Should I enable every audit policy?​

No. More auditing is not always better. Enabling too many categories can create noise and make useful events harder to find. For tracking failed sign-ins, start with Audit Logon: Failure. Add other categories only when you have a specific reason.

Conclusion​

Enabling failed logon auditing is a practical way to improve visibility into your Windows 10 or Windows 11 security. Once configured, Event ID 4625 gives you useful details about failed sign-in attempts, including the account involved, the type of logon, and possible network source information.
This is especially helpful for spotting repeated password failures, Remote Desktop probing, stale saved credentials, and suspicious access attempts. With a custom Event Viewer view, you can quickly check your system whenever something seems off.
Key Takeaways:

• Failed sign-in attempts are recorded as Event ID 4625 in the Security log.
• Enable Audit Logon: Failure using Local Security Policy, Group Policy, or auditpol.
• Windows 10/11 Home users can use the command-line method.
• The Logon Type field helps identify whether the attempt was local, network-based, or Remote Desktop-related.
• Domain or workplace policies may override local audit settings.
• Treat Security log details as sensitive information when sharing online.

---

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.