Audit failure (event 4625) after installing GlassWire

Hi,

Sorry in advance for any mistakes, I’m not very tech-savvy and I’m mostly just trying to understand if this is something I should worry about. I noticed a few Event 4625 logs (Audit failure) on my Event Viewer (this is a personal computer and it’s not connected to a domain). They look like this:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/25/2019 1:31:23 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SKELETOR
Description:
An account failed to log on.

Subject:
Security ID: SKELETOR\Pichau
Account Name: Pichau
Account Domain: SKELETOR
Logon ID: 0xAC4535

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: SKELETOR

Failure Information:
Failure Reason: Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072

Process Information:
Caller Process ID: 0x1790
Caller Process Name: C:\Windows\explorer.exe

Network Information:
Workstation Name: SKELETOR
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

I’ve never seen these events before and they didn’t happen before installing GlassWire. I’ve uninstalled it and they were still happening, once or twice per day. Reinstalling also didn’t fix it. I don’t think this is caused by a virus - I ran several malware/trojan scans (including a boot scan) and they all came back clean. My system also doesn’t show any signs of infection. I was able to “fix” this somehow a while back after uninstalling GlassWire (but I can’t quite remember what I did since it was a while ago) and decided to reinstall it yesterday since I thought it was probably a coincidence and had nothing to do with GlassWire, but only a few hours after installing it, the event started to pop back up on the Event Viewer. I’ve done a fair bit of research about this Event and, in my case, it doesn’t seem to be anything malicious/dangerous, but I’d still like to know if this can be somehow related to GlassWire since it only seems to happen after I install it. I read somewhere that this Event might be related to shared folders permissions - does GlassWire affect that in any way? Also, is it safe to delete GlassWire’s registry keys, or should I leave it alone? I’ve managed to delete all the regular files, but I didn’t touch the registry since I don’t want to risk damaging anything, but I’m wondering if anything in these registry keys could be causing this. Again, sorry for the potentially confusing questions, I’m mostly trying to understand what can be causing this Event.

I have never seen this issue before. It appears to have something to do with logging on as you probably guessed and I don’t think GlassWire can interfere with that.

If you don’t want GlassWire just remove it in add/remove programs. I would not recommend deleting our registry keys if you plan to use the software.

From what I learned, some applications can use explorer.exe to access other accounts on the computer (in this case, the deactivated Guest account), and this can also happen due to incorrect permissions set to shared folders (I don’t have any, as far as I know). I’m not positive GlassWire is causing this, it just seems somewhat related since it only seems to happen after I install it.

Would it be safe to delete the registry keys if I don’t plan on using this software again? I really like it and it was very helpful to me, but this Event Log thing is starting to stress me out a bit.

I’m a GlassWire user who wouldn’t remove GlassWire just because of an “information” audit event that shows a failed logon attempt by Windows Explorer. You wouldn’t know it happened unless you checked the event logs.

Also, the logon failed due to guest access being disabled so there is no security breach.

But had you (or another user) enabled guest access at some point before GlassWire was first installed? This could be to allow someone else to fix a problem without being physically present at the computer.

I agree it seems a bit too much to remove GlassWire because of this, I think I’m being a little paranoid due to reading so many tales of hacking attempts at server accounts resulting in a very similar log (but I suppose that’s unlikely to happen to me since I’m not part of a domain and my computer is behaving normally).

I never enabled the default guest account on this computer (I think it was always deactivated, or I might have deactivated it a long time ago), and I also have remote desktop disabled. Honestly I’m not even sure what might be causing this but since nothing else seems to be malfunctioning I’ll just assume it’s not something I should worry about (and most likely not caused by GlassWire despite the coincidences). Thank you guys for being so patient with me!

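The fields this thread reasons from (target account, sub status, caller process, source address) can be pulled out of a 4625 description with a small section-aware parser. This is an added example, not part of the original thread and not GlassWire's code; the function names and the `local_origin` heuristic are assumptions, and the sample is abridged from the event quoted in the first post.

```python
# NTSTATUS sub-status values documented for failed logons (subset).
NTSTATUS = {0xC0000064: "no such user", 0xC000006A: "wrong password",
            0xC0000072: "account disabled", 0xC0000234: "account locked out"}
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}
# Constructed sample: the event quoted in the first post, abridged.
SAMPLE = r"""Subject:
Account Name: Pichau

Logon Type: 3

Account For Which Logon Failed:
Account Name: Guest

Failure Information:
Sub Status: 0xC0000072

Process Information:
Caller Process Name: C:\Windows\explorer.exe

Network Information:
Source Network Address: -
"""

def parse_4625(text):
    """Map (section, field) -> value; a blank line ends a section."""
    fields, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        if not line:
            section = ""
        elif line.endswith(":"):          # e.g. "Subject:" opens a section
            section = line[:-1]
        else:                             # split on the first colon only
            key, _, value = line.partition(":")
            fields[(section, key.strip())] = value.strip()
    return fields

def triage(text):
    f = parse_4625(text)
    sub = int(f[("Failure Information", "Sub Status")], 16)
    src = f[("Network Information", "Source Network Address")]
    return {
        "caller": f[("Subject", "Account Name")],
        "target": f[("Account For Which Logon Failed", "Account Name")],
        "logon_type": LOGON_TYPES.get(int(f[("", "Logon Type")]), "other"),
        "reason": NTSTATUS.get(sub, hex(sub)),
        "process": f[("Process Information", "Caller Process Name")],
        # Assumed heuristic: no recorded remote source address.
        "local_origin": src in ("-", "127.0.0.1", "::1"),
    }
```

Keying on the section matters because "Account Name" appears twice in the event: once for the account that made the request (Subject) and once for the account the logon was attempted against.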