Active Directory & Office 365 Reporting Tool

What is 0xc000006a – User Logon Misspelled or Bad Password? Have you encountered the 0xc000006a status code while troubleshooting event ID 4625? This article dives into the event code 0xc000006a – user logon with misspelled or bad password – and its relationship with event ID 4625.

Additionally, we cover why event code 0xc000006a occurs and how to fix it. Finally, the guide includes a PowerShell function that you can use to find all event ID 4625 entries that have event status code 0xc000006a.

What is 0xc000006a - User Logon with Misspelled or Bad Password?

0xc000006a is a failure status code of event ID 4625 – An account failed to log on. 

Event ID 4625 records “an account failed to log on,” but it does not explain why it failed. Therefore, to determine the reason, one must examine the status code 0xc000006a and its Sub Status code, which reveals why the logon attempt failed.

How to Decode Event Status Code 0xc000006a with its Sub Status Code

By examining the “Failure Reason” of event ID 4625, you identify a more granular reason for the failure. For instance, my event log’s “Failure Reason” is “unknown user name or bad password.”

This specific reason gets us closer to the cause of the logon failure.

However, accepting “unknown user name or bad password” at face value may be misleading. Therefore, to determine the exact cause of this issue, you need to review the Sub Status code.

Fortunately, Microsoft has provided a page with Status and Sub Status codes and their descriptions. According to the referenced Microsoft page, the 0xC000006D status code means that “this is either due to a bad username or authentication information.”

Examining the Sub Status code of this event – 0xC000006A – gives us the exact reason for the failure. 

When I looked up the Sub Status code – 0xC000006A – on the Microsoft page I referenced earlier, it describes it as “user logon with misspelled or bad password.”

This description is as specific as it gets. The reason for event ID 4625 – “an account failed to log on,” – registered on my Domain Controller’s event log is that the user misspelled or entered the wrong password. 

So, we ask the user to ensure they entered their username and password correctly. Moreover, we recommend that the user changes their password. 

Alternatively, we reset the user’s password. 

Important note: when you visit the URL where Microsoft explained the Status and Sub Status codes, scroll down to the table to view the codes and their descriptions. 

Analyze Event Logs with 0xC000006D Status Code Using Event Viewer

It is the perfect time to discuss how to utilize the Event Viewer’s filtering feature to display events with ID 4625. By doing this, we easily save the results as a CSV file, which makes analyzing the event log in detail a breeze!

To filter the Security event log and export it to a CSV file: 

1. Right-click the Security event log and select Filter Current Log…

2. Next, enter 4625 in the <All Event IDs> field and click OK. Doing this returns only events with ID 4625. 

3. After that, right click the Security event log again and select Save Filtered Log Files As…

4. Finally, choose a location to save the file. Make sure to change the “Save as type” option to CSV. Next, give your file a catchy name and simply hit “Save”.

So, now that you’ve got the events saved in a CSV file, it’s time to start analysing them! One way to do this is to examine the sub status codes and their meanings. By doing this, you identify patterns or similarities between them.

This information proves valuable in helping you make sense of the data in your attempt to figure out the root cause of event ID 4625. 

Regrettably, the CSV file presents event logs in an unfriendly format. However, in this next section, we discuss a more effective method of retrieving and analysing event ID 4625 and its corresponding status and sub-status codes by utilizing PowerShell.


Analyse Event Logs with 0xC000006D Status Code with Windows PowerShell

To begin, we walk through the step by step process of running PowerShell commands to generate a report of events with 0xC000006D status code. Additionally, we introduce a custom PowerShell function that we created to improve the accuracy of results and streamline the task’s execution time.

Run PowerShell Commands Manually to Return Event Logs with 0xC000006D Status Code

Before you proceed, open PowerShell as admin. To do this, search for the app and click Run as Administrator. 

1. To initiate this process of generating your report, execute the Get-WinEvent command to retrieve the most recent event with ID 4625. This command stores the resulting output in the variable, $events.

$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 1

2. Next, convert the result in the $events variable to XML format and save the result in the $eventXml variable. Then run the second command to extract the event log data into the $eventData variable.

Before you proceed to step 3, type the $eventData variable and run it. It displays the event log data in a hashtable.

See the screenshot for details.

We need this information to build our final report.

$eventXml = [xml]$events.ToXml()

$eventData = $eventXml.Event.EventData.Data

The items in the hashtable are numbered, starting from zero (0). In the screenshot below, I have numbered each item according to its position in the hashtable.

I left the first item in my numbering as it is zero. 

The final report we intend to create includes the following: 

“Account Name” – 5 in the hashtable.
“Account Domain” – 6
“Source IP Address” – 19
“Source Port” – 20
“Logon Type” – 10
“Status Code” – 7
“Sub Status Code” – 9

We then use the event log data saved in the $eventData variable to build a custom report. Here is the complete script with the final report.

# Retrieve the most recent event with ID 4625 and read its event data
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 1
$eventXml = [xml]$events.ToXml()
$eventData = $eventXml.Event.EventData.Data
$status = $eventData[7].'#text' # the event status code
$subStatus = $eventData[9].'#text' # the event sub status code
$LogonType = [int]$eventData[10].'#text' # the event logon type
# the final report
$finalresult = [PSCustomObject]@{
    "Account Name" = $eventData[5].'#text'
    "Account Domain" = $eventData[6].'#text'
    "Workstation Name" = $eventData[13].'#text'
    "Source IP Address" = $eventData[19].'#text'
    "Source Port" = $eventData[20].'#text'
    "Logon Type" = $LogonType
    "Status Code" = $status
    "Sub Status Code" = $subStatus
}
$finalresult

To see the script in action, copy it into PowerShell ISE and run it. The result returns essential information about the event, including the all-important Status and Sub Status codes.

This script is great but its capabilities are limited. 

For example, it cannot return more than 1 event. Secondly, you still have to manually look up the descriptions of the status and sub status codes. 

To fix these limitations, we developed a custom PowerShell function. 

Custom PowerShell Function to Return Event Logs with 0xC000006D

User Logon with Misspelled or Bad Password

The custom PowerShell function, Get-Event4625Details, allows you to specify how many event logs to return. Use its Number parameter – more on how to use it shortly.

Here is the complete function.

function Get-Event4625Details {
    param (
        [Parameter(Mandatory=$true)]
        [int]$Number
    )

    # Define the status code descriptions
    $StatusDescriptions = @{
        "0XC000005E" = "There are currently no logon servers available to service the logon request."
        "0xC0000064" = "User logon with misspelled or bad user account"
        "0xC000006A" = "User logon with misspelled or bad password"
        "0XC000006D" = "This is either due to a bad username or authentication information"
        "0xC000006F" = "User logon outside authorized hours"
        "0xC0000070" = "User logon from unauthorized workstation"
        "0xC0000072" = "User logon to account disabled by administrator"
        "0XC000015B" = "The user has not been granted the requested logon type (aka logon right) at this machine"
        "0XC0000192" = "An attempt was made to logon, but the Netlogon service was not started"
        "0xC0000193" = "User logon with expired account"
        "0XC0000413" = "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine"
    }

    # Define the LogonType descriptions
    $LogonTypeDescriptions = @{
        2 = "A user logged on to this computer."
        3 = "A user or computer logged on to this computer from the network."
        4 = "Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention."
        5 = "A service was started by the Service Control Manager."
        7 = "This workstation was unlocked."
        8 = "A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext)."
        9 = "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
        10 = "A user logged on to this computer remotely using Terminal Services or Remote Desktop."
        11 = "A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials."
    }

    # Get the most recent $Number events with ID 4625
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents $Number

    # Extract the required properties and add status descriptions
    $finalresult = $events | ForEach-Object {
        $eventXml = [xml]$_.ToXml()
        $eventData = $eventXml.Event.EventData.Data

        $status = $eventData[7].'#text'
        $subStatus = $eventData[9].'#text'
        $LogonType = [int]$eventData[10].'#text' # Cast to integer

        [PSCustomObject]@{
            "Account Name" = $eventData[5].'#text'
            "Account Domain" = $eventData[6].'#text'
            "Workstation Name" = $eventData[13].'#text'
            "Source IP Address" = $eventData[19].'#text'
            "Source Port" = $eventData[20].'#text'
            "Logon Type" = $LogonType
            "Logon Type Description" = $LogonTypeDescriptions[$LogonType]
            "Status Code" = $status
            "Status Description" = $StatusDescriptions[$status]
            "Sub Status Code" = $subStatus
            "Sub Status Description" = $StatusDescriptions[$subStatus]
        }
    }

    # Output the final result 
    $finalresult | Format-Table "Account Name", "Account Domain", "Workstation Name", "Source IP Address", "Source Port", `
                   "Logon Type", "Logon Type Description", "Status Code", "Status Description", "Sub Status Code", "Sub Status Description" `
                   -Wrap -AutoSize
}

In addition to its ability to return more than one event, Get-Event4625Details also decodes the event status code 0xc000006a and its sub status code. That is not all; the function also provides human-readable descriptions for the event Logon Types. 

So, we run the command below in PowerShell ISE to show the function in action.

Get-Event4625Details -Number 4

See the result of the command in the screenshot below. 
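The function above reads each field by its position and returns every event ID 4625 it finds, whatever the sub status. As an added example (not the article's own code), the code below reads the same fields by the Name attribute of each Data element in the event XML, keeps only sub status 0xC000006A, and counts failures per account and source IP so that repeated bad passwords from one source stand out. The function names ConvertFrom-Event4625Xml and Get-BadPasswordSummary are hypothetical, and the sample events are constructed.

```powershell
# Added example, not the article's code. Function names are hypothetical.
function ConvertFrom-Event4625Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        # Index each <Data Name="...">value</Data> by its Name attribute
        $d = @{}
        foreach ($n in ([xml]$Xml).Event.EventData.Data) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        [PSCustomObject]@{
            Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            SourceIP  = $d['IpAddress']
            LogonType = [int]$d['LogonType']
            Status    = $d['Status']
            SubStatus = $d['SubStatus']
        }
    }
}

function Get-BadPasswordSummary {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Record)
    # Keep only sub status 0xC000006A, then count per account and source IP
    $Record | Where-Object { $_.SubStatus -eq '0xC000006A' } |
        Group-Object Account, SourceIP |
        Sort-Object Count -Descending |
        ForEach-Object {
            [PSCustomObject]@{
                Account  = $_.Group[0].Account
                SourceIP = $_.Group[0].SourceIP
                Failures = $_.Count
            }
        }
}

# Constructed sample events: user, source IP (documentation range), sub status
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetUserName">{0}</Data><Data Name="TargetDomainName">EXAMPLE</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">{2}</Data>
<Data Name="LogonType">3</Data><Data Name="IpAddress">{1}</Data>
</EventData></Event>
'@
$sample = ('alice', '192.0.2.10', '0xc000006a'),
          ('alice', '192.0.2.10', '0xc000006a'),
          ('bob',   '192.0.2.25', '0xc000006a'),
          ('carol', '192.0.2.25', '0xc0000064') | ForEach-Object { $template -f $_ }

Get-BadPasswordSummary -Record ($sample | ConvertFrom-Event4625Xml)
# Live log: replace $sample with
#   Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 500 | ForEach-Object { $_.ToXml() }
```

Looking fields up by name keeps the report correct if the order of the Data elements ever differs from the positions listed earlier.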

What is 0xc000006a - User Logon Misspelled or Bad Password Conclusion

In conclusion, understanding the 0xc000006a status code is crucial for IT professionals who want to troubleshoot user logon issues caused by misspelled or bad passwords. By decoding the status code and its sub-status code, IT professionals pinpoint the root cause of the issue and take appropriate action to resolve it.

Additionally, analysing event ID 4625 with 0xC000006D status code using Event Viewer and PowerShell commands provides valuable insights into the frequency and scope of the logon issue.

Finally, the custom PowerShell function significantly reduces the time and effort required to retrieve event logs related to 0xC000006D status code. This is a valuable tool for IT professionals tasked with troubleshooting user logon issues caused by misspelled or bad passwords.


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
