Folder Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Account Lockout
Account Lockout
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Logon/Logoff
Source Microsoft-Windows-Security-Auditing
TaskCategory Account Lockout
Field Matching
FieldDescriptionSample Value
DateTime Date/Time of event origination in GMT format. 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Security
Type Warning, Information, Error, Success, Failure, etc. Success
User Domain\Account name of user/service/computer initiating event. RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. DC1
EventID Numerical ID of event. Unique within one Event Source. 576
Description The entire unparsed event message. Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) Security
Task Category A name for a subclass of events within the same Event Source.
Level Warning, Information, Error, etc.
Keywords Audit Success, Audit Failure, Classic, Connection etc.
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Account Logon
Object Name
Object Type
Class Name
Security ID
Account Name
Account Domain
Subject: Security ID S-1-5-21-1135140816-2109348461-2107143693-500
Subject: Account Name ALebovsky
Subject: Account Domain LOGISTICS
Subject: Logon ID 0x2a88a
Account For Which Logon Failed: Security ID S-1-0-0
Account For Which Logon Failed: Account Name Paul
Account For Which Logon Failed: Account Domain LOGISTICS
Failure Information: Failure Reason Account locked out.
Failure Information: Status 0xc0000234
Failure Information: Sub Status 0x0
Process Information: Caller Process ID 0x3f8
Process Information: Caller Process Name C:\Windows\System32\svchost.exe
Network Information: Workstation Name DCC1
Network Information: Source Network Address ::1
Network Information: Source Port 0
Detailed Authentication Information: Logon Process seclogo
Detailed Authentication Information: Authentication Package Negotiate
Detailed Authentication Information: Transited Services -
Detailed Authentication Information: Package Name (NTLM only) -
Detailed Authentication Information: Key Length 0