Event Id | 644 |
Source | Security |
Description | User Account Locked Out: Target Account Name: %1 Target Account ID: %3 Caller Machine Name: %2 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6 |
Event Information | Cause: An account is locked out when a specified number of unsuccessful logon attempts occur over a specified time period. Unsuccessful logon attempts might indicate that the user forgot the password. However, they can also indicate password guessing by an unauthorized user or a denial-of-service attack against your network. The account can be locked out for a set time period or until an administrator manually unlocks it. Resolution: Analyze the events to determine whether this is an attack against your network. Look for Security 529 through Security 537 messages appearing immediately before the Security 644 message. If these messages appear frequently during a short time period (for example, several attempts per second), they can indicate that an attacker is rapidly trying numerous passwords until logon is successful or the account is locked out. If an attack pattern emerges, identify the source of the attack from the information provided in the messages and follow your security policy to mitigate the threat. |
Reference Links | "Event ID: 644" Message Even When No Accounts Have Been Locked Out Because of Bad Logon Attempts |
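
The correlation described under Resolution, as an added example that is not part of the original reference entry: for each Security 644 lockout it collects the Security 529 through 537 failures for the same account that precede it and reports their count, sources and rate. The tuple layout, the 30-minute look-back window and the 2-per-second threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

FAILED_LOGON_IDS = range(529, 538)  # Security 529 through 537
LOCKOUT_ID = 644

# Constructed sample records: (timestamp, event ID, account, source machine).
SAMPLE_EVENTS = [
    ("2005-03-01 09:00:00", 529, "alice", "WS-FRONTDESK"),
    ("2005-03-01 09:07:30", 529, "alice", "WS-FRONTDESK"),
    ("2005-03-01 09:15:10", 529, "alice", "WS-FRONTDESK"),
    ("2005-03-01 09:15:11", 644, "alice", "WS-FRONTDESK"),
    ("2005-03-01 11:30:00", 529, "bob", "HOST-17"),
    ("2005-03-01 11:30:00", 529, "bob", "HOST-17"),
    ("2005-03-01 11:30:00", 529, "bob", "HOST-17"),
    ("2005-03-01 11:30:01", 529, "bob", "HOST-17"),
    ("2005-03-01 11:30:01", 529, "bob", "HOST-17"),
    ("2005-03-01 11:30:01", 529, "bob", "HOST-17"),
    ("2005-03-01 11:30:02", 644, "bob", "HOST-17"),
    ("2005-03-01 14:00:00", 644, "carol", "DC-01"),  # lockout with no failures
]

def lockout_context(events, window=timedelta(minutes=30), rapid_per_second=2.0):
    """Return one finding per 644 event, in time order (assumed thresholds)."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, src)
                    for ts, eid, acct, src in events)
    findings = []
    for when, eid, acct, _ in parsed:
        if eid != LOCKOUT_ID:
            continue
        # Failed logons for the same account inside the look-back window.
        failures = [(t, s) for t, e, a, s in parsed
                    if e in FAILED_LOGON_IDS and a == acct and when - window <= t <= when]
        # Rate over the span from first failure to lockout, floored at 1 second.
        span = max((when - failures[0][0]).total_seconds(), 1.0) if failures else 1.0
        rate = len(failures) / span
        findings.append({
            "account": acct,
            "failures": len(failures),
            "sources": sorted({s for _, s in failures}),
            "rate_per_second": rate,
            "rapid": rate >= rapid_per_second,
        })
    return findings

if __name__ == "__main__":
    for finding in lockout_context(SAMPLE_EVENTS):
        print(finding)
```

A lockout with zero preceding failures, like the constructed `carol` record, is reported rather than dropped so it can be investigated separately.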