I've been troubleshooting a server that is having thousands of failed login events (4625) but I can't tell anything based on the information I am getting. Most of them happen at minute 9 each hour, like 12:09, 1:09, 2:09, and 30 minutes later, 12:39, 1:39, 2:39. It's almost like there is an exact timing, but then there will also be a few random ones at 12:46 or something and it doesn't seem to follow an exact pattern.
An account failed to log on.

Subject:
    Security ID: SYSTEM
    Account Name: SERVER$
    Account Domain: DORRAY
    Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

Process Information:
    Caller Process ID: 0x2b4
    Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name: SERVER
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
In the application event logs the Software Protection service will start (event 900, 1066), do a license check (event 1003), then there is a 902 event, and it always reschedules another check for 30/60 minutes later (event 16384) and the service will stop (event 903).
I can provide more details about each event, but I have never seen something like this and have no idea what could be causing this. I mainly want to get rid of the failed login events, or figure out what is causing them.
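
One way to check whether the 4625 failures really line up with the Software Protection events described in the post, as an added example that is not part of the original post. The one-day look-back and the 120-second correlation window are assumptions; the event IDs are the ones named above, matched by ID only, so the Application log query can also return events from other providers that reuse those IDs.

```powershell
# Added example: correlate failed logons (4625) with the Application log
# events named in the post. Run from an elevated PowerShell session.
$since  = (Get-Date).AddDays(-1)   # assumed look-back window
$window = 120                      # assumed correlation window, in seconds

# Failed logons, with named EventData fields read from the event XML.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Minute       = $_.TimeCreated.Minute
            LogonProcess = ([string]$data['LogonProcessName']).Trim()
            SubStatus    = $data['SubStatus']
            TargetUser   = $data['TargetUserName']
            CallerPid    = $data['ProcessId']
        }
    }

# Application log events with the IDs listed in the post.
$app = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 900, 902, 903, 1003, 1066, 16384; StartTime = $since } -ErrorAction SilentlyContinue
$appTimes = @($app | ForEach-Object { $_.TimeCreated })

# 1) Failures per minute of the hour: a scheduled source shows up as spikes.
$failed | Group-Object Minute | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# 2) Tag each failure by whether an Application event falls inside the window,
#    then count by (NearApp, LogonProcess, SubStatus).
$tagged = $failed | ForEach-Object {
    $t = $_.Time
    $near = @($appTimes | Where-Object { [math]::Abs(($_ - $t).TotalSeconds) -le $window }).Count -gt 0
    $_ | Add-Member -NotePropertyName NearApp -NotePropertyValue $near -PassThru
}
$tagged | Group-Object NearApp, LogonProcess, SubStatus |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 3) Failures with no nearby Application event (the "random" ones), for manual review.
$tagged | Where-Object { -not $_.NearApp } | Sort-Object Time |
    Select-Object Time, LogonProcess, SubStatus, TargetUser, CallerPid | Format-Table -AutoSize
```

If most failures land in the `NearApp = True` groups, the two are at least time-correlated; the rows from step 3 are the ones that need a separate explanation.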