Windows Event ID 4723 — Password Change Attempted
Logged when a user attempts to change their own password — a self-service action that does not require admin privileges. Fires on both success and failure. A failed 4723 on an admin or service account means an attacker knows the account exists but does not know the current password.
Why It Matters
Self-service password changes on privileged accounts (domain admins, service accounts, executive accounts) outside of a helpdesk workflow are a red flag — especially if the Subject and Target Account Names match but the account is not the logged-on user's own. Service account password changes without coordinating with dependent services cause immediate outages and are sometimes used by attackers to lock out the service. Failed 4723 events reveal the accounts an attacker is targeting before a successful compromise.
Key Fields
Investigation Tips
1. Failed 4723 on a high-privilege account (domain admin, service account, executive) indicates an attacker has identified the account and is attempting to take ownership. Treat repeated failures as a precursor to a brute-force or credential-stuffing attempt against that specific account.
2. Service account password changes must be coordinated — the service consuming that account will fail immediately when the password rotates if the configuration is not updated simultaneously. Unexpected service account 4723 events (especially failures) should trigger a review of what services depend on that account.
3. Off-hours self-service password changes on admin accounts are suspicious. Legitimate users change their own passwords during business hours via IT portals. A change at 2am from an unusual workstation is worth reviewing regardless of success or failure.
4. Correlate successful 4723 events with subsequent 4624 logons from the account — if the password change is immediately followed by a logon from a new IP or different workstation, the change may have been performed by an attacker to take over the account.
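The tips above can be turned into a small triage pass. This is an added example, not code from this page or from any product it mentions. It assumes events have already been exported and normalized into dicts; the key names (`id`, `time`, `target`, `src`, `success`), the account watchlist, the business-hours range and both thresholds are hypothetical and need tuning.

```python
from datetime import datetime, timedelta

# Assumptions for this sketch: tune all four to your environment.
PRIVILEGED = {"da_admin", "svc_sql"}      # watchlist of admin/service accounts
BUSINESS_HOURS = range(8, 18)             # 08:00-17:59 local time
FAIL_THRESHOLD = 3                        # failed 4723s before alerting
FOLLOW_WINDOW = timedelta(minutes=10)     # "immediately followed by a logon"

def triage(events):
    """Return (finding, account) tuples for normalized 4723/4624 records."""
    findings, fails, seen_src, pending = [], {}, {}, {}
    for e in sorted(events, key=lambda r: r["time"]):
        acct = e["target"].lower()
        if e["id"] == 4624:
            # Tip 4: logon from a source not seen before, soon after a change.
            changed = pending.get(acct)
            new_src = e["src"] not in seen_src.get(acct, set())
            if changed and e["time"] - changed <= FOLLOW_WINDOW and new_src:
                findings.append(("logon_from_new_source_after_change", acct))
            seen_src.setdefault(acct, set()).add(e["src"])
        elif e["id"] == 4723 and acct in PRIVILEGED:
            # Tip 3: any attempt outside business hours, success or failure.
            if e["time"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_change_attempt", acct))
            if e["success"]:
                pending[acct] = e["time"]
            else:
                # Tip 1: repeated failures against one privileged account.
                fails[acct] = fails.get(acct, 0) + 1
                if fails[acct] == FAIL_THRESHOLD:
                    findings.append(("repeated_failed_change", acct))
    return findings

def _ev(eid, ts, target, src, success=True):
    return {"id": eid, "time": datetime.fromisoformat(ts), "target": target,
            "src": src, "success": success}

# Constructed sample events (not from a real log).
SAMPLE = [
    _ev(4624, "2024-05-06T09:00:00", "da_admin", "WS-ADMIN01"),
    _ev(4723, "2024-05-07T02:01:00", "svc_sql", "WS-LAB07", success=False),
    _ev(4723, "2024-05-07T02:01:20", "svc_sql", "WS-LAB07", success=False),
    _ev(4723, "2024-05-07T02:01:40", "svc_sql", "WS-LAB07", success=False),
    _ev(4723, "2024-05-07T10:15:00", "da_admin", "WS-ADMIN01"),
    _ev(4624, "2024-05-07T10:17:00", "da_admin", "10.0.9.44"),
    _ev(4723, "2024-05-07T11:00:00", "jsmith", "WS-HR02"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An account with no earlier 4624 in the input has no baseline, so its first logon after a change counts as a new source; feed in enough logon history to avoid that.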
Related Event IDs
Frequently Asked Questions
- What does a failed Event ID 4723 mean?
- A failed 4723 means a user attempted to change their own password but provided the wrong current (old) password. The status code 0xC000006A confirms this. From a security perspective, a failure means two things: the account exists (the attacker correctly identified a valid account name), and the attacker does not yet know the current password. Multiple failed 4723 events against admin or service accounts from unexpected workstations indicate a targeted account takeover attempt — the attacker is trying to change the password to lock out the legitimate owner.
- What is the difference between Event ID 4723 and 4724?
- Event 4723 is a self-service password change — any user can change their own password without admin rights, and the Subject Account Name matches the Target Account Name. Event 4724 is an admin-initiated password reset — the Subject Account (admin) resets the Target Account (another user) and requires elevated privileges. In practice, 4723 with a mismatch between Subject and Target, or 4723 on a service account, often indicates something unusual. 4724 is more directly suspicious when the resetting account itself shows other unusual activity.
- Is Event ID 4723 on a service account always a problem?
- Not always — scheduled password rotation tools can generate 4723. But unplanned or failed 4723 events on service accounts are worth investigating: a failure means someone tried and failed to change a service account's password (possibly to take control of it), and a success outside your normal rotation window means a service outage is likely imminent if the consuming service was not updated. Correlate with your change management records and check the Workstation Name field — rotation tooling will show a consistent source hostname.