EventPeeker
Event ID 4725 | Audit Success | Security

Windows Event ID 4725: User Account Disabled

Logged when a user account is disabled, preventing future logons without deleting the account.

Why It Matters

Account disables are usually benign (offboarding), but attackers sometimes disable accounts to prevent legitimate owners from logging back in during an attack. An admin account being disabled by a non-admin or unexpected account is critical.

Key Fields

Target Account Name: The account that was disabled
Subject Account Name: Who disabled it

Investigation Tips

  1. If an admin account was disabled by an unexpected account, treat it as an active incident.
  2. Cross-reference with HR records — expected departures should match offboarding timelines.
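
The two tips above can be applied as a triage pass over exported events. This is an added example, not EventPeeker's own code: it assumes the events were exported as XML under a single root element, where Target Account Name and Subject Account Name appear as `TargetUserName` and `SubjectUserName`. The account sets and sample events are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed local context (hypothetical names): build these from your directory and HR data.
PRIVILEGED_ACCOUNTS = {"administrator", "da-jsmith"}
EXPECTED_DISABLERS = {"svc-offboarding", "helpdesk-admin"}
HR_OFFBOARDING = {"mbrown"}

# Constructed sample events (not real logs), trimmed to the fields used here.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4725</EventID><TimeCreated SystemTime="2024-05-01T09:12:44Z"/></System>
<EventData><Data Name="TargetUserName">da-jsmith</Data><Data Name="SubjectUserName">tempuser1</Data></EventData></Event>
<Event><System><EventID>4722</EventID><TimeCreated SystemTime="2024-05-01T09:20:00Z"/></System>
<EventData><Data Name="TargetUserName">guest2</Data><Data Name="SubjectUserName">tempuser1</Data></EventData></Event>
<Event><System><EventID>4725</EventID><TimeCreated SystemTime="2024-05-01T10:03:10Z"/></System>
<EventData><Data Name="TargetUserName">mbrown</Data><Data Name="SubjectUserName">svc-offboarding</Data></EventData></Event>
<Event><System><EventID>4725</EventID><TimeCreated SystemTime="2024-05-01T11:47:31Z"/></System>
<EventData><Data Name="TargetUserName">akhan</Data><Data Name="SubjectUserName">helpdesk-admin</Data></EventData></Event>
</Events>"""

def parse_4725(xml_text):
    """Yield (time, subject, target) for each Event ID 4725 in the XML."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4725":
            continue  # skip related IDs such as 4722 and 4726
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield when, data.get("SubjectUserName", "").lower(), data.get("TargetUserName", "").lower()

def triage(xml_text):
    """Return (verdict, time, subject, target) for each disable event."""
    findings = []
    for when, subject, target in parse_4725(xml_text):
        if target in PRIVILEGED_ACCOUNTS and subject not in EXPECTED_DISABLERS:
            verdict = "critical"   # tip 1: admin account disabled by unexpected account
        elif target in HR_OFFBOARDING and subject in EXPECTED_DISABLERS:
            verdict = "expected"   # tip 2: matches a known departure
        else:
            verdict = "review"     # no offboarding record or unfamiliar actor
        findings.append((verdict, when, subject, target))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```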

Related Event IDs

4722: Account enabled — the reverse of this action
4726: Account deleted
