Account Lockout Examiner will not show name of the process if either there is no corresponding invalid logon event or the name of the process is not tracked by Windows Audit.
- Kerberos authentication that takes place before an actual account logon failed, so there is only invalid Kerberos logon event but no account logon event tracked (the most common)
- Windows XP invalid logon events (event 529) do not contain the name of the process that caused this event.
- Events logged due to entering invalid credentials in an RDP client window normally do not contain the name of the process that caused this event.
There are a lot of other situations when a name of a process can be not logged. The easiest way to make sure that Account Lockout Examiner reflects all information correctly is to manually check invalid logon event in Security log.