


 

4648 event id.

If you're reviewing Windows audit logs, is there a reason to look at both event ID 4624 (Successful logins) and 4648 (the user entered explicit credentials)? What's the difference between the two, assuming you're not concerned about system logins?

Jul 24, 2020 · In the Event ID 4648, the subject's Account Name is the "Standard user".

4625: An account failed to log on. This is a useful event because it documents each and every failed attempt to log on to the local computer regardless of logon type, location of the user or type of account.

Event Description: This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.

See examples of indicators, MITRE tactics, and cheatsheets for hunting with EventID 4648.

Windows Security Log Event ID 4624. 4624: An account was successfully logged on. This is a highly valuable event since it documents each and every successful attempt to log on to the local computer regardless of logon type, location of the user or type of account.

To demonstrate this, I have created a local user "test" with administrators group privileges.

This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.

When a user attempts to use credentials other than his own, or if there is a user account control bypass to open a process with administrator permissions, this event is logged.

Sep 28, 2021 · Learn how to use EventID 4648 to detect and investigate possible threats such as lateral movement, RDP connections, and RPC calls.

The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads N/A.

Remove outdated credentials from Credential Manager and mapped drives on the suspected machines.
Rather look at the Account Information: fields, which identify the user who logged on and the user account's DNS suffix.

Under the category Logon/Logoff events, what does Event ID 4648 (A logon was attempted using explicit credentials) mean?

Mar 18, 2024 · Event ID 4648 isn’t an error, per se, as it’s the intended result of someone trying to enter a network server using different or new credentials.

What is Event ID 4648? This event is logged when a logon attempt is made using explicit credentials, meaning the user provides credentials other than the one currently logged on.

Jun 19, 2013 · What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008?

Feb 10, 2024 · Event ID 4648: This event is logged when a logon attempt is made with explicit credentials, such as when using the RunAs command.

It’s supposed to block you from entering; that’s its purpose.

Event ID 4648: A logon was attempted using explicit credentials. Subcategory: Audit Logon.

It can indicate that the account credentials are being used actively, even if not for interactive logons.

Learn what Event ID 4648 means and how to interpret it in the Windows security log.

Event ID 4634: This event signals a logoff.

This Event ID is a problem because it’s a sign that someone has or is trying to hack into your computer.

Apr 10, 2018 · A classic example of Event ID 4648 is when the user maps a shared drive of the remote server by specifying somebody else's credentials.

See examples of when this event is triggered and what information it provides.

Event ID 4672 When a set of sensitive

Finally, this subcategory includes event ID 4648 (A logon was attempted using explicit credentials), which will appear in a variety of situations, such as when RunAs is invoked or when a scheduled task runs.
But under the credentials used section, the account name is of the "Administrator" and the Target Server is "LocalHost" and Account Domain is same as well.

Mar 29, 2021 · As per Microsoft docs, 4648 stands for "This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials."

4648 (S): A logon was attempted using explicit credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when…

Windows Event ID 4648 - A logon was attempted using explicit credentials.

Aug 19, 2025 · Event ID 4648, “A logon was attempted using explicit credentials,” occurs when a process attempts to authenticate to an account by explicitly providing credentials (username/password) that differ

Jul 19, 2025 · Find the source of bad logons in Event Viewer using Event ID 4625/4648 on the domain controller.

A logon was attempted using explicit credentials is generated when a process logs on an account by specifying its credentials.

Learn what this event means and how to interpret its parameters.

The User ID field provides the SID of the account.

Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4

Sep 2, 2020 · This event generates when a user logon is of remote type and the logoff was with some standard method.