Get IT Solutions

How to do IT

Windows Event 4648 – A logon was attempted using explicit credentials

Windows Event 4648 is a useful event for tracking several different situations. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. The event is recorded in the Windows event logs, which you can open from Start – Control Panel – Administrative Tools – Event Viewer:

Windows Event Viewer Logs

Windows Event 4648 is written to the Security log in Event Viewer. You can filter the current log by event ID 4648, as in the following picture:

Event viewer security

In today's article we explain Windows Event 4648 – A logon was attempted using explicit credentials, and describe its fields.

Description of Windows Event 4648

A user connects to a server or PC, or runs a program locally, using alternate credentials. For instance, a user maps a drive to a server but specifies a different user’s credentials, or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut, selecting Run as…, and then filling in a different user’s credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.

This event is also logged when a process logs on as a different account, such as when the Scheduled Tasks service starts a task as the specified user. Logged on user: specifies the original user account.

With User Account Control enabled, when an end user runs a program requiring admin authority, you will get this event with consent.exe as the process information. Unfortunately, Subject does not identify the end user in this case.

Unfortunately, this event is also logged in situations where it doesn’t seem necessary. For instance, logging on interactively to a member server (Win2008 RC1) with a domain account produces an instance of this event in addition to 2 instances of 4624.

Examples of event id 4648

Windows Event 4648

Description of fields in Windows Event 4648

Subject:

This is the original account that started a process or connection using new credentials. In this case, user IMPACT\User0001 logged on to the computer PC00000101, in the same domain, from his computer PC00000010 using Admin’s username and password. He tried to reach the D drive on another user’s PC using the following command: \\PC00000101\d$, where d$ is the D drive of computer PC00000101.

  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session just initiated.  Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634.

Account Whose Credentials Were Used:

These are the new credentials. In this case, IMPACT\User0001 logged on as admin_super.

Target PC:

This is a PC named PC00000101.impact.com (in the same domain, IMPACT). User0001 logged on to it as admin_super, which is a local administrator. This section may be blank or indicate the local computer when another process is started on the local computer.

Process Information:

This is the process that initiates the connection or new process. The Process Name identifies the program executable that processed the logon.  Event id 4611 identifies one of the trusted logon processes. Process ID is the process ID specified when the executable started as logged in 4688.

Network Information:

In the case of Remote Desktop logons, the network address is filled with the IP address of the client workstation. In many cases it is blank. Source port, while filled in, is not useful since most protocol source ports are random.
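The field sections above correspond to named Data elements in the event's XML view. The following is an added example, not part of the original article: it parses an XML export of the Security log, keeps only event 4648, and groups the values under the sections described above, adding the interpretation notes from this article. The Data element names are the ones Windows uses for this event; the sample events, the LocalAdmin account, the process paths and the Logon ID values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export, not real log data; LocalAdmin, paths, Logon IDs are made up.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4648</EventID></System><EventData>
 <Data Name="SubjectUserName">User0001</Data><Data Name="SubjectDomainName">IMPACT</Data>
 <Data Name="TargetUserName">admin_super</Data><Data Name="TargetDomainName">PC00000101</Data>
 <Data Name="SubjectLogonId">0x3e4a1</Data><Data Name="TargetServerName">PC00000101.impact.com</Data>
 <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
 <Data Name="IpAddress">-</Data><Data Name="IpPort">-</Data>
</EventData></Event>
<Event><System><EventID>4648</EventID></System><EventData>
 <Data Name="SubjectUserName">PC00000010$</Data><Data Name="SubjectDomainName">IMPACT</Data>
 <Data Name="TargetUserName">LocalAdmin</Data><Data Name="TargetDomainName">PC00000010</Data>
 <Data Name="SubjectLogonId">0x3e7</Data><Data Name="TargetServerName">localhost</Data>
 <Data Name="ProcessName">C:\Windows\System32\consent.exe</Data>
 <Data Name="IpAddress">::1</Data><Data Name="IpPort">0</Data>
</EventData></Event>
<Event><System><EventID>4624</EventID></System><EventData/></Event>
</Events>"""

def parse_4648(xml_text):
    """Return one dict per 4648 event, keyed by the article's field sections."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4648":
            continue  # skip other event IDs such as 4624
        d = {n.get("Name"): (n.text or "") for n in ev.findall("e:EventData/e:Data", NS)}
        notes = []
        if d.get("ProcessName", "").lower().endswith("\\consent.exe"):
            notes.append("UAC elevation: Subject does not identify the end user")
        if d.get("TargetServerName", "").lower() in ("", "localhost"):
            notes.append("target is the local computer")
        if d.get("IpAddress", "-") in ("", "-"):
            notes.append("no network address recorded")
        rows.append({
            "subject": "\\".join((d.get("SubjectDomainName", ""), d.get("SubjectUserName", ""))),
            "logon_id": d.get("SubjectLogonId", ""),
            "credentials_used": "\\".join((d.get("TargetDomainName", ""), d.get("TargetUserName", ""))),
            "target_server": d.get("TargetServerName", ""),
            "process": d.get("ProcessName", ""), "network_address": d.get("IpAddress", ""),
            "notes": notes,
        })
    return rows

if __name__ == "__main__":
    print(*parse_4648(SAMPLE), sep="\n")
```

The source port is deliberately left out of the result, since it is not useful for analysis.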

Copyright © 2025 Get IT Solutions