Windows Event 4648 is a useful event for tracking several different situations. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. The Windows Event can be found on the Windows Event Viewer Logs on: Start – Control Panel – Administrative Tools – Event Viewer:
Windows Event 4648 can be found on event viewer security section. You can filter the current log by event id 4648 as the following picture:
In our article today we are going to explain WindowsEvent 4648 – A logon was attempted using explicit credentials and the description of fields.
Description of windows event 4648
A user connects to a server, PC or runs a program locally using alternate credentials. For instance a user maps a drive to a server but specifies a different user’s credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut, selecting Run as…, and then filling in a different user’s credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.
This event is also logged when a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user. Logged on user: specifies the original user account.
With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe. Unfortunately Subject does not identify the end user.
In situations where it doesn’t seem necessary unfortunately this event is also logged. For instance logging on interactively to a member server (Win2008 RC1) with a domain account produces an instance of this event in addition to 2 instances of 4624.
Examples of event id 4648
Description Fields in windows event 4648
This is the original account that started a process or connection using new credentials. In this case user IMPACT\User0001 was logged on the computer PC00000101 in the same domain from his computer PC00000010 and using Admin’s username and password. He tried to reach the D drive on an another user PC using the following command: \\ PC00000101\d$ where d$ is D drive of computer PC00000101
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session just initiated. Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634.
Account Whose Credentials Were Used:
These are the new credentials. In this case IMPACT\User0001 logged on as admin_super
This is a PC named PC00000101.impact.com (in the same domain IMPACT). User0001 logged on to as admin_super which is a local administrator. This section may be blank or indicate the local computer when starting another process on local computer.
This is the process that initiates the connection or new process. The Process Name identifies the program executable that processed the logon. Event id 4611 identifies one of the trusted logon processes. Process ID is the process ID specified when the executable started as logged in 4688.
The network address in the case of Remote Desktop logons is filled with the IP address of the client workstation.In many cases in blank. Source port, while filled in, is not useful since most protocol source ports are random.