Event ID 4648
A logon was attempted using explicit credentials
A logon was attempted using explicit credentials.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Logon GUID: %5
Account Whose Credentials Were Used:
Account Name: %6
Account Domain: %7
Logon GUID: %8
Target Server:
Target Server Name: %9
Additional Information: %10
Process Information:
Process ID: %11
Process Name: %12
Network Information:
Network Address: %13
Port: %14
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
It is also a routine event which periodically occurs during normal operating system activity.
Auditing:
Always
It is recommended to enable auditing for all associated subcategories on domain controllers, servers and workstations.
Name | Field | Insertion String | OS | Example
--- | --- | --- | --- | ---
Security ID | SubjectUserSid | %1 | Any | DOMAIN\User1
Account Name | SubjectUserName | %2 | Any | User1
Account Domain | SubjectDomainName | %3 | Any | DOMAIN
Logon ID | SubjectLogonId | %4 | Any | 0x31844
Logon GUID | LogonGuid | %5 | Any | {00000000-0000-0000-0000-000000000000}
Account Name | TargetUserName | %6 | Any | User2
Account Domain | TargetDomainName | %7 | Any | DOMAIN
Logon GUID | TargetLogonGuid | %8 | Any | {0887F1E4-39EA-D53C-804F-31D568A06274}
Target Server Name | TargetServerName | %9 | Any | localhost
Additional Information | TargetInfo | %10 | Any | localhost
Process ID | ProcessId | %11 | Any | 0x368
Process Name | ProcessName | %12 | Any | C:\Windows\System32\svchost.exe
Network Address | IpAddress | %13 | Any | 127.0.0.1
Port | IpPort | %14 | Any | 0
Security ID (SubjectUserSid): SID of the account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. Once a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
Account Name (SubjectUserName): The name of the account that requested the new logon session with explicit credentials.
Account Domain (SubjectDomainName): Subject's domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: DOMAIN
Lowercase full domain name: domain.local
Uppercase full domain name: DOMAIN.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "ComputerName".
Logon ID (SubjectLogonId): Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
Logon GUID (LogonGuid): A GUID that can help you correlate this event with another event that can contain the same Logon GUID, event ID 4769 (A Kerberos service ticket was requested) on a domain controller.
Account Name (TargetUserName): The name of the account whose credentials were used.
Account Domain (TargetDomainName): Domain or computer name of the account whose credentials were used. Formats vary, and include the following:
Domain NETBIOS name example: DOMAIN
Lowercase full domain name: domain.local
Uppercase full domain name: DOMAIN.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "ComputerName".
Logon GUID (TargetLogonGuid): A GUID that can help you correlate this event with another event that can contain the same Logon GUID, event ID 4769 (A Kerberos service ticket was requested) on a domain controller.
It can also be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same Logon GUID, event ID 4624 (An account was successfully logged on) and event ID 4964 (Special groups have been assigned to a new logon).
This parameter might not be captured in the event, and in that case appears as "{00000000-0000-0000-0000-000000000000}".
Target Server Name (TargetServerName): The name of the server on which the new process was run. Has the value "localhost" if the process was run locally.
Process ID (ProcessId): Hexadecimal process ID of the process which was run using explicit credentials. A process ID (PID) is a number used by the operating system to uniquely identify an active process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, event ID 4688 (A new process has been created).
Process Name (ProcessName): Full path and name of the executable for the process.
Network Address (IpAddress): IP address of the machine from which the logon attempt was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Port (IpPort): Source port which was used for the logon attempt from the remote machine.
Port 0 is for interactive logons.
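As an added example (not from the original page), a small Python parser for a 4648 event in Event Viewer's XML layout that applies the field semantics above: it decodes the hexadecimal Process ID for matching against Task Manager or 4688, flags an uncaptured all-zero Logon GUID, and notes when the credentials used belong to a different account or are used against a remote target server. The sample event, server name and SID are constructed.

```python
import xml.etree.ElementTree as ET

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

# Constructed 4648 event in Event Viewer's XML layout (SID, host and values are made up).
SAMPLE_4648 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="SubjectUserName">User1</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x31844</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetUserName">User2</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data>
    <Data Name="TargetServerName">fileserver.domain.local</Data>
    <Data Name="TargetInfo">fileserver.domain.local</Data>
    <Data Name="ProcessId">0x368</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>"""


def parse_4648(xml_text):
    """Map the <Data Name=...> entries to a dict and decode the fields the page calls out."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.find("{*}EventData")}
    # ProcessId is logged as hex; the decimal value is what Task Manager and 4688 show.
    ev["ProcessIdDecimal"] = int(ev["ProcessId"], 16)
    # An all-zero GUID means the value was not captured, so it cannot be used for correlation.
    ev["LogonGuidUsable"] = ev["LogonGuid"] != NULL_GUID
    ev["TargetLogonGuidUsable"] = ev["TargetLogonGuid"] != NULL_GUID
    return ev


def triage_4648(ev):
    """Return the observations a reviewer would note, following the field descriptions above."""
    notes = []
    if ev["TargetUserName"].lower() != ev["SubjectUserName"].lower():
        notes.append(f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']} used credentials of "
                     f"{ev['TargetDomainName']}\\{ev['TargetUserName']}")
    if ev["TargetServerName"].lower() != "localhost":
        notes.append(f"target server is remote: {ev['TargetServerName']}")
    if ev["IpAddress"] not in ("127.0.0.1", "::1"):
        notes.append(f"logon attempt originated from {ev['IpAddress']}:{ev['IpPort']}")
    if ev["IpPort"] == "0":
        notes.append("port 0: interactive logon")
    notes.append(f"correlate PID {ev['ProcessIdDecimal']} with 4688 and Logon ID "
                 f"{ev['SubjectLogonId']} with 4624")
    return notes
```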
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:Logon