Event ID: 4776

The computer attempted to validate the credentials for an account 

The computer attempted to validate the credentials for an account.

Authentication Package: %1
Logon Account:          %2
Source Workstation:     %3
Error Code:             %4


This event generates every time that a credential validation occurs using NTLM authentication.

This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.

It shows successful and unsuccessful credential validation attempts.

It shows only the computer name (Source Workstation) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not presented in this event.

If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to “0x0”.

The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.

For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged on” because it contains more details and is more informative.

This event also generates when a workstation unlock event occurs.

This event does not generate when a domain account logs on locally to a domain controller.

Auditing:     Conditional

It's recommended to always audit events in this sub category on member servers and workstations.


Volume:     Low Medium High

On member servers and workstation the volume of events is normally low, on domain controllers usually higher.


CJIS 5.4.1.1.1
ISO 27001:2013 A.12.4.1
NIST 800-171: 3.1.1
CMMC v2 L1: AC.L1-3.1.1
NIST SP 800-53: AC-2
PCI 3.2.1: 10.2.4
HIPAA: 164.308 (a)(5)(ii)(C)


Microsoft Documentation

Event ID - 4776



Name Field Insertion String OS Example
Authentication Package PackageName %1 Any MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account TargetUserName %2 Any UserName
Source Workstation Workstation %3 Any ComputerName
Error Code Status %4 Any View Codes

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Credential Validation"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Failure Audit Success CJIS ISO 27001:2013 PCI-DSS HIPAA NIST 800-171 NIST SP 800-53 CMMC L1
Audit Category:
Account Logon

Audit Subcategory:
Credential Validation
Legacy Events:
680 681

LEFT/RIGHT arrow keys for navigation

Back to List