Windows event id 4648

4648: A logon was attempted using explicit credentials

On this page

• Description of this event
• Field level details
• Examples

This is a useful event for tracking several different situations:

• A user connects to a server or runs a program locally using alternate credentials.  For instance a user maps a drive to a server but specifies a different user’s credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut, selecting Run as…, and then filling in a different user’s credentials in the dialog box that appears.  Or a user logs on to a web site using new specific credentials.  That is the case above in the example — Administrator was logged on to the local computer and then accessed a SharePoint server sp01.icemail.com as rsmith@mtg.com.
• This event is also logged when a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user. Logged on user: specifies the original user account.
• With User Account Control enabled, an end user runs a program requiring admin authority.  You will get this event where the process information is consent.exe.  Unfortunately Subject does not identify the end user.

Unfortunately this event is also logged in situations where it doesn’t seem necessary.  For instance logging on interactively to a member server (Win2008 RC1) with a domain account produces an instance of this event in addition to 2 instances of 4624.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in
4648

Subject:

This is the original account that started a process or connection using new credentials.  In this case Administrator was logged on to the local computer.

• Logon ID is a semi-unique (unique between reboots) number that identifies the logon session just initiated.  Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634. 

Account Whose Credentials Were Used:

These are the new credentials.  In this case Administrator then logged on as rsmith@mtg.com.

Target Server:

This is the server (in this case a Sharepoint server) Administrator logged on to as rsmith@mtg.com.  This section may be blank or indicate the local computer when starting another process on local computer. 

Process Information:

This is the process that initiates the connection or new process.  In this case it makes sense that it’s Internet Explorer since we’re accessing a Sharepoint site. The Process Name identifies the program executable that processed the logon.  This is one of the trusted logon processes identified by 4611. Process ID is the process ID specified when the executable started as logged in 4688. 

Network Information:

This is blank in many cases but in the case of Remote Desktop logons network address is filled in with the IP address of the client workstation.  Source port, while filled in, is not useful since most protocol source ports are random.

Readers help support Windows Report. We may get a commission if you buy through our links.

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Event ID 4648 isn’t an error, per se, as it’s the intended result of someone trying to enter a network server using different or new credentials. It’s supposed to block you from entering; that’s its purpose.

This Event ID is a problem because it’s a sign that someone has or is trying to hack into your computer. To help out, we’ll show you what you can do to address this problem and beef up security.

How can I protect my computer when Event ID 4648 appears?

1. Check event logs

1. Open the Windows Search bar and bring up Event Viewer.
   

   Картинка с сайта: windowsreport.com

2. Expand Windows Logs in the left-hand menu and select Security.
   

   Картинка с сайта: windowsreport.com

3. Scroll through the various logs and locate one with Event ID 4648. This guide doesn’t have that but let’s say it does as an example.
4. Once you locate a log with Event ID 4648, make note of the Account Name that attempted to log in
   

   Картинка с сайта: windowsreport.com

   .

This solution and the next one go hand in hand. The purpose of the first is to do a bit of threat hunting, or in other words, figure out who is trying to gain access.

2. Remove account credentials

1. Bring up the Control Panel and ensure the View By entry in the upper right corner is set to Large Icons.
2. Select User Accounts.
   

   Картинка с сайта: windowsreport.com

3. Click Manage your credential on the left-hand side.
   

   Картинка с сайта: windowsreport.com

4. Select Windows Credentials in the new window.
5. Expand the user account you don’t recognize or no longer want. In the dropdown, click Remove to get rid of that user.

This solution is meant to remove users from a network that you no longer want them to have access to. External people or bad actors require another approach.

3. Change your Wi-Fi password

1. Open up Control Panel and change the View By entry to Category.
2. Select Network and Internet, then Network and Sharing Center.
   

   Картинка с сайта: windowsreport.com

3. Click Change adapter settings.
   

   Картинка с сайта: windowsreport.com

4. Right-click your Wi-Fi connect, and in the context menu, select Status.
   

   Картинка с сайта: windowsreport.com

5. Click the Wireless Properties button then go to the Security tab in the following window.
6. Enter a new password in the Network security key entry. Click OK to finish.
   

   Картинка с сайта: windowsreport.com

4. Disable Remote Access

1. Open the Settings app, stay on the System tab, and scroll down to Remote Desktop.
   

   Картинка с сайта: windowsreport.com

2. In this new section, toggle the switch next to Remote Desktop in order to disable the feature.
3. To disable the feature, first, open the Registry Editor. Select Yes if the User Account Control asks if you want to make any changes.
4. Enter the following in the Registry Editor and press Enter: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
5. Double-click fDenyTSConnections to open it.
   

   Картинка с сайта: windowsreport.com

6. Set the value data to 1, then click OK to finish up.
   

   Картинка с сайта: windowsreport.com

You can also:

• Turn on your firewall. That is the easiest thing that you can do. Can’t turn on Windows Firewall? Check out these fixes and get things back to normal.
• Download the latest Windows update so your computer has the latest protections available. Microsoft consistently cracks them out.
• Limit the number of people who can access your network. The more people on the network, the higher the risk a bad actor will gain access.
• Move the Wi-Fi router to a different part of the house. If it is by a wall, someone from outside will have an easier time gaining access to your house network.

How can someone gain access to my Windows 11 computer?

A lot of the time, whenever people wonder how a hacker got into their machine, they usually think that person cracked open the computer’s tough defenses.

That’s certainly possible, but the more likely reason is that your computer’s or network’s own security is rather lacking.

• Your router’s firmware is out of date: Make sure to keep all of your systems up to date. Updating a router’s firmware requires you to connect it directly to your computer.
• Your router’s firewall is turned off: This is by far the worst gap you can have in your network’s security. Turn the firewall quickly, but be aware you have trouble accessing the router’s page.
• The computer is out of date: Every month, Microsoft has a Patch Tuesday where it rolls out a variety of fixes. We recommend staying up to date with those patches to protect your computer.
• You have too many people connected to the network: Not everyone will stay mindful of their device’s security. Perhaps you should clear out some users to keep things secure.

Event ID 4648 is just one of many different warning notices on Windows 11. There are two in particular that we want to shout out specifically. The first one is Event ID 157: Disk has been surprise removed.

This warning occurs when interrupts your computer’s communication with a disk and can render a virtual drive unusable. Fixing this may require you to tweak the computer’s registry a little.

The other one is Event ID 7000 which indicates some software services cannot start. We recommend either adjusting with the Group Policy Editor or restarting the offending service.

For fixes and logon errors, you can check our Navigating the Logon Balancing Error 88 in SAP GUI: Our step-by-step solutions guide.

Feel free to comment below if you have questions about other Event IDs. You can also leave comments about guides that you’d like to see or information on other errors.

Cesar has been writing for and about technology going on for 6 years when he first started writing tech articles for his university paper. Since then, his passion for technology blossomed into a prosperous writing career. He first started writing about tech in the entertainment world and would later move on to write about smart life tech and social media. He was recently a Technical Writer for tech company Extron where he wrote user guides for audio and video equipment.

He has since moved on to being a freelance writer looking to have a career in copywriting and hopes to share his love and knowledge of technology with the world. Recently, Cesar has written for the cryptocurrency news site, BTCPro and helping people understand tech.

Картинка с сайта: www.socinvestigation.com

This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks.

It is also a routine event that periodically occurs during normal operating system activity, what’s abnormal? Hunting specific processes at the timeline of the event ID 4648 provides more insights on adversaries. Please find the below cheatsheet.

Hunting with Event ID 4648:

• Event ID 4648 contains with the process name “C:\windows\System32\mstsc.exe” which is the indicator for user machine with outbound RDP connections detected. This can be mapped to T1076 of mitre and the active traces of lateral movement.
• Event message contains “*/TERMSRV/*” with the Event ID 4648 , Which is known to a RDP outbound connection from end user machine.Indicator for possible lateral movement detection.
• Process name “C:\Windows\System32\sc.exe” with the Event ID 4648 shows remote machine services are queried and executed.Indicator for Possible lateral movement detection. This can be mapped to mitre T1021/T1035.

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

• Threat actor persistence with new service account with alternate credentials were Event ID 4648 at the time of incident.This includes services running with specfic account other than local system or Network Service , I.E “Account Name” equals sshd_server & process_name equals services.exe , This can be mapped to mitre T1050.
• Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM) , Mostly it is called as RPC Calls , Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details. A procedure call is also sometimes known as a function call or a subroutine call.To detect such behaviours , Check for event messages contains Event ID 4648 contains with the event message contains “RPCSS/“. This can be mapped to mitre T1021/T1175.

The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activations requests, object exporter resolutions, and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly – Microsoft Says

Картинка с сайта: www.socinvestigation.com

• Detecting possible inbound RDP Connections , Event ID 4648 detected with Process name “Winlogon.exe” and Network address is not empty nor equal to loopback address and this is often associated with a remote interactive logon activity ( Logon Type equals 10 or 7 ) . This can be mapped to mitre T1076.

Also Read: FireEye’s Open-Source Tool – CAPA to Identify Malware Capabilities

• Possible windows admin shares access , Event ID 4648 with cmd commands I.E Net use x:\target/user:example\admin01 ( Outbound connections ) , and logon process ID “0x4” or 4 and target server name contains *Targetserver*PC01*processinfromation* , Where in this example PC01 start sting of endpoint naming conversions. This can be mapped to mitre T1077.

Картинка с сайта: www.socinvestigation.com

Also Read: Threat Hunting using DNS logs – Soc Incident Response Procedure

• Event ID 4648 contains with the process name “wmic.exe” , Indicator of lateral movement with Windows Management Instrumentation. This can be mapped to mitre T1047.

Happy Hunting