
Windows Event ID 4648 – Microsoft-Windows-Security-Auditing: Logon Attempted Using Explicit Credentials

Event ID 4648 fires when a user or process attempts authentication using explicit credentials different from their current logon session, commonly seen with RunAs, network authentication, or service account operations.

Emanuel DE ALMEIDA
18 March 2026 · 12 min read

What This Event Means

Event ID 4648 represents one of the most critical security audit events in Windows environments, providing detailed logging of explicit credential usage across the enterprise. When Windows processes authentication requests using credentials different from the current user session, this event captures comprehensive details including source and target accounts, authentication packages, and network information.

The event structure includes multiple fields that security analysts use for investigation: Subject fields identify the current user session, Target Server fields show where authentication was attempted, and Process Information reveals which application initiated the credential usage. This granular detail enables precise tracking of credential flows throughout the network.

In enterprise environments, 4648 events are essential for compliance frameworks like SOX, HIPAA, and PCI-DSS that require detailed audit trails of privileged access. The event fires on both successful and failed authentication attempts, though successful attempts are more commonly logged. Security Information and Event Management (SIEM) systems typically correlate 4648 events with other authentication events to build complete pictures of user activity and detect anomalous behavior patterns.

Modern threat detection relies heavily on 4648 analysis to identify lateral movement techniques used by advanced persistent threats. Attackers often use stolen credentials to access resources across the network, and these events provide the forensic evidence needed to trace their activities and assess the scope of compromise.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • RunAs command execution with alternate credentials
  • Network resource access using different credentials (net use, mapped drives)
  • Service account authentication and delegation
  • PowerShell Invoke-Command with -Credential parameter
  • Remote Desktop connections with explicit credentials
  • IIS application pool identity changes
  • Scheduled task execution with specified user accounts
  • Windows Management Instrumentation (WMI) remote operations
  • SQL Server integrated authentication with alternate credentials
  • Exchange server impersonation and delegation scenarios
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the event details to understand the credential usage context.

  1. Open Event Viewer > Windows Logs > Security
  2. Filter for Event ID 4648 using Filter Current Log
  3. Double-click the event to view detailed information
  4. Focus on these key fields:
    • Subject: Current user session details
    • Account Whose Credentials Were Used: Target account information
    • Target Server: Destination system or service
    • Process Information: Application that initiated the request
  5. Note the Logon Type field to understand the authentication method
  6. Check Network Information for source IP addresses in network scenarios
Pro tip: Logon Type 3 indicates network authentication, while Type 9 suggests NewCredentials logon used by RunAs.
02

PowerShell Analysis and Filtering

Use PowerShell to efficiently query and analyze 4648 events across multiple systems.

  1. Query recent 4648 events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  2. Filter by specific user account:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} | Where-Object {$_.Message -like "*username*"} | Format-Table TimeCreated, Message -Wrap
  3. Extract structured data from events:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} -MaxEvents 100
    foreach ($Event in $Events) {
        $XML = [xml]$Event.ToXml()
        $SubjectUserName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        $TargetUserName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        Write-Output "$($Event.TimeCreated): $SubjectUserName used credentials for $TargetUserName"
    }
  4. Export events for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} | Export-Csv -Path "C:\Temp\Event4648_Analysis.csv" -NoTypeInformation
03

Network-Wide Investigation Using WinRM

Investigate 4648 events across multiple systems to track credential usage patterns.

  1. Create a list of target computers:
    $Computers = @('Server01', 'Server02', 'Workstation01')
  2. Query events from multiple systems:
    $Results = Invoke-Command -ComputerName $Computers -ScriptBlock {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
    } | Select-Object PSComputerName, TimeCreated, Id, Message
  3. Analyze credential usage patterns:
    $Results | Group-Object PSComputerName | Select-Object Name, Count | Sort-Object Count -Descending
  4. Search for specific credential usage:
    $SuspiciousAccount = "admin_account"
    $Results | Where-Object {$_.Message -like "*$SuspiciousAccount*"} | Format-Table PSComputerName, TimeCreated, Message -Wrap
  5. Generate summary report:
    $Results | Export-Csv -Path "C:\Reports\Network_4648_Analysis_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Warning: Ensure WinRM is properly configured and you have appropriate permissions before running network-wide queries.
04

Advanced Correlation with Other Security Events

Correlate 4648 events with related authentication events for comprehensive analysis.

  1. Query correlated authentication events:
    $StartTime = (Get-Date).AddHours(-1)
    $EndTime = Get-Date
    $AuthEvents = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4624,4625,4648,4672
        StartTime=$StartTime
        EndTime=$EndTime
    } | Sort-Object TimeCreated
  2. Create correlation analysis:
    $CorrelatedEvents = @()
    foreach ($Event in $AuthEvents) {
        $XML = [xml]$Event.ToXml()
        $EventData = @{
            TimeCreated = $Event.TimeCreated
            EventId = $Event.Id
            Computer = $Event.MachineName
        }
        
        switch ($Event.Id) {
            4648 {
                $EventData.SubjectUser = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
                $EventData.TargetUser = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
                $EventData.EventType = "Explicit Credentials"
            }
            4624 {
                $EventData.TargetUser = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
                $EventData.LogonType = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'LogonType'}).'#text'
                $EventData.EventType = "Successful Logon"
            }
        }
        $CorrelatedEvents += New-Object PSObject -Property $EventData
    }
  3. Analyze privilege escalation patterns:
    $PrivilegeEvents = $CorrelatedEvents | Where-Object {$_.EventId -eq 4672 -or ($_.EventId -eq 4648 -and $_.TargetUser -like "*admin*")}
  4. Generate timeline analysis:
    $CorrelatedEvents | Sort-Object TimeCreated | Format-Table TimeCreated, EventId, EventType, SubjectUser, TargetUser -AutoSize
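
The fan-out pattern the article describes (one set of explicit credentials reaching several systems in a short time) can be tested directly once the 4648 EventData fields are parsed into objects. The block below is an added example, not code from the article: the XML template, hostnames and account names are constructed, and in production the input would be the `.ToXml()` strings of real 4648 events.

```powershell
# Added example, not code from the original article: parse 4648 EventData into
# objects, then flag accounts whose explicit credentials reach several distinct
# target servers inside a short window (the lateral-movement fan-out pattern).
# Field names are the real 4648 EventData names; the sample events are constructed.
function ConvertFrom-Event4648Xml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated  = [datetime]$doc.Event.System.TimeCreated.SystemTime
        SubjectUser  = $data['SubjectUserName']   # current session
        TargetUser   = $data['TargetUserName']    # credentials supplied explicitly
        TargetServer = $data['TargetServerName']  # where they were used
        Process      = $data['ProcessName']
        SourceIp     = $data['IpAddress']
    }
}

function Find-CredentialFanOut {
    param([object[]]$Events, [int]$WindowMinutes = 10, [int]$ServerThreshold = 3)
    foreach ($group in ($Events | Group-Object TargetUser)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        foreach ($first in $sorted) {
            # Sliding window anchored on each event for this account
            $end      = $first.TimeCreated.AddMinutes($WindowMinutes)
            $inWindow = $sorted | Where-Object { $_.TimeCreated -ge $first.TimeCreated -and $_.TimeCreated -le $end }
            $servers  = @($inWindow | ForEach-Object TargetServer | Sort-Object -Unique)
            if ($servers.Count -ge $ServerThreshold) {
                [pscustomobject]@{ TargetUser = $group.Name; WindowStart = $first.TimeCreated; Servers = ($servers -join ', ') }
                break   # one finding per account is enough for triage
            }
        }
    }
}

# Constructed sample (not real log data): svc_backup used from alice's session against
# three servers within four minutes, plus an unrelated RunAs by bob that must not be flagged.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4648</EventID><TimeCreated SystemTime="{0}"/></System><EventData><Data Name="SubjectUserName">{1}</Data><Data Name="TargetUserName">{2}</Data><Data Name="TargetServerName">{3}</Data><Data Name="ProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="IpAddress">-</Data></EventData></Event>'
$samples = @(
    ($tpl -f '2026-03-18T02:01:00Z', 'alice', 'svc_backup', 'srv01.corp.example'),
    ($tpl -f '2026-03-18T02:02:30Z', 'alice', 'svc_backup', 'srv02.corp.example'),
    ($tpl -f '2026-03-18T02:04:10Z', 'alice', 'svc_backup', 'srv03.corp.example'),
    ($tpl -f '2026-03-18T09:15:00Z', 'bob',   'bob_adm',    'localhost')
)
$parsed = $samples | ForEach-Object { ConvertFrom-Event4648Xml -Xml $_ }
Find-CredentialFanOut -Events $parsed | Format-List   # flags svc_backup only
```

Feed it the output of Method 03 by replacing `$samples` with `$Results | ForEach-Object { $_.ToXml() }`; tune `-WindowMinutes` and `-ServerThreshold` to the normal fan-out of your backup and management accounts before alerting on it.
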
05

Registry and Group Policy Investigation

Examine system configuration that affects 4648 event generation and audit policies.

  1. Check audit policy settings:
    auditpol /get /subcategory:"Logon"
  2. Verify security audit registry settings:
    # Registry provider paths need the drive colon (HKLM:\), otherwise PowerShell treats this as a file path
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" | Select-Object MaxSize, Retention
  3. Check Group Policy audit settings:
    gpresult /h C:\Temp\GPResult.html
    # Review Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  4. Examine LSA audit settings:
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" | Select-Object auditbaseobjects, fullprivilegeauditing
  5. Review event log configuration:
    wevtutil gl Security
  6. Configure enhanced auditing if needed:
    # Enable detailed logon auditing
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    # Enable credential validation auditing
    auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
Pro tip: Use auditpol /backup /file:C:\audit_backup.csv before making changes to preserve current settings.
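
To confirm that the subcategories behind 4648 collection (Logon, Credential Validation and Special Logon, as the FAQ recommends) are actually set to Success and Failure on a host, the following added check (not code from the article) reads auditpol's CSV report mode instead of scraping the human-readable output. It assumes an elevated session and an English locale, since auditpol localizes its setting names.

```powershell
# Added example, not from the original article: report whether the audit
# subcategories that feed 4648 collection are set to "Success and Failure".
# Assumes an elevated session and an English locale (auditpol /r output is localized).
function Test-Event4648AuditPolicy {
    param(
        [string[]]$Subcategories = @('Logon', 'Credential Validation', 'Special Logon'),
        [string]$Required = 'Success and Failure'
    )
    foreach ($sub in $Subcategories) {
        # /r returns CSV with columns: Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting
        $arg  = "/subcategory:$sub"
        $rows = auditpol /get $arg /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
        $setting = if ($rows) { ($rows | Select-Object -First 1).'Inclusion Setting' } else { 'Unknown' }
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $setting
            Compliant   = ($setting -eq $Required)
        }
    }
}
Test-Event4648AuditPolicy | Format-Table -AutoSize
```

Run it with `Invoke-Command -ComputerName $Computers` (as in Method 03) to spot hosts where 4648 events are silently not being generated.
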

Overview

Event ID 4648 is a security audit event that fires whenever a user or process attempts to authenticate using explicit credentials that differ from their current logon session. This event is fundamental to Windows security monitoring and appears in the Security log when operations like RunAs commands, network resource access with alternate credentials, or service account authentication occur.

Unlike standard authentication events, 4648 specifically tracks credential delegation scenarios where users provide different credentials than their current session. This makes it invaluable for detecting lateral movement, privilege escalation attempts, and legitimate administrative activities. The event captures both the source account (current session) and target account (explicit credentials), providing complete audit trails for credential usage.

Windows generates this event on both domain controllers and member systems, making it a cornerstone of enterprise security monitoring. Security teams rely on 4648 events to track administrative activities, detect unauthorized credential usage, and investigate potential security incidents involving credential theft or misuse.

Frequently Asked Questions

What does Event ID 4648 mean and when does it occur?

Event ID 4648 indicates that a logon was attempted using explicit credentials different from the current user session. This occurs when users run commands with RunAs, access network resources with alternate credentials, or when services authenticate using specified accounts. The event captures both the current user context and the credentials being used, making it essential for tracking credential delegation and potential privilege escalation activities.

How can I distinguish between legitimate and suspicious 4648 events?

Legitimate 4648 events typically show consistent patterns: administrative users using RunAs for elevated tasks, service accounts authenticating during scheduled operations, or users accessing network resources with proper credentials. Suspicious indicators include: unusual timing (off-hours activity), unfamiliar source systems, service accounts used interactively, or high-privilege accounts accessed from unexpected locations. Correlate with 4624/4625 events and examine the process information field to understand the context.

Why am I seeing multiple 4648 events for the same operation?

Multiple 4648 events for a single operation are normal and occur because Windows logs each authentication step separately. For example, accessing a network share might generate events for: initial credential validation, Kerberos ticket requests, and resource access. Each service or authentication provider may log separately. Additionally, some applications perform multiple authentication attempts or use different authentication methods, each generating its own 4648 event.

Can Event ID 4648 help detect lateral movement attacks?

Yes, 4648 events are crucial for detecting lateral movement. Attackers using stolen credentials to access multiple systems will generate 4648 events showing the compromised account accessing various resources. Look for patterns like: the same account accessing multiple systems in short timeframes, service accounts used for interactive logons, or administrative accounts accessing systems they don't normally manage. Correlate with network traffic and other authentication events to build a complete attack timeline.

How should I configure audit policies to optimize 4648 event collection?

Enable 'Audit Logon' and 'Audit Account Logon' policies to capture 4648 events effectively. Use Group Policy to configure 'Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon > Audit Credential Validation' and 'Logon/Logoff > Audit Logon' for both success and failure. Consider enabling 'Audit Special Logon' to track administrative credential usage. Balance security monitoring needs with log volume: in high-activity environments, you may need larger Security log sizes or faster log rotation to prevent event loss.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
