Channel: Security.
Events: 4648, 4624 (LogonType 9).
Events: 4648, 4624 (LogonType 9).
Overview
| Channel | Conditions | Events |
|---|---|---|
Security |
Default configuration. Only logged whenever alternate credentials are used. |
Event 4648: A logon was attempted using explicit credentials. Legacy: Events 552: Logon attempt using explicit credentials. |
Security |
Default configuration. Only logged for runas /NetOnly (and similar) process execution. |
Event 4624: An account was successfully logged on, with LogonType 9 and the specified alternate credentials as Network Account Domain and Network Account Name. |
Security Event ID 4648
Windows Security Log Event ID
4648: A logon was attempted using explicit credentials.
Includes information about the target server:
Target Server Name (hostname or IP) and Additional Information of the
service requested.
The TargetServerName and TargetInfo fields can reference information about
the remote server and service (such as TargetInfo set to TERMSRV/<HOSTNAME>
for outgoing RDP).
View on GitHub