This is the process that initiates the connection or new process. This section may be blank or indicate the local computer when starting another process on local computer. User0001 logged on to as admin_super which is a local administrator.
This is a PC named (in the same domain IMPACT). In this case IMPACT\User0001 logged on as admin_super Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634. Logon ID is a semi-unique (unique between reboots) number that identifies the logon session just initiated.He tried to reach the D drive on an another user PC using the following command: \\ PC00000101\d$ where d$ is D drive of computer PC00000101 In this case user IMPACT\User0001 was logged on the computer PC00000101 in the same domain from his computer PC00000010 and using Admin’s username and password. This is the original account that started a process or connection using new credentials. READ ALSO - What are the different Windows Logon Type Unfortunately Subject does not identify the end user.
You will get this event where the process information is consent.exe.
With User Account Control enabled, an end user runs a program requiring admin authority. Logged on user: specifies the original user account.
This event is also logged when a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user. Or a user logs on to a web site using new specific credentials. For instance a user maps a drive to a server but specifies a different user’s credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut, selecting Run as…, and then filling in a different user’s credentials in the dialog box that appears. Description of windows event 4648Ī user connects to a server, PC or runs a program locally using alternate credentials. In our article today we are going to explain WindowsEvent 4648 – A logon was attempted using explicit credentials and the description of fields.