Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logon->EventID 4648 - A logon was attempted using explicit credentials.
EventID 4648 - A logon was attempted using explicit credentials.
Indicates that a user who is already logged on successfully created another logon session with different user's credentials.

Find more information about this event on ultimatewindowssecurity.com.

    Corresponding events on other OS versions:

    Windows 2003


    Related events:

    In order to find out the name of the program that attempted the logon look earlier
    in the log for the following event with the same Process ID as in Caller Process ID field:
     Sample: 
    A logon was attempted using explicit credentials.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		IIZHU6$
	Account Domain:		ITSS
	Logon ID:		0x3e7
	Logon GUID:		{D4918F83-5B5E-BB75-AC3F-4378D116CAEA}

Account Whose Credentials Were Used:
	Account Name:		igor.ilyin
	Account Domain:		ITSS
	Logon GUID:		{834EC459-3CEB-FFAC-3BDE-5C50389272A5}

Target Server:
	Target Server Name:	localhost
	Additional Information:	localhost

Process Information:
	Process ID:		0x4f0
	Process Name:		C:\Windows\System32\svchost.exe

Network Information:
	Network Address:	10.154.14.26
	Port:			0

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
===========================
Description template stored in adtschema.dll:
===========================
A logon was attempted using explicit credentials.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4
	Logon GUID:		%5

Account Whose Credentials Were Used:
	Account Name:		%6
	Account Domain:		%7
	Logon GUID:		%8

Target Server:
	Target Server Name:	%9
	Additional Information:	%10

Process Information:
	Process ID:		%11
	Process Name:		%12

Network Information:
	Network Address:	%13
	Port:			%14

This event is generated when a process attempts to log on an account by explicitly specifying that account s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
    Log Type: Windows Event Log
     Uniquely Identified By:
    Log Name: Security
    Filtering Field Equals to Value
    OSVersion Windows Vista (2008)
    Windows 7 (2008 R2)
    Windows 8 (2012)
    Windows 8.1 (2012 R2)
    Windows 10 (2016)
    Category Logon/Logoff
    Source Microsoft-Windows-Security-Auditing
    TaskCategory Logon
    EventId 4648
    Field Matching
    FieldDescriptionStored inSample Value
    DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
    Source Name of an Application or System Service originating the event. Source Security
    Type Warning, Information, Error, Success, Failure, etc. Type Success
    User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
    Computer Name of server workstation where event was logged. Computer DC1
    EventID Numerical ID of event. Unique within one Event Source. EventId 576
    Description The entire unparsed event message. Description Special privileges assigned to new logon.
    Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
    Task Category A name for a subclass of events within the same Event Source. TaskCategory
    Level Warning, Information, Error, etc. Level
    Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
    Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
    Object Name -
    Whom InsertionString6
    Object Type -
    Class Name -
    Security ID -
    Account Name -
    Account Domain -
    Subject: Security ID InsertionString1 S-1-5-18
    Subject: Account Name InsertionString2 DCC1$
    Subject: Account Domain InsertionString3 LOGISTICS
    Subject: Logon ID InsertionString4 0x3e7
    Subject: Logon GUID InsertionString5 {00000000-0000-0000-0000-000000000000}
    Account Whose Credentials Were Used: Account Name InsertionString6 SYSTEM
    Account Whose Credentials Were Used: Account Domain InsertionString7 NT AUTHORITY
    Account Whose Credentials Were Used: Logon GUID InsertionString8 {00000000-0000-0000-0000-000000000000}
    Target Server: Target Server Name InsertionString9 localhost
    Target Server: Additional Information InsertionString10 localhost
    Process Information: Process ID InsertionString11 0x22c
    Process Information: Process Name InsertionString12 C:\Windows\System32\services.exe
    Network Information: Network Address InsertionString13 -
    Network Information: Port InsertionString14 -
    Comments
    You must be logged in to comment