Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 552 - Logon attempt using explicit credentials [Win 2003]
EventID 552 - Logon attempt using explicit credentials [Win 2003]
Indicates that a user who is already logged on successfully created another logon session with different user's credentials.

Note:
This event is not logged on Windows 2000 systems.
Typically, this occurs when the user runs the RUNAS command and specifies a different set of credentials

The Logged on user fields specify the user's original credentials.
The Caller Process ID field specifies the process that made the logon request with the new credentials.
The Source Network Address and Source Port fields specify the source IP address and source port number for the remote computer that sent the logon request, if applicable.


Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:



Windows XP Windows 2008


Related events:


In order to find out the name of the program that attempted the logon look earlier in the log for the following event with the same Process ID as in Caller Process ID field:
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Logon/Logoff
        Event ID:       552
        Date:           11/2/2009
        Time:           05:47:29
        User:           RESEARCH\CBrown
        Computer:       DC1
        Description:
        Logon attempt using explicit credentials:
        Logged on user:
        User Name:	CBrown
        Domain:		RESEARCH
        Logon ID:		(0x0,0x697DC)
        Logon GUID:	{dfeb6291-cc82-e563-8c57-a370dbf729a4}
        User whose credentials were used:
        Target User Name:	Paul
        Target Domain:	RESEARCH
        Target Logon GUID: {f6956476-dd7a-df4a-1006-c2026f6e3cc3}

        Target Server Name:	localhost
        Target Server Info:	localhost
        Caller Process ID:	884
        Source Network Address:	-
        Source Port:	-
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Source Security
Category Logon/Logoff
EventId 552
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Domain Domain of the account for which logon is requested. InsertionString2 RESEARCH
User Name The account name of the logged on user InsertionString1 CBrown
Logon ID ID of the logon session of the logged on user. Useful for tracking other user activity within the same logon session. InsertionString3 (0x0,0x697DC)
Logon GUID A globally unique identifier of the logon. For logons that use Kerberos, the logon GUID can be used to associate a logon event on the computer where the logon was initiated with an account logon message on an authenticating computer, such as a domain controller. InsertionString4 {dfeb6291-cc82-e563-8c57-a370dbf729a4}
Target User Name Account name of the user whose credentials were used InsertionString5 Paul
Target Domain Domain of the user whose credentials were used InsertionString6 RESEARCH
Target Logon GUID Globally unique ID of the logon of the user whose credentials were used. Useful for correlating logon events on client computer and domain controller. InsertionString7 {f6956476-dd7a-df4a-1006-c2026f6e3cc3}
Target Server Name The value of this field is always "localhost". InsertionString8 localhost
Target Server Info The value of this field is always "localhost". InsertionString9 localhost
Caller Process ID ID of the process initiating the logon request InsertionString10 884
Source Network Address The IP address of the remote computer that originated the logon request InsertionString11 -
Source Port The source TCP port of the remote computer that originated the logon request InsertionString12 -
Comments
You must be logged in to comment