Event Details
EventID 4648 - A logon was attempted using explicit credentials.
 Sample:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/27/2009 9:53:43 PM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A logon was attempted using explicit credentials.
Subject:
	Security ID:		S-1-5-18
	Account Name:		DCC1$
	Account Domain:		LOGISTICS
	Logon ID:		0x3e7
	Logon GUID:		{00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
	Account Name:		SYSTEM
	Account Domain:		NT AUTHORITY
	Logon GUID:		{00000000-0000-0000-0000-000000000000}
Target Server:
	Target Server Name:	localhost
	Additional Information:	localhost
Process Information:
	Process ID:		0x22c
	Process Name:		C:\Windows\System32\services.exe
Network Information:
	Network Address:	-
	Port:			-
This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows Vista (2008), Windows 7 (2008 R2), Windows 8 (2012), Windows 8.1 (2012 R2), Windows 10 (2016)
Category | Logon/Logoff
Source | Microsoft-Windows-Security-Auditing
TaskCategory | Logon
EventId | 4648
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00
Who | Account or user name under which the activity occurred. | Subject: Account Name | DCC1$
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Logon with explicit credentials" | Logon with explicit credentials
Where | The name of the workstation/server where the activity was logged. | Computer | DC1
Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10
Severity | Specify the seriousness of the event. | "Medium" | Medium
WhoDomain |  | Subject: Account Domain | LOGISTICS
WhereDomain |  | - |
Result | Successful or Failed. | "Successful" | Successful
Failure Reason |  | "Successful" | Successful
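The field matching above, applied to the rendered event text, as an added example that is not part of the original page or of any vendor tool. The function names, the use of the Date header for When, and the extra CredentialsUsed and Process keys are assumptions made here; the input is the page's sample event, trimmed.

```python
import re

# Constructed input: the sample 4648 event from this page, trimmed to the fields used.
SAMPLE = """\
Date:          10/27/2009 9:53:43 PM
Computer:      dcc1.Logistics.corp
A logon was attempted using explicit credentials.
Subject:
\tAccount Name:\t\tDCC1$
\tAccount Domain:\t\tLOGISTICS
Account Whose Credentials Were Used:
\tAccount Name:\t\tSYSTEM
\tAccount Domain:\t\tNT AUTHORITY
Process Information:
\tProcess Name:\t\tC:\\Windows\\System32\\services.exe
"""

def parse_event(text):
    """Return {section: {key: value}}; unindented header lines go to section ''."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)  # split on the first colon only
        if not m:
            continue                        # free text, e.g. the description sentence
        key, value = m.group(1).strip(), m.group(2).strip()
        if line[:1] in (" ", "\t"):
            sections[current][key] = value  # indented: belongs to the open section
        elif value == "":
            current = key                   # "Subject:" opens a new section
            sections.setdefault(current, {})
        else:
            sections[""][key] = value
    return sections

def normalize(text):
    """Apply the Field Matching table to one 4648 event (hypothetical helper)."""
    ev = parse_event(text)
    subject = ev.get("Subject", {})
    used = ev.get("Account Whose Credentials Were Used", {})
    return {
        "When": ev[""].get("Date"),
        "Who": subject.get("Account Name"),
        "WhoDomain": subject.get("Account Domain"),
        "What": "Logon with explicit credentials",
        "Where": ev[""].get("Computer"),
        "Severity": "Medium", "Result": "Successful",
        # Not in the table (assumption): the account actually used and the process.
        "CredentialsUsed": "{}\\{}".format(used.get("Account Domain"), used.get("Account Name")),
        "Process": ev.get("Process Information", {}).get("Process Name"),
    }
```

Both sections carry an "Account Name" key, so the parser has to track the section a line belongs to; a flat key/value split would let the second account overwrite the first.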