DgmVig
Guest
As per Microsoft docs, 4648 stands for
"This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
I am checking through event logs for identifying a security breach, and a 4648 event log is as follows.

A logon was attempted using explicit credentials.

Subject:
    Security ID: SYSTEM
    Account Name: 1234-PC$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name: Administrator
    Account Domain: 5678-PC
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: localhost
    Additional Information: localhost

Process Information:
    Process ID: 0x1e0f4
    Process Name: C:\Windows\System32\winlogon.exe

Network Information:
    Network Address: 12.34.56.78
    Port: 12345
What does "Network Information" in the log stand for? The documentation was not clear to me, and 12.34.56.78 is certainly another machine on the network.
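An added triage example (my own code, not from the question above and not Microsoft's): it parses the message text of a 4648 event of the shape quoted in the question into its sections and applies three defender-side checks. In Microsoft's field reference for 4648, "Network Address" is the IP address of the machine from which the logon attempt was performed and "Port" the source port it used; for a purely local RUNAS these fields show "-" or a loopback address. The first check therefore classifies that address as local, private or public; the second compares the domain of the credentials used with the subject's own host and domain; the third flags use of a built-in Administrator account. The two sample records, their hostnames, addresses and the "local runas" case are constructed for the example and are not captured data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample modelled on the event quoted in the question (not a real capture).
SAMPLE_4648 = r"""A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: 1234-PC$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: 5678-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1e0f4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: 12.34.56.78
Port: 12345
"""

# Constructed sample of a local "runas" by an interactive user (hypothetical values).
SAMPLE_LOCAL_4648 = r"""A logon was attempted using explicit credentials.
Subject:
Security ID: 1234-PC\alice
Account Name: alice
Account Domain: 1234-PC
Logon ID: 0x5A3C1
Account Whose Credentials Were Used:
Account Name: alice-admin
Account Domain: 1234-PC
Target Server:
Target Server Name: localhost
Process Information:
Process ID: 0x1a2c
Process Name: C:\Windows\System32\runas.exe
Network Information:
Network Address: ::1
Port: 0
"""

# Values Windows writes into Network Address when no remote source is involved.
LOCAL_MARKERS = {"", "-", "::1", "127.0.0.1"}


def parse_4648(text: str) -> dict[str, dict[str, str]]:
    """Split the event message into {section: {field: value}}.

    A line that is only 'Name:' opens a section; 'Key: Value' lines belong to
    the current section. Splitting on the first ':' keeps Windows paths intact.
    """
    sections: dict[str, dict[str, str]] = {"_header": {}}
    current = "_header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line.count(":") == 1:
            current = line[:-1]
            sections.setdefault(current, {})
        elif ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
        else:
            sections[current].setdefault("_text", line)  # the leading sentence
    return sections


def classify_network_address(addr: str) -> str:
    """Return 'local', 'private', 'public' or 'unknown' for a Network Address value."""
    if addr in LOCAL_MARKERS:
        return "local"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    return "private" if ip.is_private else "public"


@dataclass
class Finding:
    rule: str
    detail: str


def triage_4648(text: str) -> list[Finding]:
    """Apply three review checks to one 4648 event and return what they flagged."""
    ev = parse_4648(text)
    subject = ev.get("Subject", {})
    creds = ev.get("Account Whose Credentials Were Used", {})
    net = ev.get("Network Information", {})
    findings: list[Finding] = []

    # 1. Credentials supplied from a machine other than the one logging the event.
    addr = net.get("Network Address", "-")
    origin = classify_network_address(addr)
    if origin != "local":
        findings.append(Finding("remote-source",
                                f"explicit credentials supplied from {addr}:{net.get('Port', '?')} "
                                f"({origin} address)"))

    # 2. Credentials belong to a domain/host that is neither the subject's host
    #    (computer accounts end in '$') nor the subject's own domain.
    own_scopes = {subject.get("Account Domain", "").upper()}
    name = subject.get("Account Name", "")
    if name.endswith("$"):
        own_scopes.add(name[:-1].upper())
    cred_domain = creds.get("Account Domain", "").upper()
    if cred_domain and cred_domain not in own_scopes:
        findings.append(Finding("foreign-account-domain",
                                f"credentials for {cred_domain}\\{creds.get('Account Name', '?')} "
                                f"used on a {'/'.join(sorted(own_scopes))} host"))

    # 3. Built-in Administrator account used with explicit credentials.
    if creds.get("Account Name", "").lower() == "administrator":
        findings.append(Finding("privileged-account", "explicit use of the Administrator account"))
    return findings


if __name__ == "__main__":
    for label, sample in (("question", SAMPLE_4648), ("local runas", SAMPLE_LOCAL_4648)):
        print(label, [f"{f.rule}: {f.detail}" for f in triage_4648(sample)])
```

Run against the event from the question all three rules fire, because the address is a public one, the credentials are for a local account of 5678-PC used on 1234-PC, and the account is Administrator; the constructed local runas record produces no findings. The checks are deliberately simple so they can be read as a statement of what each field is being compared against; in practice the same logic would be fed from the XML rendering of the event rather than the message text.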