How to grab credentials given when user clicks on run as different user?

Yashwanth Lokam 51 Reputation points
2022-09-28T13:41:46.343+00:00

I have seen that when we click on Run as administrator, the credential provider gets an event with CPUS_CREDUI. I want to know why, when we click on Run as different user, we aren't getting an event for the credential provider. Is there any way to grab the credentials given by the user when they click on Run as different user?

Thank you in advance


Accepted answer
  1. Limitless Technology 44,121 Reputation points
    2022-09-29T07:21:22.047+00:00

    Hello there,

    The simplest way would be to capture the 4648(S) Event ID and trace the credentials that were being used when this Event ID is triggered.

    This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.

    4648(S): A logon was attempted using explicit credentials. https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648

    This event is also logged when a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.

    ---------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

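One way to do what the accepted answer describes, as an added example that is not code from the original thread: a PowerShell function that reads 4648 events from the local Security log and pulls out the fields that identify who launched which process as which account. Note that 4648 records account names, the target host and the launching process; it does not contain the password that was typed. The 24-hour default window and the noise filters at the end are assumptions.

```powershell
# Added example (not from the thread): list 4648 "logon attempted using explicit
# credentials" events and show who launched which process as which account.
# Run from an elevated prompt; the Security log is readable by administrators only.
# The event carries account names, target host and process name, never the password.

function Get-ExplicitLogonEvents {
    param(
        [int]$Hours = 24   # assumed default look-back window
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4648
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData fields are addressed by name through the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time          = $_.TimeCreated
            CallerUser    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            CallerLogonId = $data.SubjectLogonId
            TargetUser    = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            TargetServer  = $data.TargetServerName
            Process       = $data.ProcessName
            ProcessId     = $data.ProcessId
            SourceIp      = $data.IpAddress
        }
    } |
    Where-Object {
        # Assumed noise filters: drop machine accounts (names ending in '$')
        # and a user re-authenticating as the same account.
        $_.CallerUser -notlike '*$' -and
        $_.CallerUser -ne $_.TargetUser
    }
}

# For an interactive "Run as different user" launch, CallerUser is the account of the
# desktop session and TargetUser is the account typed into the credential prompt.
Get-ExplicitLogonEvents -Hours 24 | Format-Table Time, CallerUser, TargetUser, Process -AutoSize
```

Forward the same events to a SIEM if you need them off-host; the fields above are the ones worth keying a detection rule on.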

1 additional answer

  1. Yashwanth Lokam 51 Reputation points
    2022-09-29T11:28:30.337+00:00

    How to capture the event and trace the values?