Logon Event (Event ID 4648). Events only log during a successful Remote Desktop connection into the computer.

Anonymous
2024-08-02T15:20:19+00:00

We have a computer that isn't allowed to be connected to the internet, but we have it set up so that we can remote into it to work on it. It is not connected to our domain at all but is still throwing this logon error despite no one trying to log in with this username.

Here is an image with the event viewer and how much it logs and how consistently: https://i.imgur.com/oRG3I5A.png

Things I have looked at

  • Not connected to work domain
  • Not a current user that is allowed locally or even exists locally
  • Doesn't show anywhere in the Registry
  • Can't find any files relating to or calling for the account credentials to attempt a login.
  • No Task Scheduled using this username

A logon was attempted using explicit credentials.

Subject:
	Security ID:		PCName\hoursmain
	Account Name:		hoursmain
	Account Domain:		PCName
	Logon ID:		0xD44BE
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
	Account Name:		jeffd
	Account Domain:		PCName
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Target Server:
	Target Server Name:	xxxx
	Additional Information:	xxxx

Process Information:
	Process ID:		0x4
	Process Name:		

Network Information:
	Network Address:	192.168.1.205
	Port:			445

This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

***moved from Windows / Windows 10 / Security and privacy***

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services

Locked question, migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.

1 answer
  1. Anonymous
    2024-08-05T17:00:58+00:00

    Hello,

    According to the log information you provided, port 445 is enabled, which indicates that the login may be related to SMB (Server Message Block). Does the remote host have a network drive or other shared resources? When resources are shared, there may be users using "jeffd" credentials to access them. Check any mapped drives or network resources that may be using these credentials.

    At the same time, you can use debugging tools, such as Process Monitor, to monitor system activity and look for behaviors that may be causing the event. If you determine that the process using these credentials is unauthorized, it cannot be ruled out that this is a malicious act of unauthorized access. Do a full system scan with updated antivirus software and consider resetting your password.

    Reference: SMB sharing not accessible when TCP port 445 listening in Windows Server - Windows Server | Microsoft Learn

    The screenshot you provided seems to have expired. If the issue persists, please provide the screenshot again so that we can accurately analyze the cause of the problem. Be careful to block out personal private information when uploading.

    I hope this helps.

    Best regards

    Jacen

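A triage script for the event posted above, added here as an example; it is not code from the original poster or from the answer. It assumes an elevated PowerShell session on the affected machine (reading the Security log needs administrator rights), and it takes the user name jeffd and the address 192.168.1.205 from the posted event only as parameter defaults. It collects every 4648 in a time window, groups them by account, process and target and measures the interval between them (a steady cadence points at a timer rather than a person at a keyboard), then checks the usual places a stored credential is replayed from: Credential Manager, SMB mappings, scheduled tasks and services. Process ID 0x4 is the System process, and with an empty process name it means the request came from a kernel-mode component; together with port 445 that is consistent with the SMB client reconnecting to a share with saved credentials, which is the mapped-drive case the answer points at.

```powershell
<#
  Added triage script for the 4648 events in this thread; not code from the
  original poster or the answer. Assumptions: elevated PowerShell 5.1+ on the
  affected machine, and 'jeffd' / 192.168.1.205 taken from the posted event
  only as defaults for the parameters below.
#>
param(
    [int]   $Hours       = 24,
    [string]$SuspectUser = 'jeffd',
    [string]$SuspectHost = '192.168.1.205'
)

# 1. Pull 4648 events and flatten the XML EventData into one object per event.
function Get-ExplicitLogonEvents {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 4648; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.'#text' }
        # ProcessId is logged as a hex string; 0x4 is the System process (kernel)
        $procId = if ($d.ProcessId) { [Convert]::ToInt32($d.ProcessId, 16) } else { $null }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Subject      = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            TargetUser   = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            TargetServer = $d.TargetServerName
            ProcessId    = $procId
            ProcessName  = $d.ProcessName
            IpAddress    = $d.IpAddress
            IpPort       = $d.IpPort
        }
    }
}

# 2. Group by account / process / target and measure cadence: a near-constant
#    gap between events points at a timer (task, service retry, drive reconnect).
function Get-ExplicitLogonSummary {
    param([object[]]$Events)
    $Events | Group-Object TargetUser, ProcessName, IpAddress, IpPort | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $median = $null
        if ($gaps.Count) { $median = [math]::Round((@($gaps | Sort-Object))[[int][math]::Floor($gaps.Count / 2)]) }
        [pscustomobject]@{
            Count        = $_.Count
            Key          = $_.Name
            First        = $times[0]
            Last         = $times[-1]
            MedianGapSec = $median
        }
    } | Sort-Object Count -Descending
}

# 3. Places on this machine where stored credentials for $User could be replayed.
function Find-StoredCredentialSources {
    param([string]$User, [string]$Server)
    $hits = New-Object System.Collections.Generic.List[string]

    if (Get-LocalUser -Name $User -ErrorAction SilentlyContinue) { $hits.Add("Local account '$User' exists") }

    # Credential Manager (cmdkey has no object output; inspect its 'User:' lines)
    foreach ($line in @(cmdkey /list 2>$null)) {
        if ($line -match 'User:' -and $line -match [regex]::Escape($User)) { $hits.Add("Credential Manager: $($line.Trim())") }
    }

    # Mapped drives / persistent SMB connections (the posted event points at port 445)
    Get-SmbMapping -ErrorAction SilentlyContinue | Where-Object { $_.RemotePath -like "*$Server*" } |
        ForEach-Object { $hits.Add("SMB mapping: $($_.LocalPath) -> $($_.RemotePath) [$($_.Status)]") }

    # Scheduled tasks and services configured to run as that account
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.Principal.UserId -like "*$User*" } |
        ForEach-Object { $hits.Add("Scheduled task: $($_.TaskPath)$($_.TaskName) runs as $($_.Principal.UserId)") }
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue | Where-Object { $_.StartName -like "*$User*" } |
        ForEach-Object { $hits.Add("Service: $($_.Name) logs on as $($_.StartName)") }

    return $hits
}

$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-ExplicitLogonEvents -StartTime $since)
"{0} explicit-credential logons (4648) in the last {1} h" -f $events.Count, $Hours
Get-ExplicitLogonSummary -Events $events | Format-Table -AutoSize

$suspect = @($events | Where-Object { $_.TargetUser -like "*\$SuspectUser" })
if ($suspect.Count) {
    "Events that used the credentials of $SuspectUser (PID 4 with an empty process name is a kernel-mode caller):"
    $suspect | Select-Object Time, Subject, ProcessId, ProcessName, IpAddress, IpPort | Format-Table -AutoSize
}

"Possible sources of stored '$SuspectUser' credentials on this machine:"
$sources = @(Find-StoredCredentialSources -User $SuspectUser -Server $SuspectHost)
if ($sources.Count) { $sources } else { "  none found by these checks; next step is Process Monitor filtered on the PID and target address above" }
```

Run it as `.\Triage-4648.ps1 -Hours 48` from an elevated prompt (the file name is an assumption). If the summary shows one group with a steady MedianGapSec and the credential checks come back empty, the remaining candidates are things the script does not enumerate, such as a Group Policy drive map or a third-party agent, which is where the Process Monitor filter on PID and destination address from the answer comes in.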