Failure events for 4648
Posted 2/16/2010 10:27:11 AM
Forum Newbie


Group: Forum Members
Last Login: 2/16/2010 10:14:30 AM
Posts: 3, Visits: 0
Hi, I am looking for the failure events for 4638 events (RunAs). Any ideas where this lives in 2008?

Thanks

Mark

Post #309
Posted 2/16/2010 10:28:14 AM
Forum Newbie


Group: Forum Members
Last Login: 2/16/2010 10:14:30 AM
Posts: 3, Visits: 0
Sorry, make that 4648.
Post #310
Posted 2/17/2010 9:08:42 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Look for failed 4625. My testing indicates that Windows does not log failed 4668. If anyone produces one, please send me a copy of the event and the steps to recreate.
Post #312
Posted 9/7/2010 9:03:55 PM
Forum Newbie


Group: Forum Members
Last Login: 9/7/2010 7:57:02 PM
Posts: 1, Visits: 0
Source: Microsoft-Windows-Security-Auditing
Date: 8/9/2010 6:37:13 PM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: Computer_name
Description:
A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: Computer_Name$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x2e8
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.


This is a copy of a Security Event Log entry from my laptop (I changed only the original name of the computer to Computer_Name, and the Account Name, which appears as the computer name too, to Computer_Name). Can you post an explanation of Event ID 4648?
Post #462
Posted 9/8/2010 5:20:38 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
We are looking for a failed version of this event. Your example is a successful
Post #463
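
Added example, not written by any poster in this thread: a Python parser for rendered event text like the 4648 record posted above. It keeps the "Subject" and "Account Whose Credentials Were Used" sections apart (both contain an "Account Name" field) and reports from the Keywords field whether a record is an audit success or failure. The sample is constructed from the posted event, the function names are hypothetical, and the `Audit Failure` keyword value it compares against is an assumption not shown on this page.

```python
import re

# Constructed sample: the rendered 4648 event text posted in this thread,
# trimmed to the fields used below.
SAMPLE = r"""Event ID: 4648
Keywords: Audit Success
Description:
A logon was attempted using explicit credentials.

Subject:
Account Name: Computer_Name$
Account Domain: WORKGROUP

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY

Target Server:
Target Server Name: localhost

Process Information:
Process Name: C:\Windows\System32\services.exe
"""

def parse_event(text):
    """Parse rendered event text into {section: {field: value}}."""
    event, section = {"Header": {}}, "Header"
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"[^:]+:", line):      # "Subject:" opens a new section
            section = line[:-1]
            event.setdefault(section, {})
        elif ": " in line:                      # "Name: value"; split only once
            name, value = line.split(": ", 1)   # value may itself contain ':'
            event[section][name.strip()] = value.strip()
    return event

def summarize(event):
    """Return the fields to compare when triaging an explicit-credential logon."""
    hdr = event["Header"]
    used = event.get("Account Whose Credentials Were Used", {})
    return {
        "event_id": int(hdr["Event ID"]),
        "audit_failure": hdr.get("Keywords") == "Audit Failure",  # assumed value
        "caller": event.get("Subject", {}).get("Account Name"),
        "credentials_used": f'{used.get("Account Domain")}\\{used.get("Account Name")}',
        "target": event.get("Target Server", {}).get("Target Server Name"),
        "process": event.get("Process Information", {}).get("Process Name"),
    }
```
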
All times are GMT -5:00.