Fix: Event ID 4648 A Logon Was Attempted Using Credentials

Someone how tried to gain access to your network, so act now

by Cesar Cadenas
Cesar Cadenas
Cesar Cadenas
Cesar has been writing for and about technology going on for 6 years when he first started writing tech articles for his university paper. Since then, his passion... read more
Reviewed by Alex Serban
Alex Serban
Alex Serban
Windows Server & Networking Expert
After moving away from the corporate work-style, Alex has found rewards in a lifestyle of constant analysis, team coordination and pestering his colleagues. Holding an MCSA Windows Server... read more
Affiliate Disclosure
  • If you see Event ID 4648 on your computer's event logs, take that as a warning that someone has tried to gain access to your computer or network.
  • Double-check if the person in question may be using new credentials or is a bad actor trying to steal data.
  • If it is a bad actor, you must quickly protect your computer by activating your router's firewall.

To fix various PC problems, we recommend Restoro PC Repair Tool:
This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues and remove viruses now in 3 easy steps:

  1. Download Restoro PC Repair Tool that comes with Patented Technologies (patent available here).
  2. Click Start Scan to find Windows issues that could be causing PC problems.
  3. Click Repair All to fix issues affecting your computer's security and performance
  • Restoro has been downloaded by 0 readers this month.

Event ID 4648 isn’t an error, per se, as it’s the intended result of someone trying to enter a network server using different or new credentials. It’s supposed to block you from entering; that’s its purpose.

The reason this Event ID is a problem is that it’s a sign that someone has or is trying to hack into your computer. To help out, we’ll show you what you can do to address this problem and beef up security.

How can someone gain access to my Windows 11 computer?

A lot of the time whenever people wonder how a hacker got into their machine, they usually think that person cracked open the computer’s tough defenses.

That’s certainly possible, but the more likely reason is that your computer’s or network’s own security is rather lacking.

  • Your router’s firmware is out of date: Make sure to keep all of your systems up to date. Updating a router’s firmware requires you to connect it directly to your computer.
  • Your router’s firewall is turned off: This is by far the worst gap you can have in your network’s security. Turn the firewall quickly, but be aware you have trouble accessing the router’s page.
  • The computer is out of date: Every month, Microsoft has a Patch Tuesday where it rolls out a variety of fixes. We recommend staying up to date with those patches to protect your computer.
  • You have too many people connected to the network: Not everyone will stay mindful of their device’s security. Perhaps you should clear out some users to keep things secure.

How can I protect my computer when Event ID 4648 appears?

The first thing you should do is check your event logs to see who is trying to gain access to your network which we show in the following solutions. After checking, there are a variety of things you can try out to ensure no actor gains access:

  • Turn on your firewall. That is the easiest thing that you can do. Can’t turn on Windows Firewall? Check out these fixes and get things back to normal.
  • Download the latest Windows update, so your computer has the latest protections available. Microsoft consistently cracks them out.
  • Limit the access people have to your network. The more people you have on the network, the higher the risk a bad actor gains access.
  • Move the Wi-Fi router to a different part of the house. If the router is by a wall, someone from outside has an easier chance to gain access to your house network.

1. Check event logs

  1. Open the Windows Search bar and bring up Event Viewer.
  2. Expand Windows Logs in the left-hand menu and select Security.
  3. Scroll through the various logs and locate one with Event ID 4648. This guide doesn’t have that but let’s say it does as an example.
  4. Once you locate a log with Event ID 4648, make note of the Account Name that attempted to log in.

Expert tip:


Some PC issues are hard to tackle, especially when it comes to corrupted repositories or missing Windows files. If you are having troubles fixing an error, your system may be partially broken.
We recommend installing Restoro, a tool that will scan your machine and identify what the fault is.
Click here to download and start repairing.

This solution and the next one go hand in hand. The purpose of the first is to do a bit of threat hunting, or in other words, figure out who is trying to gain access.

2. Remove account credentials

  1. Bring up the Control Panel and ensure the View By entry in the upper right corner is set to Large Icons.
  2. Select User Accounts.
  3. Click Manage your credential on the left-hand side.
  4. Select Windows Credentials in the new window.
  5. Expand the user account you don’t recognize or no longer want. In the dropdown, click Remove to get rid of that user.

This solution is meant for removing users from a network that you no longer want them to have access to. External people or bad actors require another approach.

3. Change your Wi-Fi password

  1. Open up Control Panel and change the View By entry to Category.
  2. Select Network and Internet, then Network and Sharing Center.
  3. Click Change adapter settings.
  4. Right-click your Wi-Fi connect, and in the context menu, select Status.
  5. Click the Wireless Properties button then go to the Security tab in the following window.
  6. Enter a new password in the Network security key entry. Click OK to finish.

4. Disable Remote Access

  1. Open the Settings app, stay on the System tab, and scroll down to Remote Desktop.
  2. In this new section, toggle the switch next to Remote Desktop in order to disable the feature.
  3. To disable the feature, first, open the Registry Editor. Select Yes if the User Account Control asks if you want to make any changes.
  4. Enter the following in the Registry Editor and press Enter: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  5. Double-click fDenyTSConnections to open it.
  6. Set the value data to 1, then click OK to finish up.

Event ID 4648 is just one of many different warning notices on Windows 11. There are two in particular that we want to shout out specifically. The first one is Event ID 157: Disk has been surprise removed.

This warning occurs when interrupts your computer’s communication with a disk and can render a virtual drive unusable. Fixing this may require you to tweak the computer’s registry a little.

The other one is Event ID 7000 which indicates some software services cannot start. We recommend either making adjustments with the Group Policy Editor or restarting the offending service.

Feel free to comment below if you have any questions about other Event IDs. Also, leave comments about guides that you’d like to see or information on other errors.

Still having issues? Fix them with this tool:


If the advices above haven't solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on to easily address them. After installation, simply click the Start Scan button and then press on Repair All.

This article covers:Topics: