4648: A Logon was Attempted Using Explicit Credentials [Fix]

Someone how tried to gain access to your network, so act now

Reading time icon 5 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Key notes

  • If you see Event ID 4648 on your computer’s event logs, take that as a warning that someone has tried to gain access to your computer or network.
  • Double-check if the person in question may be using new credentials or is a bad actor trying to steal data.
  • If it is a bad actor, you must quickly protect your computer by activating your router’s firewall.

Event ID 4648 isn’t an error, per se, as it’s the intended result of someone trying to enter a network server using different or new credentials. It’s supposed to block you from entering; that’s its purpose.

This Event ID is a problem because it’s a sign that someone has or is trying to hack into your computer. To help out, we’ll show you what you can do to address this problem and beef up security.

How can I protect my computer when Event ID 4648 appears?

1. Check event logs

  1. Open the Windows Search bar and bring up Event Viewer.
  2. Expand Windows Logs in the left-hand menu and select Security.
  3. Scroll through the various logs and locate one with Event ID 4648. This guide doesn’t have that but let’s say it does as an example.
  4. Once you locate a log with Event ID 4648, make note of the Account Name that attempted to log in.

This solution and the next one go hand in hand. The purpose of the first is to do a bit of threat hunting, or in other words, figure out who is trying to gain access.

2. Remove account credentials

  1. Bring up the Control Panel and ensure the View By entry in the upper right corner is set to Large Icons.
  2. Select User Accounts.
  3. Click Manage your credential on the left-hand side.
  4. Select Windows Credentials in the new window.
  5. Expand the user account you don’t recognize or no longer want. In the dropdown, click Remove to get rid of that user.

This solution is meant to remove users from a network that you no longer want them to have access to. External people or bad actors require another approach.

3. Change your Wi-Fi password

  1. Open up Control Panel and change the View By entry to Category.
  2. Select Network and Internet, then Network and Sharing Center.
  3. Click Change adapter settings.
  4. Right-click your Wi-Fi connect, and in the context menu, select Status.
  5. Click the Wireless Properties button then go to the Security tab in the following window.
  6. Enter a new password in the Network security key entry. Click OK to finish.

4. Disable Remote Access

  1. Open the Settings app, stay on the System tab, and scroll down to Remote Desktop.
  2. In this new section, toggle the switch next to Remote Desktop in order to disable the feature.
  3. To disable the feature, first, open the Registry Editor. Select Yes if the User Account Control asks if you want to make any changes.
  4. Enter the following in the Registry Editor and press Enter: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  5. Double-click fDenyTSConnections to open it.
  6. Set the value data to 1, then click OK to finish up.

You can also:

  • Turn on your firewall. That is the easiest thing that you can do. Can’t turn on Windows Firewall? Check out these fixes and get things back to normal.
  • Download the latest Windows update so your computer has the latest protections available. Microsoft consistently cracks them out.
  • Limit the number of people who can access your network. The more people on the network, the higher the risk a bad actor will gain access.
  • Move the Wi-Fi router to a different part of the house. If it is by a wall, someone from outside will have an easier time gaining access to your house network.

How can someone gain access to my Windows 11 computer?

A lot of the time, whenever people wonder how a hacker got into their machine, they usually think that person cracked open the computer’s tough defenses.

That’s certainly possible, but the more likely reason is that your computer’s or network’s own security is rather lacking.

  • Your router’s firmware is out of date: Make sure to keep all of your systems up to date. Updating a router’s firmware requires you to connect it directly to your computer.
  • Your router’s firewall is turned off: This is by far the worst gap you can have in your network’s security. Turn the firewall quickly, but be aware you have trouble accessing the router’s page.
  • The computer is out of date: Every month, Microsoft has a Patch Tuesday where it rolls out a variety of fixes. We recommend staying up to date with those patches to protect your computer.
  • You have too many people connected to the network: Not everyone will stay mindful of their device’s security. Perhaps you should clear out some users to keep things secure.

Event ID 4648 is just one of many different warning notices on Windows 11. There are two in particular that we want to shout out specifically. The first one is Event ID 157: Disk has been surprise removed.

This warning occurs when interrupts your computer’s communication with a disk and can render a virtual drive unusable. Fixing this may require you to tweak the computer’s registry a little.

The other one is Event ID 7000 which indicates some software services cannot start. We recommend either adjusting with the Group Policy Editor or restarting the offending service.

For fixes and logon errors, you can check our Navigating the Logon Balancing Error 88 in SAP GUI: Our step-by-step solutions guide.

Feel free to comment below if you have questions about other Event IDs. You can also leave comments about guides that you’d like to see or information on other errors.

More about the topics: event log viewers, security