Account Changed

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

Account changes, such as password and username changes may indicate a successful breach and a backdoor setup for a user. This log also can be used to track changes for legitimate users.

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4738'}
Check Logging Status
auditpol /get /subcategory:"computer account management"
Disable Logging
auditpol /set /subcategory:"computer account management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"computer account management" /Success:Enable /Failure:Enable
Language: Powershell
Back to Windows

Changes made to an account are logged by default in Windows 10 Professional. To view the logs, navigate to the Event Viewer Security tab and sort of filter by Event ID 4738.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command

Get-WinEvent -FilterHashTable @{LogName='Security';ID='4738'}

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command

wevtutil qe Security "/q:*[System [(EventID=4738)]]""