Windows Event ID 4782 – Security: User Account Password Changed

Event ID 4782 logs when a user account password is changed by an administrator or through administrative tools. This security audit event tracks password modifications for compliance and security monitoring purposes.

Emanuel DE ALMEIDA
18 March 2026 | 12 min read

What This Event Means

Event ID 4782 represents a fundamental security audit event in Windows environments, specifically designed to track administrative password changes across the infrastructure. When an administrator resets a user's password through Active Directory Users and Computers, PowerShell cmdlets, or other administrative tools, Windows logs this event to maintain a comprehensive audit trail.

The event structure contains multiple fields that provide forensic-level detail about the password change operation. The Subject section identifies who performed the action, including their Security ID, account name, domain, and logon ID. The Target Account section specifies which user account was modified, while the Process Information section reveals which application or service initiated the change.

This event plays a crucial role in security monitoring frameworks, particularly in environments with strict compliance requirements like SOX, HIPAA, or PCI-DSS. Security Information and Event Management (SIEM) systems frequently monitor Event ID 4782 to detect suspicious administrative activities, such as mass password resets or unauthorized privilege escalation attempts.

The event also supports forensic investigations by providing timestamps, source workstation information, and correlation data that helps reconstruct the sequence of administrative actions. In 2026, with enhanced Windows security features, this event has become even more detailed, including additional context about the authentication methods used and the security policies applied during the password change operation.

Applies to

  • Windows 10
  • Windows 11
  • Windows Server 2019/2022/2025

Possible Causes

  • Administrator resetting user password through Active Directory Users and Computers
  • PowerShell cmdlets like Set-ADAccountPassword or Set-LocalUser being executed
  • Password reset operations through Microsoft 365 Admin Center for hybrid accounts
  • Automated password management tools performing scheduled password rotations
  • Help desk applications or identity management systems changing passwords
  • Group Policy-enforced password changes on service accounts
  • Emergency password resets during security incident response
  • Bulk password operations using administrative scripts or tools
Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the complete event details to understand the context of the password change.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4782 in the Event IDs field and click OK
  5. Double-click on an Event ID 4782 entry to view detailed information
  6. Review the following key fields:
    • Subject: Who performed the password change
    • Target Account: Which account was modified
    • Process Information: What tool was used
    • Logon ID: Session identifier for correlation
  7. Check the timestamp to correlate with other security events
  8. Note the Workstation Name if present to identify the source system
Pro tip: Use the Details tab in XML view to see all available fields, including some that may not display in the General tab.
02. Query Events with PowerShell for Analysis

Use PowerShell to extract and analyze Event ID 4782 entries for patterns or specific accounts.

  1. Open PowerShell as Administrator
  2. Query recent password change events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4782} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events for a specific target account (the message text never contains the literal string "TargetUserName", so match the EventData field instead; 'jsmith' is a placeholder):
    $TargetUser = 'jsmith'
    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4782] and EventData[Data[@Name='TargetUserName']='$TargetUser']]" | Select-Object TimeCreated, Message
  4. Extract detailed information using XML parsing:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4782} -MaxEvents 20
    foreach ($Event in $Events) {
        $XML = [xml]$Event.ToXml()
        $EventData = $XML.Event.EventData.Data
        Write-Output "Time: $($Event.TimeCreated)"
        Write-Output "Subject: $($EventData | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text')"
        Write-Output "Target: $($EventData | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text')"
        Write-Output "---"
    }
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4782} | Export-Csv -Path "C:\Temp\PasswordChanges.csv" -NoTypeInformation
Warning: Large Security logs can impact performance. Use the -MaxEvents parameter to limit results when querying busy domain controllers.
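The steps above extract Subject and Target fields by hand for each event. As an added example (not code from the article or its author), the following PowerShell turns 4782 records into structured objects and lets the event log service do the target-account filtering through an XPath query, so no full-log message scan is needed. The EventData field names (SubjectUserName, SubjectDomainName, SubjectLogonId, TargetUserName, TargetDomainName, ProcessName) follow the layout of User Account Management events; the sample XML record is constructed so the parser can be run offline on any PowerShell host.

```powershell
# Added example, not from the article: parse Event ID 4782 records into structured objects.
# The EventData field names are assumed to follow the User Account Management event layout.

function ConvertFrom-PasswordChangeEventXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml      # the string returned by EventLogRecord.ToXml()
    )
    process {
        $xml = [xml]$EventXml
        # Build a Name -> value lookup from the <Data Name="...">value</Data> elements
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated    = [datetime]$xml.Event.System.TimeCreated.SystemTime
            EventId        = [int]$xml.Event.System.EventID
            Computer       = $xml.Event.System.Computer
            SubjectUser    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            SubjectLogonId = $data['SubjectLogonId']     # correlation key for 4624/4672/4688
            TargetUser     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            ProcessName    = $data['ProcessName']
        }
    }
}

function Get-PasswordChangeEvent {
    param(
        [string]$TargetUser,        # optional: only changes made to this account (sAMAccountName)
        [int]$MaxEvents = 100,
        [string]$Path               # optional: read an exported .evtx instead of the live Security log
    )
    # The XPath filter is evaluated by the event log service, so the whole log is not rendered.
    # Note: $TargetUser is inserted verbatim; a name containing a quote would break the query.
    $xpath = "*[System[EventID=4782]]"
    if ($TargetUser) {
        $xpath = "*[System[EventID=4782] and EventData[Data[@Name='TargetUserName']='$TargetUser']]"
    }
    $events = if ($Path) {
        Get-WinEvent -Path $Path -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    } else {
        Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }
    $events | ForEach-Object { $_.ToXml() } | ConvertFrom-PasswordChangeEventXml
}

# Constructed sample record (not a real log entry) so the parser can be exercised offline
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4782</EventID>
    <TimeCreated SystemTime="2026-03-18T08:15:42.000Z" />
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3E4F2A</Data>
    <Data Name="ProcessName">C:\Windows\System32\mmc.exe</Data>
  </EventData>
</Event>
'@

# Offline demonstration on the constructed record
ConvertFrom-PasswordChangeEventXml -EventXml $SampleXml | Format-List

# Live usage on a Windows host (elevated session):
#   Get-PasswordChangeEvent -TargetUser 'jsmith' -MaxEvents 20 | Format-Table -AutoSize
#   Get-PasswordChangeEvent -Path 'C:\Temp\Security.evtx' | Export-Csv C:\Temp\PasswordChanges.csv -NoTypeInformation
```

The objects carry SubjectLogonId as a plain property, so the output can be piped straight into a Group-Object or a join against 4624 logon events instead of re-parsing XML in every loop iteration.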
03. Correlate with Related Security Events

Investigate Event ID 4782 alongside related events to build a complete picture of the administrative activity.

  1. Query for logon events that correlate with the password change:
    $PasswordEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4782} -MaxEvents 10
    foreach ($Event in $PasswordEvents) {
        $XML = [xml]$Event.ToXml()
        $LogonId = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'}).'#text'
        Write-Output "Password change at: $($Event.TimeCreated)"
        Write-Output "Looking for logon events with LogonId: $LogonId"
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | Where-Object {$_.Message -like "*$LogonId*"} | Select-Object TimeCreated, Id, Message
    }
  2. Check for privilege use events (Event ID 4672) that may precede password changes:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-1)} | Select-Object TimeCreated, Message
  3. Look for process creation events (Event ID 4688) to identify tools used:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*dsa.msc*" -or $_.Message -like "*powershell*"} | Select-Object TimeCreated, Message
  4. Create a timeline of related events:
    $StartTime = (Get-Date).AddHours(-2)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4672,4782,4688; StartTime=$StartTime} | Sort-Object TimeCreated
    $Events | Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize
Pro tip: Use the LogonId field to correlate all activities within the same logon session for comprehensive investigation.
04. Configure Advanced Auditing and Monitoring

Set up comprehensive monitoring for password change events to improve security posture and compliance reporting.

  1. Verify audit policy settings using Group Policy or local policy:
    auditpol /get /subcategory:"User Account Management"
  2. Enable detailed auditing if not already configured:
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
  3. Configure Windows Event Forwarding to centralize logs:
    • Open Group Policy Management
    • Navigate to Computer Configuration > Administrative Templates > Windows Components > Event Forwarding
    • Enable the "Configure target Subscription Manager" setting
  4. Set up custom event log forwarding for Event ID 4782:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4782)]]</Select>
      </Query>
    </QueryList>
  5. Create a scheduled task to monitor and alert on suspicious patterns:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorPasswordChanges.ps1"
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
    Register-ScheduledTask -TaskName "Monitor Password Changes" -Action $Action -Trigger $Trigger -RunLevel Highest
  6. Configure Security log size to ensure adequate retention:
    wevtutil sl Security /ms:1073741824
Warning: Increasing audit logging can significantly impact system performance and storage requirements. Monitor disk space and performance after enabling detailed auditing.
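Steps 1, 2 and 6 above are the settings Event ID 4782 depends on. As an added example (not code from the article or its author), the following PowerShell turns them into a repeatable check: it parses the CSV form of auditpol output (the /r switch) and compares the Security log's maximum size against the 1 GB figure the article recommends. The parsing is separated from the live commands so the logic can be exercised offline with the constructed auditpol sample below (its GUID column is a placeholder); Test-PasswordChangeAuditConfig runs the real commands and needs an elevated Windows PowerShell session.

```powershell
# Added example, not from the article: verify audit policy and Security log size for Event ID 4782.

function Test-AuditPolicyCsv {
    param(
        [Parameter(Mandatory)] [string]$AuditPolCsv,        # output of: auditpol /get /subcategory:"User Account Management" /r
        [Parameter(Mandatory)] [long]$SecurityLogMaxBytes,  # MaximumSizeInBytes of the Security log
        [long]$RequiredMaxBytes = 1GB                       # article's recommendation for compliance environments
    )
    $rows    = $AuditPolCsv | ConvertFrom-Csv
    $row     = $rows | Where-Object { $_.Subcategory -eq 'User Account Management' } | Select-Object -First 1
    # "Inclusion Setting" is one of: No Auditing, Success, Failure, Success and Failure
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'No Auditing' }

    [pscustomobject]@{
        SuccessAudited  = [bool]($setting -match 'Success')
        FailureAudited  = [bool]($setting -match 'Failure')
        LogSizeAdequate = $SecurityLogMaxBytes -ge $RequiredMaxBytes
        # Commands from the article that fix whatever is missing
        Remediation     = @(
            if ($setting -notmatch 'Success' -or $setting -notmatch 'Failure') {
                'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable'
            }
            if ($SecurityLogMaxBytes -lt $RequiredMaxBytes) {
                "wevtutil sl Security /ms:$RequiredMaxBytes"
            }
        )
    }
}

function Test-PasswordChangeAuditConfig {
    # Live check on a Windows host; requires an elevated session to read the audit policy
    $csv = (auditpol /get /subcategory:"User Account Management" /r) -join "`n"
    $log = Get-WinEvent -ListLog Security
    Test-AuditPolicyCsv -AuditPolCsv $csv -SecurityLogMaxBytes $log.MaximumSizeInBytes
}

# Constructed sample of auditpol /r output: only Success auditing enabled, paired with a 20 MB log.
# Expected result: FailureAudited = False, LogSizeAdequate = False, two remediation commands.
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,User Account Management,{00000000-0000-0000-0000-000000000000},Success,
'@
Test-AuditPolicyCsv -AuditPolCsv $SampleCsv -SecurityLogMaxBytes 20MB | Format-List
```

Running Test-PasswordChangeAuditConfig from a scheduled task and writing the Remediation list to a ticket or the Application log gives an early warning when a Group Policy change silently disables the auditing that 4782 monitoring relies on.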
05. Implement SIEM Integration and Automated Response

Deploy advanced monitoring and automated response capabilities for Event ID 4782 in enterprise environments.

  1. Configure Windows Event Collector (WEC) for centralized collection:
    wecutil cs C:\Config\PasswordChangeSubscription.xml
  2. Create a PowerShell script for real-time monitoring and alerting:
    # Monitor-PasswordChanges.ps1
    # The custom source must be registered once before first use (elevated):
    #   New-EventLog -LogName Application -Source "PasswordMonitor"
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4782" -Action {
        # $Event is the automatic variable holding the WMI event; do not overwrite it
        $Entry = $Event.SourceEventArgs.NewEvent.TargetInstance
        $Message = "Password changed for account: $($Entry.Message)"
        Write-EventLog -LogName Application -Source "PasswordMonitor" -EventId 1001 -Message $Message
        # Send notification to SIEM or security team
    }
  3. Set up custom Windows Performance Toolkit (WPT) traces for detailed analysis:
    wpr -start GeneralProfile -start CPU -start DiskIO
  4. Configure integration with Microsoft Sentinel or third-party SIEM:
    • Install and configure the Log Analytics agent
    • Create custom log collection rules for Event ID 4782
    • Set up KQL queries for pattern detection
  5. Implement automated response workflows:
    # Example: raise an alert when more than 10 password changes occur within 5 minutes
    # (StartTime in the hashtable lets the log service do the time filtering; @() keeps .Count valid
    # when zero or one event is returned, and -ErrorAction avoids the "no events found" error)
    $SuspiciousEvents = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4782; StartTime=(Get-Date).AddMinutes(-5)} -ErrorAction SilentlyContinue)
    if ($SuspiciousEvents.Count -gt 10) {
        # Trigger security response (register the source once: New-EventLog -LogName Application -Source "SecurityResponse")
        Write-EventLog -LogName Application -Source "SecurityResponse" -EventId 2001 -Message "Suspicious password change activity detected"
    }
  6. Create compliance reports using PowerShell:
    $Report = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4782; StartTime=(Get-Date).AddDays(-30)} | Group-Object {$_.TimeCreated.Date} | Select-Object Name, Count
    $Report | Export-Csv -Path "C:\Reports\MonthlyPasswordChanges.csv" -NoTypeInformation
Pro tip: Use machine learning algorithms in your SIEM to establish baseline patterns for password changes and detect anomalies automatically.
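The automated-response snippet in step 5 counts all 4782 events in a five-minute window, which cannot tell one administrator resetting many accounts apart from many administrators each resetting one. As an added example (not code from the article or its author), the following PowerShell implements the two patterns the FAQ below describes, a burst of changes by a single subject and changes outside business hours, as a function over plain records with TimeCreated, SubjectUser and TargetUser properties. The thresholds, the 07:00 to 19:00 business window and the sample records are constructed assumptions; the same function accepts parsed live events.

```powershell
# Added example, not from the article: per-subject burst and off-hours detection for 4782 records.

function Find-PasswordChangeAnomaly {
    param(
        [Parameter(Mandatory)] [object[]]$Records,   # objects with TimeCreated, SubjectUser, TargetUser
        [int]$BurstThreshold = 5,                     # distinct target accounts per subject in the window
        [int]$WindowMinutes = 10,
        [int]$BusinessStartHour = 7,                  # assumed local business hours, inclusive start
        [int]$BusinessEndHour = 19                    # exclusive end
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Burst detection: a sliding time window over each subject's changes, ordered by time
    foreach ($group in ($Records | Group-Object SubjectUser)) {
        $times = @($group.Group | Sort-Object TimeCreated)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end].TimeCreated - $times[$start].TimeCreated).TotalMinutes -gt $WindowMinutes) { $start++ }
            $window = $times[$start..$end]
            $distinctTargets = @($window.TargetUser | Select-Object -Unique).Count
            if ($distinctTargets -ge $BurstThreshold) {
                $findings.Add([pscustomobject]@{
                    Type        = 'Burst'
                    SubjectUser = $group.Name
                    Count       = $distinctTargets
                    WindowStart = $times[$start].TimeCreated
                    WindowEnd   = $times[$end].TimeCreated
                })
                break   # one finding per subject is enough to raise an alert
            }
        }
    }

    # Off-hours detection: any change outside the business window is reported individually
    foreach ($r in $Records) {
        $h = $r.TimeCreated.Hour
        if ($h -lt $BusinessStartHour -or $h -ge $BusinessEndHour) {
            $findings.Add([pscustomobject]@{
                Type        = 'OffHours'
                SubjectUser = $r.SubjectUser
                Count       = 1
                WindowStart = $r.TimeCreated
                WindowEnd   = $r.TimeCreated
            })
        }
    }
    return $findings
}

# Constructed sample records (not real log data)
$base = [datetime]'2026-03-18T09:00:00'
$Sample = @(
    # helpdesk01 resets five different accounts within four minutes -> Burst finding
    1..5 | ForEach-Object { [pscustomobject]@{ TimeCreated = $base.AddMinutes($_); SubjectUser = 'CORP\helpdesk01'; TargetUser = "CORP\user0$_" } }
    # a single reset at 14:00 -> no finding
    [pscustomobject]@{ TimeCreated = $base.AddHours(5);  SubjectUser = 'CORP\admin01'; TargetUser = 'CORP\user42' }
    # a reset at 23:00 -> OffHours finding
    [pscustomobject]@{ TimeCreated = $base.AddHours(14); SubjectUser = 'CORP\jdoe';    TargetUser = 'CORP\svc-backup' }
)

# Expected: two findings, one Burst for CORP\helpdesk01 and one OffHours for CORP\jdoe
$Findings = Find-PasswordChangeAnomaly -Records $Sample
$Findings | Format-Table -AutoSize
```

Each finding can be written to the Application log with Write-EventLog exactly as step 5 does, and the baseline values (threshold, window, business hours) are the numbers to tune against your own environment's normal volume.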

Overview

Event ID 4782 fires whenever a user account password gets changed through administrative actions or tools. This security audit event appears in the Security log and provides detailed information about who changed the password, which account was modified, and when the change occurred. Unlike Event ID 4723, which logs user-initiated password changes, Event ID 4782 specifically tracks administrative password modifications.

This event becomes critical for security teams monitoring privileged account activities and compliance requirements. The event captures successful password changes and provides audit trails for forensic investigations. Windows generates this event on domain controllers, member servers, and workstations when local account passwords are modified by administrators.

The event includes valuable metadata such as the subject who performed the change, the target account, logon session details, and process information. Security teams rely on this event to detect unauthorized password modifications, track administrative activities, and maintain compliance with security policies that require password change auditing.

Frequently Asked Questions

What is the difference between Event ID 4782 and Event ID 4723?
Event ID 4782 logs administrative password changes where an administrator or system changes another user's password, while Event ID 4723 logs when users change their own passwords. Event 4782 typically indicates privileged operations and is more critical for security monitoring since it involves administrative access. The event structure also differs - 4782 includes more detailed information about the administrative context and the tools used for the password change.

Why am I not seeing Event ID 4782 in my Security log?
Event ID 4782 requires specific audit policy settings to be enabled. Check that 'Audit User Account Management' is configured for both success and failure events using:
    auditpol /get /subcategory:"User Account Management"
On domain controllers, this auditing is typically enabled by default, but on member servers and workstations, you may need to configure it through Group Policy. Also ensure that the Security log has sufficient size and retention settings to capture these events.

How can I identify bulk password changes or potential security incidents using Event ID 4782?
Monitor for unusual patterns such as multiple Event ID 4782 entries within short time periods, password changes occurring outside normal business hours, or changes performed by accounts that don't typically have administrative privileges. Use PowerShell to group events by time periods and count occurrences:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4782} | Group-Object {$_.TimeCreated.Hour} | Sort-Object Count -Descending
Set up alerts when the count exceeds normal baselines for your environment.

What information does Event ID 4782 provide for forensic investigations?
Event ID 4782 provides comprehensive forensic data including the exact timestamp of the password change, the Security ID and account name of who performed the change, the target account that was modified, the logon session ID for correlation with other events, process information showing which tool was used, and workstation details if available. This information allows investigators to reconstruct the complete chain of events, identify the source of administrative actions, and correlate with other security events for comprehensive incident analysis.

How should I configure retention and storage for Event ID 4782 logs in compliance environments?
For compliance environments, configure the Security log with adequate size (typically 1GB or larger) and set retention policies based on regulatory requirements - often 90 days to 7 years depending on the compliance framework. Use Windows Event Forwarding to centralize logs to dedicated log servers with appropriate backup and archival systems. Consider implementing log integrity protection using features like Windows Event Log Forwarding with authentication, and ensure logs are stored in tamper-evident systems. Document your retention policies and regularly test log retrieval procedures for audit purposes.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
