EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 4724Audit SuccessSecurity

Windows Event ID 4724Password Reset Attempted

Logged when an administrator resets another user's password. Requires elevated privileges unlike 4723 (self-service change).

Why It Matters

Admin-initiated password resets on sensitive accounts (other admins, service accounts, executives) without a corresponding helpdesk ticket are a red flag — especially if the resetting account was itself recently compromised.

Key Fields

Target Account NameThe account whose password was reset
Subject Account NameThe admin account that performed the reset

Investigation Tips

  1. 1.Verify the reset matches a helpdesk ticket or change record.
  2. 2.Check if the resetting account had its own recent unusual activity (unexpected logons, privilege changes).
  3. 3.Admin account resets of other admin accounts are highest priority to verify.

Related Event IDs

4723Self-service password change
4738User account changed

See Event ID 4724 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects password reset attempted patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →