Windows Event ID 4724: An attempt was made to reset an account's password
Windows Security Event ID 4724 records an attempt to reset another account's password and is important for account-takeover investigations.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
The event is logged when an administrator, helpdesk workflow, or other principal resets a user password rather than changing its own password.
Key Fields
Subject
The identity that attempted the reset. Confirm it is an approved administrator or identity-management process.
Target Account
The account whose password was reset. Privileged, service, and recently created accounts deserve special attention.
Status
The operation result. Failed resets can reveal attempted but blocked account abuse.
Common False Positives
- Helpdesk and self-service identity workflows legitimately reset passwords.
- Emergency access procedures may reset privileged accounts during incidents.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
- T1078Valid Accounts
Detection Notes
T1098 Account Manipulation is signaled when Subject resets a privileged or service Target Account and Status is 0x0, followed by 4624 from a new Client Address. A successful reset outside approved helpdesk workflows gives an attacker a new valid credential, unlike a failed policy attempt.
SecurityEvent
| where EventID == 4724
| project TimeGenerated, Computer, Account, TargetAccount, Activity, Status
| order by TimeGenerated descindex=wineventlog EventCode=4724
| table _time, host, SubjectUserName, TargetUserName, StatusSubject: CORP\helpdesk01
Target Account: CORP\admin.ops
Status: 0x0