Windows Security Log Event ID 685

Operating Systems Windows 2003 and XP
CategoryAccount Management
Type Success
Corresponding events
in Windows 2008
and Vista		 4781  

685: Account Name Changed

On this page

When an account name is changed, the SID remains the same. However the Target ID in this event indicates the new name. This is because when the operating system displays this event it evidently queries the database where the SID is stored and translates the SID to the domain\username.

A rogue admin might change his account name or computer name seeking to cover his tracks.

Free Security Log Resources by Randy

Description Fields in 685

  •  Old Account Name: %1
  •  New Account Name: %2
  •  Target Domain:  %3
  •  Target Account ID: %4 (the SID or domain\username)
  •  Caller User Name: %5
  •  Caller Domain: %6
  •  Caller Logon ID: %7
  •  Privileges: %8

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 685

Win2003:

Account Name Changed:
  Old Account Name: DC1$
  New Account Name: DC3$
  Target Domain:  ACME
  Target Account ID: ACME\DC3$
  Caller User Name: administrator
  Caller Domain: ACME
  Caller Logon ID: (0x0,0x3C154)
  Privileges: -

WinXP:

Account Name Changed:
  Old Account Name: Guest
  New Account Name: Guest1
  Target Domain:  STG
  Target Account ID: STG\Guest1
  Caller User Name: wsmith
  Caller Domain: STG
  Caller Logon ID: (0x0,0x3013E)
  Privileges: -

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



Mini-Seminars Covering Event ID 685
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources

    Go To Event ID:

    Security Log
    Quick Reference
    Chart
    Download now!