Event ID: 4672

Special privileges assigned to new logon

Special privileges assigned to new logon.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Privileges:             %5

This event is generated for new account logons whenever one of the following sensitive privileges is assigned to the logon session. For a complete list of privileges see the insertion string below.

Privilege                        Description
SeTcbPrivilege                   Act as part of the operating system
SeBackupPrivilege                Back up files and directories
SeCreateTokenPrivilege           Create a token object
SeDebugPrivilege                 Debug programs
SeEnableDelegationPrivilege      Enable computer and user accounts to be trusted for delegation
SeAuditPrivilege                 Generate security audits
SeImpersonatePrivilege           Impersonate a client after authentication
SeLoadDriverPrivilege            Load and unload device drivers
SeSecurityPrivilege              Manage auditing and security log
SeSystemEnvironmentPrivilege     Modify firmware environment values
SeAssignPrimaryTokenPrivilege    Replace a process-level token
SeRestorePrivilege               Restore files and directories
SeTakeOwnershipPrivilege         Take ownership of files or other objects

Auditing:     Conditional

Enable auditing if you are utilizing the "Special Groups" Windows feature.

Volume:     Low

When "Special Groups" are enabled, volume depends on the configuration and types of users logging on.

Every logon of the SYSTEM account triggers this event.

Microsoft Documentation

Event ID - 4672

Name            Field              Insertion String  OS   Example
Security ID     SubjectUserSid     %1                Any  THEDOMAIN\UserThree
Account Name    SubjectUserName    %2                Any  UserThree
Account Domain  SubjectDomainName  %3                Any  THEDOMAIN
Logon ID        SubjectLogonId     %4                Any  0x345423
Privileges      PrivilegeList      %5                Any  View Codes
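
An added example (not from the original page or from Microsoft): a Python triage of exported 4672 event XML that reads the field names in the table above, drops the SYSTEM logons noted under Volume, and reports special-privilege logons from accounts outside an expected set. The sample events, the domain SID, the AdminOne account and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of the SYSTEM account
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value

def make_event(event_id, sid, name, domain, logon_id, privileges):
    """Build a constructed sample event in the Windows event XML layout."""
    data = {"SubjectUserSid": sid, "SubjectUserName": name,
            "SubjectDomainName": domain, "SubjectLogonId": logon_id,
            # Windows separates the privilege names with newlines and tabs
            "PrivilegeList": "\n\t\t\t".join(privileges)}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed data, not taken from a real log
    make_event(4672, SYSTEM_SID, "SYSTEM", "NT AUTHORITY", "0x3e7",
               ["SeTcbPrivilege", "SeDebugPrivilege"]),
    make_event(4672, DOMAIN_SID + "-1105", "UserThree", "THEDOMAIN", "0x345423",
               ["SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"]),
    make_event(4672, DOMAIN_SID + "-1106", "AdminOne", "THEDOMAIN", "0x51a2b0",
               ["SeSecurityPrivilege"]),
    make_event(4624, DOMAIN_SID + "-1105", "UserThree", "THEDOMAIN", "0x345423", []),
]

def parse_4672(xml_text):
    """Return the event's named fields as a dict, or None if it is not a 4672."""
    root = ET.fromstring(xml_text)  # trusted export assumed; harden for untrusted XML
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4672":
        return None
    rec = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["PrivilegeList"] = rec.get("PrivilegeList", "").split()
    return rec

def unexpected_special_logons(events, expected_sids):
    """List 4672 logons whose SID is neither SYSTEM nor in expected_sids."""
    findings = []
    for rec in map(parse_4672, events):
        if rec is None or rec.get("SubjectUserSid") in {SYSTEM_SID, *expected_sids}:
            continue  # skip other event IDs, SYSTEM logon noise, known admins
        account = rec.get("SubjectDomainName", "") + "\\" + rec.get("SubjectUserName", "")
        findings.append((account, rec.get("SubjectLogonId"), rec["PrivilegeList"]))
    return findings

if __name__ == "__main__":
    print(unexpected_special_logons(SAMPLE_EVENTS, {DOMAIN_SID + "-1106"}))
```

Matching on the SID rather than the account name keeps the expected set valid when an account is renamed.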

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Special Logon"
