Event ID: 4672

Special privileges assigned to new logon

Special privileges assigned to new logon.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Privileges:             %5

Every logon of the SYSTEM account triggers this event.


This event is generated for new account logons whenever one of the following sensitive privileges is assigned to the logon session. For a complete list of privileges, see the insertion string below.

Privilege                        Description
SeTcbPrivilege                   Act as part of the operating system
SeBackupPrivilege                Back up files and directories
SeCreateTokenPrivilege           Create a token object
SeDebugPrivilege                 Debug programs
SeEnableDelegationPrivilege      Enable computer and user accounts to be trusted for delegation
SeAuditPrivilege                 Generate security audits
SeImpersonatePrivilege           Impersonate a client after authentication
SeLoadDriverPrivilege            Load and unload device drivers
SeSecurityPrivilege              Manage auditing and security log
SeSystemEnvironmentPrivilege     Modify firmware environment values
SeAssignPrimaryTokenPrivilege    Replace a process-level token
SeRestorePrivilege               Restore files and directories
SeTakeOwnershipPrivilege         Take ownership of files or other objects


Name            Field               Insertion String   OS    Example
Security ID     SubjectUserSid      %1                 Any   THEDOMAIN\UserThree
Account Name    SubjectUserName     %2                 Any   UserThree
Account Domain  SubjectDomainName   %3                 Any   THEDOMAIN
Logon ID        SubjectLogonId      %4                 Any   0x345423
Privileges      PrivilegeList       %5                 Any   View Codes
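
Because every SYSTEM logon generates this event, a useful first pass over exported 4672 records drops SYSTEM and reports which privileges each remaining logon session received. The following is an added example, not part of the original page: it parses events in the Windows event XML layout using the field names from the table above. Assumptions: S-1-5-18 as the well-known SID of SYSTEM, a PrivilegeList value made of whitespace-separated names, and constructed sample events with a placeholder user SID.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of SYSTEM, which logs 4672 on every logon
# The sensitive privileges listed in the table on this page.
SENSITIVE = set("""SeTcbPrivilege SeBackupPrivilege SeCreateTokenPrivilege SeDebugPrivilege
SeEnableDelegationPrivilege SeAuditPrivilege SeImpersonatePrivilege SeLoadDriverPrivilege
SeSecurityPrivilege SeSystemEnvironmentPrivilege SeAssignPrimaryTokenPrivilege
SeRestorePrivilege SeTakeOwnershipPrivilege""".split())

def parse_4672(event_xml):
    """Return the EventData fields of a 4672 event as a dict, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4672":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    data["PrivilegeList"] = data.get("PrivilegeList", "").split()  # one name per token
    return data

def triage(events_xml):
    """Summarise 4672 events for every subject except SYSTEM."""
    findings = []
    for text in events_xml:
        ev = parse_4672(text)
        if ev and ev.get("SubjectUserSid") != SYSTEM_SID:
            privs = set(ev["PrivilegeList"])
            findings.append({
                "account": ev.get("SubjectDomainName", "") + "\\" + ev.get("SubjectUserName", ""),
                "logon_id": ev.get("SubjectLogonId"),
                "sensitive": sorted(privs & SENSITIVE),   # names from the page's table
                "other": sorted(privs - SENSITIVE),       # names the table does not list
            })
    return findings

def sample(sid, user, domain, logon_id, privs):  # builds a constructed event, not real log data
    fields = {"SubjectUserSid": sid, "SubjectUserName": user, "SubjectDomainName": domain,
              "SubjectLogonId": logon_id, "PrivilegeList": "\n\t\t\t".join(privs)}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4672</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLES = [  # constructed; the user SID is a placeholder value
    sample("S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3e7", ["SeTcbPrivilege", "SeDebugPrivilege"]),
    sample("S-1-5-21-1111111111-2222222222-3333333333-1105", "UserThree", "THEDOMAIN", "0x345423",
           ["SeBackupPrivilege", "SeDebugPrivilege", "SeDelegateSessionUserImpersonatePrivilege"]),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

The Logon ID in each finding is the value to correlate with the logon event that opened the same session.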


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Special Logon"