Event ID: 4674

An operation was attempted on a privileged object

An operation was attempted on a privileged object.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

    Object Server:      %5
    Object Type:        %6
    Object Name:        %7
    Object Handle:      %8

Process Information:
    Process ID:         %11
    Process Name:       %12

Requested Operation:
    Desired Access:     %9
    Privileges:         %10
Microsoft Documentation

Event ID - 4674

This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.

This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used.

Failure event generates when operation attempt fails.

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-19
Account Name SubjectUserName %2 Any LOCAL SERVICE
Account Domain SubjectDomainName %3 Any NT AUTHORITY
Logon ID SubjectLogonId %4 Any 0x3e5
Object Server ObjectServer %5 Any LSA
Object Type ObjectType %6 Any -
Object Name ObjectName %7 Any -
Object Handle HandleId %8 Any 0x0
Desired Access AccessMask %9 Any 16777216
Privileges PrivilegeList %10 Any View Codes
Process ID ProcessId %11 Any 0x1f0
Process Name ProcessName %12 Any C:\\Windows\\System32\\lsass.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Sensitive Privilege Use"
How to enable Windows Auditing

LEFT/RIGHT arrow keys for navigation

Back to List