Event ID 4674
An operation was attempted on a privileged object

An operation was attempted on a privileged object.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Object:
Object Server: %5
Object Type: %6
Object Name: %7
Object Handle: %8
Process Information:
Process ID: %11
Process Name: %12
Requested Operation:
Desired Access: %9
Privileges: %10

This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.
This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used.
A Failure event generates when the operation attempt fails.
Auditing: Conditional
Volume: Medium, High, Very High
NIST 800-171: 3.1.7
NIST SP 800-53: AC-6(1), AC-6(2),
CMMC v2 L2: AC-L2-3.1.7
Microsoft Documentation
| Name | Field | Insertion String | OS | Example |
|---|---|---|---|---|
| Security ID | SubjectUserSid | %1 | Any | S-1-5-19 |
| Account Name | SubjectUserName | %2 | Any | LOCAL SERVICE |
| Account Domain | SubjectDomainName | %3 | Any | NT AUTHORITY |
| Logon ID | SubjectLogonId | %4 | Any | 0x3e5 |
| Object Server | ObjectServer | %5 | Any | LSA |
| Object Type | ObjectType | %6 | Any | View Codes |
| Object Name | ObjectName | %7 | Any | - |
| Object Handle | HandleId | %8 | Any | 0x0 |
| Desired Access | AccessMask | %9 | Any | 16777216 |
| Privileges | PrivilegeList | %10 | Any | View Codes |
| Process ID | ProcessId | %11 | Any | 0x1f0 |
| Process Name | ProcessName | %12 | Any | C:\Windows\System32\lsass.exe |
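
A triage sketch for exported 4674 events, added here as an example and not taken from the original page or from Microsoft: it reads the named fields from the table above out of event XML and counts use of the three privileges this page mentions, split by success and failure. It assumes the standard Event Viewer XML layout and that the audit-failure bit is set in `System/Keywords`; the sample events, the `EXAMPLE\alice` account and `C:\Tools\example.exe` are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_BIT = 0x0010000000000000  # set in System/Keywords for failure audits
# Privileges this page names as examples; extend for your environment.
WATCH = {"SeShutdownPrivilege", "SeRemoteShutdownPrivilege", "SeSecurityPrivilege"}

def parse_4674(xml_text):
    """Return the EventData fields of one 4674 event as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4674":
        return None
    rec = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # PrivilegeList holds one or more names separated by whitespace/newlines.
    rec["PrivilegeList"] = rec.get("PrivilegeList", "").split()
    keywords = int(root.findtext("e:System/e:Keywords", "0x0", NS), 16)
    rec["Outcome"] = "Failure" if keywords & AUDIT_FAILURE_BIT else "Success"
    return rec

def summarize(events, watch=WATCH):
    """Count watched privilege use per (account, process, privilege, outcome)."""
    counts = Counter()
    for rec in filter(None, map(parse_4674, events)):
        account = rec.get("SubjectDomainName", "") + "\\" + rec.get("SubjectUserName", "")
        for priv in rec["PrivilegeList"]:
            if priv in watch:
                counts[(account, rec.get("ProcessName", ""), priv, rec["Outcome"])] += 1
    return counts

def make_event(event_id, keywords, domain, user, privileges, process):
    """Build a constructed event in the Event Viewer XML layout (sample data only)."""
    fields = {"SubjectDomainName": domain, "SubjectUserName": user,
              "PrivilegeList": privileges, "ProcessName": process}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Keywords>{keywords}</Keywords></System><EventData>{data}</EventData></Event>")

LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed; the first reuses the account and process from the table
    make_event(4674, "0x8020000000000000", "NT AUTHORITY", "LOCAL SERVICE",
               "SeSecurityPrivilege", LSASS),
    make_event(4674, "0x8010000000000000", "EXAMPLE", "alice",
               "SeShutdownPrivilege\n\t\t\tSeTakeOwnershipPrivilege", r"C:\Tools\example.exe"),
    make_event(4673, "0x8020000000000000", "EXAMPLE", "alice", "SeSecurityPrivilege", LSASS),
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).items():
        print(n, *key, sep=" | ")
```

Grouping by account and process makes the steady baseline from system processes easy to separate from one-off or failed attempts by other accounts.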
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Sensitive Privilege Use"