Event ID: 4674

An operation was attempted on a privileged object 

An operation was attempted on a privileged object.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Object Type:        %6
    Object Name:        %7
    Object Handle:      %8

Process Information:
    Process ID:         %11
    Process Name:       %12

Requested Operation:
    Desired Access:     %9
    Privileges:         %10


This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.

This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used.

Failure event generates when operation attempt fails.

Auditing:     Conditional


Volume:     Medium High Very High


Microsoft Documentation

Event ID - 4674



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-19
Account Name SubjectUserName %2 Any LOCAL SERVICE
Account Domain SubjectDomainName %3 Any NT AUTHORITY
Logon ID SubjectLogonId %4 Any 0x3e5
Object Server ObjectServer %5 Any LSA
Object Type ObjectType %6 Any View Codes
Object Name ObjectName %7 Any -
Object Handle HandleId %8 Any 0x0
Desired Access AccessMask %9 Any 16777216
Privileges PrivilegeList %10 Any View Codes
Process ID ProcessId %11 Any 0x1f0
Process Name ProcessName %12 Any C:\\Windows\\System32\\lsass.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Sensitive Privilege Use"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Failure Audit Success
Audit Category:
Privilege Use

Audit Subcategory:
Sensitive Privilege Use
Legacy Events:
578

LEFT/RIGHT arrow keys for navigation

Back to List