Event ID: 4696
A primary token was assigned to process
A primary token was assigned to process.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Process Information:
Process ID: %11
Process Name: %12
Target Process:
Target Process ID: %9
Target Process Name: %10
New Token Information:
Security ID: %5
Account Name: %6
Account Domain: %7
Logon ID: %8
This event is generated every time a process runs using a non-current access token, for example a UAC-elevated token, a Run As different user action, a scheduled task running as a defined user, a service, and so on.
IMPORTANT: This event is deprecated starting with Windows 7 and Windows 2008 R2.
| Name | Field | Insertion String | OS | Example |
| --- | --- | --- | --- | --- |
| Security ID | SubjectUserSid | %1 | Any | S-1-5-18 |
| Account Name | SubjectUserName | %2 | Any | WIN2008$ |
| Account Domain | SubjectDomainName | %3 | Any | DOMAIN |
| Logon ID | SubjectLogonId | %4 | Any | 0x3e7 |
| Security ID | TargetUserSid | %5 | Any | S-1-5-18 |
| Account Name | TargetUserName | %6 | Any | dadmin |
| Account Domain | TargetDomainName | %7 | Any | DOMAIN |
| Logon ID | TargetLogonId | %8 | Any | 0x1c8c5 |
| Target Process ID | TargetProcessId | %9 | Any | 0xf40 |
| Target Process Name | TargetProcessName | %10 | Any | C:\Windows\System32\WerFault.exe |
| Process ID | ProcessId | %11 | Any | 0x698 |
| Process Name | TargetProcessName | %12 | Any | C:\Windows\System32\svchost.exe |
Subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: DOMAIN
Lowercase full domain name: domain.local
Uppercase full domain name: DOMAIN.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “ComputerName”.
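The following is an added example, not part of this reference page: it maps the insertion strings %1..%12 of a 4696 event onto the field names from the table above and reports how the newly assigned primary token differs from the subject's own context (a different logon session, or a SYSTEM-context process assigning a non-SYSTEM user token). The sample event is constructed from the table's example values; the TargetUserSid is a made-up domain SID, and the code assumes that the `<Data>` elements appear in insertion-string order.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SYSTEM_SID = "S-1-5-18"

# Field names for insertion strings %1..%12, in the order the 4696 message template uses them.
FIELDS = ["SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
          "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId",
          "TargetProcessId", "TargetProcessName", "ProcessId", "ProcessName"]

# Constructed sample in the Windows event XML layout, filled with the example values
# from the field table; the TargetUserSid is a made-up domain SID, not a captured one.
SAMPLE_4696 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4696</EventID></System>
 <EventData>
  <Data>S-1-5-18</Data><Data>WIN2008$</Data><Data>DOMAIN</Data><Data>0x3e7</Data>
  <Data>S-1-5-21-1111-2222-3333-1104</Data><Data>dadmin</Data><Data>DOMAIN</Data><Data>0x1c8c5</Data>
  <Data>0xf40</Data><Data>C:\\Windows\\System32\\WerFault.exe</Data>
  <Data>0x698</Data><Data>C:\\Windows\\System32\\svchost.exe</Data>
 </EventData>
</Event>"""


def parse_4696(xml_text):
    """Map the positional <Data> values of a 4696 event onto field names.
    Assumes the <Data> elements appear in insertion-string order (%1..%12)."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4696":
        raise ValueError(f"not a 4696 event: {event_id!r}")
    values = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} insertion strings, got {len(values)}")
    return dict(zip(FIELDS, values))


def token_change_findings(rec):
    """Explain how the newly assigned primary token differs from the subject's context."""
    findings = []
    if rec["TargetLogonId"] != rec["SubjectLogonId"]:
        findings.append("new token belongs to a different logon session")
    if rec["SubjectUserSid"] == LOCAL_SYSTEM_SID and rec["TargetUserSid"] != LOCAL_SYSTEM_SID:
        findings.append("SYSTEM-context process assigned a non-SYSTEM user token")
    return findings


if __name__ == "__main__":
    record = parse_4696(SAMPLE_4696)
    for finding in token_change_findings(record):
        print(f"{record['ProcessName']} -> {record['TargetProcessName']}: {finding}")
```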
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Process Creation"