Event ID 4696

A primary token was assigned to process 

A primary token was assigned to process.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Process Information:
    Process ID:         %11
    Process Name:       %12

Target Process:
    Target Process ID:   %9
    Target Process Name: %10

New Token Information:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8


This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on.

IMPORTANT: This event is deprecated starting from Windows 7 and Windows 2008 R2.

Microsoft Documentation

Event ID - 4696



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-18
Account Name SubjectUserName %2 Any WIN2008$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Security ID TargetUserSid %5 Any S-1-5-18
Account Name TargetUserName %6 Any dadmin
Account Domain TargetDomainName %7 Any DOMAIN
Logon ID TargetLogonId %8 Any 0x1c8c5
Target Process ID TargetProcessId %9 Any 0xf40
Target Process Name TargetProcessName %10 Any C:\\Windows\\System32\\WerFault.exe
Process ID ProcessId %11 Any 0x698
Process Name TargetProcessName %12 Any C:\\Windows\\System32\\svchost.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Process Creation"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Detailed Tracking

Audit Subcategory:
Process Creation
Legacy Events:
600

LEFT/RIGHT arrow keys for navigation

Back to List