Event ID 4798

A user's local group membership was enumerated 

A user's local group membership was enumerated.

Subject:
    Security ID:    %4
    Account Name:   %5
    Account Domain: %6
    Logon ID:       %7

User:
    Security ID:    %3
    Account Name:   %1
    Account Domain: %2

Process Information:
    Process ID:   %8
    Process Name: %9


This event generates when a process enumerates a user's security-enabled local groups on a computer or device.

Microsoft Documentation

Event ID - 4798



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any Administrator
Account Domain TargetDomainName %2 Any ComputerName
Security ID TargetSid %3 Any S-1-5-21-1694160624-234216347-2203645164-500
Security ID SubjectUserSid %4 Any S-1-5-21-1377283216-344919071-3415362939-1104
Account Name SubjectUserName %5 Any dadmin
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x72d9d
Process ID CallerProcessId %8 Any 0xc80
Process Name CallerProcessName %9 Any C:\Windows\System32\mmc.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Account Management

Audit Subcategory:
User Account Management

LEFT/RIGHT arrow keys for navigation

Back to List