Windows Security Log Event ID 4672
4672: Special privileges assigned to new logon
This event lets you know whenever an account that has been assigned any "administrator equivalent" user rights logs on. For instance, you will see event 4672 in close proximity to logon events (4624) for administrators, since administrators hold most of these admin-equivalent rights, so this is a useful event for detecting any "super user" account logons. Of course, the event is also logged for any server or application accounts logging on as a batch job (scheduled task) or system service; see Logon Type on event ID 4624. You can correlate 4672 to 4624 by Logon ID.

Note that 4672 records the sensitive privileges present in the new logon's token; it does not mean any of them was exercised. Actual use of a sensitive privilege is audited separately (events 4673 and 4674 in the Sensitive Privilege Use subcategory).

Note: "User rights" and "privileges" are synonymous terms used interchangeably in Windows. Admin-equivalent rights are powerful authorities that allow you to circumvent other security controls in Windows. Most admin-equivalent privileges are intended for services and applications that interact closely with the operating system. With just a few exceptions, admin-equivalent privileges neither need nor should be granted to human user accounts.
Some Microsoft documentation puts this in the "Sensitive Privilege Use / Non-Sensitive Privilege Use" subcategory. However our testing finds this in the "Special Logon" Category.
Description Fields in 4672
Subject:
The ID and logon session of the administrator-equivalent user that just logged on.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID: a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Privileges:
The names of all the admin-equivalent privileges the user held at the time of logon.
Examples of 4672
Special privileges assigned to new logon.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x4b842
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
4627(S): Group membership information.
Subcategory: Audit Group Membership
Event Description:
This event generates with "4624(S): An account was successfully logged on" and shows the list of groups that the logged-on account belongs to.
You must also enable the Success audit for Audit Logon subcategory to get this event.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
For recommendations, see Security Monitoring Recommendations for this event.
Required Server Roles: None.
Minimum OS Version: Windows Server 2016, Windows 10.
Event Versions: 0.
Field Descriptions:
Security ID [Type = SID]: SID of the account that reported the successful logon or invoked it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers .
Account Name [Type = UnicodeString]: the name of the account that reported the successful logon or invoked it.
Account Domain [Type = UnicodeString] : subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals , such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4672(S): Special privileges assigned to new logon."
Logon Type [Type = UInt32]: the type of logon that was performed. The values are the same as for event 4624; the common ones are 2 (Interactive), 3 (Network), 4 (Batch), 5 (Service), 7 (Unlock), 8 (NetworkCleartext), 9 (NewCredentials), 10 (RemoteInteractive) and 11 (CachedInteractive).
Security ID [Type = SID] : SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString] : the name of the account for which logon was performed.
Event in sequence [Type = UInt32]: if there is not enough space in one event to hold all the groups, you will see "1 of N" in this field and additional events will be generated. Typically this field has the value "1 of 1".
Group Membership [Type = UnicodeString]: the list of group SIDs that the logged-on account belongs to (is a member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Security Monitoring Recommendations
For 4627(S): Group membership information.
For this event, also see Appendix A: Security monitoring recommendations for many audit events .
- Typically this action is reported by the NULL SID account, so we recommend reporting all events with “Subject\Security ID” not equal “ NULL SID ”.
- If you need to track that a member of a specific group logged on to a computer, check the “ Group Membership ” field.
PowerTip: Audit Special Privilege Use with PowerShell
Doctor Scripto
June 24th, 2013
Summary : Learn how to audit special privilege use with Windows PowerShell.
PS C:\> Get-EventLog security -InstanceId 4672 -newest 20 | ft timewritten, message -auto -wr

TimeWritten           Message
-----------           -------
6/19/2013 12:03:01 PM Special privileges assigned to new logon.
                      Subject:
                        Security ID:    S-1-5-18
                        Account Name:   SYSTEM
                        Account Domain: NT AUTHORITY
                        Logon ID:       0x3e7
                      Privileges:       SeAssignPrimaryTokenPrivilege
                                        SeTcbPrivilege
                                        SeSecurityPrivilege
                                        SeTakeOwnershipPrivilege
                                        SeLoadDriverPrivilege
                                        SeBackupPrivilege
                                        SeRestorePrivilege
                                        SeDebugPrivilege
                                        SeAuditPrivilege
                                        SeSystemEnvironmentPrivilege
                                        SeImpersonatePrivilege
Doctor Scripto Scripter, PowerShell, vbScript, BAT, CMD
How to tell which service or task caused a certain 4624 logon event?
I found a series of Windows logon events 4624 like this:
Each of them is followed by another 4672 event
From the looks of this, it seems that certain service or scheduled task is causing these logons. I tried to look into Windows Logs\Application and Windows Logs\System but found no event that happened at the same time of these logons. I am confused as to how to locate the service or task that is causing these logons. Any suggestions or hints are welcome. Thanks in advance!
Tags: scheduled-tasks, event-viewer
The first event is documented by Microsoft in the article 4624(S): An account was successfully logged on .
The Logon Type is 5 , which means "A service was started by the Service Control Manager". As recorded, the event was generated by C:\Windows\System32\services.exe which is the Services Control Manager, that is responsible for running, ending, and interacting with system services.
The subject system service is started with the SYSTEM account, which gives it basically unlimited powers, which causes the issuing of 4672(S): Special privileges assigned to new logon .
The logon process is marked as "advapi", which could mean that the logon was a Web-based logon through the IIS web server and the advapi process. However, this is so only for Logon Type 3 which is a network source. Yours is type 5, which is internal to the computer.
Your computer is probably not infected.
Reference Chapter 5 Logon/Logoff Events .
More information :
This event is described in the article 4624(S): An account was successfully logged on . It is logged for any type of logon.
You can see the provenance of the event from the LogonType field:
- I think in my case it ended up being SSRS, which doesn't directly use IIS but has similar OS/http.sys ties. – duct_tape_coder Apr 21, 2022 at 19:14
- 2 It was stated that "The logon process is marked as 'advapi', which means that the logon was a Web-based logon through the IIS web server and the advapi process." Presumably, this knowledge was derived from an Ultimate Windows Security section. In that link, we see that the above fact was indeed mentioned. However, the context was that it was event ID 4624 with logon type 3. The original post was about logon type 5. – Brian Lee Sep 6, 2022 at 2:08
- @BrianLee: I missed out on your comment in 2022. Corrected in 2023. – harrymc Oct 8, 2023 at 20:20
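The Ultimate Windows Security description above says to correlate 4672 to 4624 by Logon ID, the Microsoft field reference says the same, and the question in this thread is exactly the case where that join answers "which service or task caused this logon". The following is an added example, not code from any of those sources or from the answer above: it flattens Security-log event XML, joins each 4672 to the 4624 carrying the same Logon ID, and reports the logon type, logon process and originating process/host. It assumes the standard Security-log XML schema for 4624 and 4672 (EventData field names such as TargetLogonId, SubjectLogonId, LogonType, ProcessName); the two sample events at the bottom are constructed for the demonstration and mirror the type-5 services.exe logon discussed in the answer.

```powershell
# Added example: correlate 4672 (special privileges) with its 4624 (logon) by Logon ID.
# Not code from the original pages. Assumes the standard Security-log XML schema;
# sample events below are constructed.

function ConvertFrom-SecurityEventXml {
    # Flatten one event's XML into a PSCustomObject keyed by the EventData field names.
    param([Parameter(Mandatory)][string]$Xml)
    $e  = [xml]$Xml
    $id = $e.Event.System.EventID
    if ($id -isnot [string]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
    $props = [ordered]@{
        EventId     = [int]$id
        TimeCreated = [datetime]$e.Event.System.TimeCreated.SystemTime
    }
    foreach ($d in $e.Event.EventData.Data) { $props[$d.Name] = [string]$d.'#text' }
    [pscustomobject]$props
}

function Join-PrivilegedLogon {
    # 4672 carries SubjectLogonId; the matching 4624 carries the same value as TargetLogonId.
    param([Parameter(Mandatory)][object[]]$Events)
    $logons = @{}   # PowerShell hashtable keys are case-insensitive, so 0x4B842 matches 0x4b842
    foreach ($ev in $Events) { if ($ev.EventId -eq 4624) { $logons[$ev.TargetLogonId] = $ev } }
    foreach ($ev in $Events) {
        if ($ev.EventId -ne 4672) { continue }
        $l = $logons[$ev.SubjectLogonId]
        $type = $null; $proc = $null; $lp = $null; $src = 'no matching 4624 in range'
        if ($l) {
            $type = [int]$l.LogonType
            $lp   = $l.LogonProcessName.Trim()       # the field is padded with spaces in real events
            $proc = $l.ProcessName
            $src  = "$($l.WorkstationName) $($l.IpAddress)".Trim()
        }
        [pscustomobject]@{
            Time         = $ev.TimeCreated
            Account      = "$($ev.SubjectDomainName)\$($ev.SubjectUserName)"
            LogonId      = $ev.SubjectLogonId
            LogonType    = $type
            LogonProcess = $lp
            Process      = $proc          # for type 5 this is services.exe; for type 4 the task engine
            Source       = $src
            Privileges   = (@($ev.PrivilegeList -split '\s+') | Where-Object { $_ }) -join ','
        }
    }
}

function Get-PrivilegedLogonReport {
    # Live query against the local Security log; needs an elevated prompt.
    # Widen -Since if a 4672 shows "no matching 4624": the logon may predate the window.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $raw = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $Since } -ErrorAction Stop
    Join-PrivilegedLogon -Events ($raw | ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() })
}

# Constructed sample: a type-5 service logon started by services.exe, followed by its 4672.
$sample4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2023-10-08T20:19:52.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">SYSTEM</Data><Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0x1c6d2e</Data><Data Name="LogonType">5</Data>
    <Data Name="LogonProcessName">Advapi  </Data><Data Name="WorkstationName">-</Data>
    <Data Name="IpAddress">-</Data><Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>
'@
$sample4672 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><TimeCreated SystemTime="2023-10-08T20:19:52.010Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x1C6D2E</Data>
    <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
			SeTcbPrivilege
			SeDebugPrivilege</Data>
  </EventData>
</Event>
'@

$events = @($sample4624, $sample4672) | ForEach-Object { ConvertFrom-SecurityEventXml $_ }
Join-PrivilegedLogon -Events $events | Format-List
# Run Get-PrivilegedLogonReport from an elevated prompt to do the same against the live log.
```

On the sample input the single output row shows LogonType 5, LogonProcess Advapi and Process C:\Windows\System32\services.exe, which is the signature of a service start rather than a web logon; a scheduled task shows LogonType 4 instead, and an interactive or RDP logon shows 2 or 10 with a real workstation name and address. The join is by Logon ID rather than by timestamp because several logons can share the same second while the Logon ID is unique for the uptime of the machine.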
- Knowledge Base
Logon Logoff Event: 4672
The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.
Event ID 4672 – Special Privileges Assigned To New Logon
If sensitive privileges are assigned to a new logon session, event 4672 is generated for that particular new logon. This event is generally recorded multiple times in the event viewer as every single local system account logon triggers this event.
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
Why does event ID 4672 need to be monitored?
- To ensure a non-administrative account does not have unexpected privileges
- To ensure certain privileges are never granted
- To monitor specific sensitive privileges
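The three monitoring goals listed above (unexpected accounts with special privileges, privileges that should never be granted, and watching specific sensitive privileges) reduce to one filter over 4672 events. The following is an added example, not ManageEngine's or Microsoft's code: it reads 4672 events with Get-WinEvent (Get-EventLog, used in the PowerTip earlier on this page, is not available in PowerShell 7), skips the built-in service identities that legitimately generate most of these events, and flags each remaining logon against an allow list of expected administrative accounts and a never-grant privilege list. It assumes the 4672 EventData field order (SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList); the account names, SIDs and logon IDs in the sample data are constructed.

```powershell
# Added example: flag suspicious 4672 events. Not code from the original pages.
# Assumes the 4672 EventData order used by Get-WinEvent's Properties collection;
# the sample events at the bottom are constructed.

$BuiltInServiceSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

function Test-SpecialLogon {
    param(
        [Parameter(Mandatory)][object[]]$Logons,
        # DOMAIN\name entries expected to receive admin-equivalent tokens (admins, backup/service accounts)
        [string[]]$AllowedAccounts = @(),
        # Privileges no account other than the built-in service identities should ever hold.
        # Neither is granted to Administrators by default, so a hit is not routine admin noise.
        [string[]]$NeverGrant = @('SeTcbPrivilege', 'SeCreateTokenPrivilege')
    )
    foreach ($l in $Logons) {
        if ($l.SubjectUserSid -in $BuiltInServiceSids) { continue }
        $privs   = @($l.PrivilegeList -split '\s+' | Where-Object { $_ })
        $acct    = "$($l.SubjectDomainName)\$($l.SubjectUserName)"
        $reasons = @()
        if ($acct -notin $AllowedAccounts) { $reasons += 'account not on the expected admin list' }
        $hits = @($privs | Where-Object { $_ -in $NeverGrant })
        if ($hits.Count -gt 0) { $reasons += "never-grant privilege present: $($hits -join ',')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Account    = $acct
                LogonId    = $l.SubjectLogonId
                Reasons    = $reasons -join '; '
                Privileges = $privs -join ','
            }
        }
    }
}

function Get-SpecialLogonFromLog {
    # Live read of 4672 from the local Security log; needs an elevated prompt.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Since } |
        ForEach-Object {
            [pscustomobject]@{
                SubjectUserSid    = [string]$_.Properties[0].Value      # SecurityIdentifier -> "S-1-5-..."
                SubjectUserName   = $_.Properties[1].Value
                SubjectDomainName = $_.Properties[2].Value
                SubjectLogonId    = '0x{0:x}' -f $_.Properties[3].Value  # UInt64 -> same hex form as the event text
                PrivilegeList     = $_.Properties[4].Value
            }
        }
}

# Constructed sample: SYSTEM (skipped), an expected admin, an unlisted service account,
# and a user holding SeTcbPrivilege.
$sample = @(
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18'; SubjectUserName = 'SYSTEM'; SubjectDomainName = 'NT AUTHORITY'
                       SubjectLogonId = '0x3e7'; PrivilegeList = "SeAssignPrimaryTokenPrivilege`nSeTcbPrivilege`nSeDebugPrivilege" }
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-21-1111-2222-3333-500'; SubjectUserName = 'Administrator'; SubjectDomainName = 'CONTOSO'
                       SubjectLogonId = '0x4b842'; PrivilegeList = "SeSecurityPrivilege`nSeBackupPrivilege`nSeDebugPrivilege" }
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-21-1111-2222-3333-1201'; SubjectUserName = 'svc_backup'; SubjectDomainName = 'CONTOSO'
                       SubjectLogonId = '0x5a1c9'; PrivilegeList = "SeBackupPrivilege`nSeRestorePrivilege" }
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-21-1111-2222-3333-1105'; SubjectUserName = 'jsmith'; SubjectDomainName = 'CONTOSO'
                       SubjectLogonId = '0x6b3f2'; PrivilegeList = "SeTcbPrivilege`nSeImpersonatePrivilege" }
)

Test-SpecialLogon -Logons $sample -AllowedAccounts 'CONTOSO\Administrator' | Format-Table -AutoSize
# Live: Test-SpecialLogon -Logons (Get-SpecialLogonFromLog) -AllowedAccounts 'CONTOSO\Administrator'
```

On the sample data SYSTEM is skipped, CONTOSO\Administrator passes (SeDebugPrivilege is a default Administrators right, so it is deliberately not on the never-grant list), CONTOSO\svc_backup is reported only for being off the allow list, and CONTOSO\jsmith is reported for both reasons. Tune the allow list to the accounts that legitimately run services and scheduled tasks on each host; otherwise every batch and service logon becomes an alert.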
ADAudit Plus helps you avoid the complexities of GPO monitoring with real-time pre-configured reports and change auditing, along with alerts, within a domain and OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details and comprehensively report the assigned special privileges, both old and new.
Event 4672 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Corresponding events in Windows 2003 and before: 576
Event viewer - special Logon - NT Authority
#1 Darktune, posted 16 June 2013 - 05:36 AM
Hello,
I turned my PC on this morning and I was logged onto a temporary profile and was a bit confused, so I logged off and logged into my normal user account.
Then I started wondering why it did it, so I went into Event Viewer and noted under Security there were a lot of unusual logs somewhat like this:
Keywords: Audit Success | Date & Time: 16/03/2013 10:19:52 | Source: Microsoft Windows security auditing | Event ID: 4672 | Task Category: Special Logon
I have a lot of these and when I click event properties it says the following
I'm not that good with computers so please can someone explain what this is? I am extremely paranoid when it comes to spyware and malware etc.. but I have Comodo firewall install as well as various other firewalls.
#2 dc3, posted 16 June 2013 - 07:50 AM
This article explains what this is.
#3 Darktune (topic starter), posted 16 June 2013 - 08:26 AM
Thank you for replying dc3,
what you sent me explains what audit sensitive privileges are, I was wondering what NT authority is doing there
#4 Queen-Evie (Helper Emeritus), posted 17 June 2013 - 06:47 PM
NT Authority\SYSTEM, a.k.a. the LocalSystem account, is a built-in Windows account. It is the most powerful account on a Windows local instance (more powerful than any admin account). Most of the system-level (Windows Services) services and some other 3rd party services run in the account. You do not have to worry about it. http://superuser.com/questions/471769/what-is-the-nt-authority-system-user
#5 Darktune, posted 17 June 2013 - 06:49 PM
Thank you Queen-Evie. You've been a great help
Multiple Logons in Event Viewer
Run the Microsoft Safety Scanner in full scan mode, and remove all the threats that get detected by it and see if the issue persists.
Microsoft Safety Scanner
Note : The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.
The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.
Hope this information helps.
Related excerpts from other sources
Microsoft Learn, 4672(S): Special privileges assigned to new logon (article dated 12/15/2022). Subcategory: Audit Special Logon. Event Description: This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session: SeTcbPrivilege - Act as part of the operating system ...
As we are collecting events with event code 4672 (Special privileges assigned to new logon), we can perform searches across our fleet to identify where user tokens with the SeDebugPrivilege are generated. An example event: ... In this instance, an administrator user executed psexec to spawn a cmd.exe shell as NT AUTHORITY\SYSTEM. Note the ...
In this example, the event ID 4672 indicates that special privileges (e.g., admin privileges) were assigned to a new logon. Look for event ID 4624 that accompanies this event (with the same TimeCreated date/time) to identify the account invoking this access and the associated network information (workstation name, source network address) to ...
Event ID 4672 - Special Privileges Assigned To New Logon If sensitive privileges are assigned to a new logon session, event 4672 is generated for that particular new logon. This event is generally recorded multiple times in the event viewer as every single local system account logon triggers this event.
Special privileges assigned to new logon. Subject: Security ID: LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges:...
Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 Special privileges assigned to new logon. Subject: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege
Special privileges assigned to new logon. Subject: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege