Windows Security Log Event ID 4672

4672: Special privileges assigned to new logon


This event lets you know whenever an account that has been assigned any "administrator equivalent" user rights logs on. For instance, you will see event 4672 in close proximity to logon events (4624) for administrators, since administrators hold most of these admin-equivalent rights. So this is a useful event for detecting any "super user" account logon. Of course, this event is also logged for any server or application account logging on as a batch job (scheduled task) or system service; see Logon Type on event ID 4624. You can correlate 4672 to 4624 by Logon ID.

Note: "User rights" and "privileges" are synonymous terms used interchangeably in Windows. Admin-equivalent rights are powerful authorities that allow you to circumvent other security controls in Windows. Most admin-equivalent privileges are intended for services and applications that interact closely with the operating system. With just a few exceptions, admin-equivalent privileges neither need nor should be granted to human user accounts.

Some Microsoft documentation puts this event in the "Sensitive Privilege Use / Non-Sensitive Privilege Use" subcategory. However, our testing finds it in the "Special Logon" subcategory.


Description Fields in 4672

Subject: The ID and logon session of the administrator-equivalent user that just logged on.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Privileges:

The names of all the admin-equivalent privileges the user held at the time of logon.
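One way to do the 4672-to-4624 correlation by Logon ID described above, and to separate the expected service-account noise from "super user" logons by people, as an added Python example (not code from the original page). It assumes exported message bodies in the field layout shown above; the service-principal list, the interactive logon-type set and the sample accounts are constructed assumptions.

```python
"""Correlate 4672 (special privileges) with 4624 (logon) by Logon ID.
Added example, not code from the original page. Event texts are constructed
to mirror the page's field layout; the service-principal list and the
interactive logon-type set are assumptions for illustration."""
import re

# Built-in principals whose 4672 events fire on every boot and service start.
SERVICE_PRINCIPALS = {("NT AUTHORITY", "SYSTEM"), ("NT AUTHORITY", "LOCAL SERVICE"),
                      ("NT AUTHORITY", "NETWORK SERVICE")}
INTERACTIVE_TYPES = {2, 10, 11}  # console, RDP, cached interactive (4624 Logon Type)
FIELD_RE = re.compile(r"^\s*(Security ID|Account Name|Account Domain|Logon ID):\s*(\S.*?)\s*$", re.M)


def parse_event(event_id, text):
    """Return (event_id, fields, privileges) for one 4624 or 4672 message body."""
    # 4624 has a Subject block and a 'New Logon:' block; the account that
    # logged on is in the latter, so read the fields from there when present.
    fields = dict(FIELD_RE.findall(text.split("New Logon:", 1)[-1]))
    m = re.search(r"Logon Type:\s*(\d+)", text)
    if m:
        fields["Logon Type"] = int(m.group(1))
    privs = re.findall(r"\bSe\w+Privilege\b", text.partition("Privileges:")[2])
    return event_id, fields, privs


def correlate(events):
    """Join each 4672 to the 4624 with the same Logon ID (hex, case-insensitive)."""
    logons = {f["Logon ID"].lower(): f for eid, f, _ in events if eid == 4624}
    rows = []
    for eid, f, privs in events:
        if eid == 4672:
            logon = logons.get(f["Logon ID"].lower())
            rows.append({"logon_id": f["Logon ID"].lower(),
                         "account": (f["Account Domain"].upper(), f["Account Name"].upper()),
                         "logon_type": logon["Logon Type"] if logon else None,
                         "privileges": privs})
    return rows


def flag_super_user_logons(rows, watch=("SeDebugPrivilege", "SeTcbPrivilege")):
    """Keep rows for non-service accounts holding a watched privilege that logged
    on interactively, or whose Logon ID matched no 4624 at all (unknown origin)."""
    hits = []
    for r in rows:
        held = sorted(set(r["privileges"]) & set(watch))
        if r["account"] in SERVICE_PRINCIPALS or not held:
            continue
        if r["logon_type"] is None or r["logon_type"] in INTERACTIVE_TYPES:
            hits.append((r["account"], r["logon_id"], r["logon_type"], held))
    return hits


# Constructed sample message bodies, modelled on the examples shown on the page.
ADMIN_4624 = """An account was successfully logged on.
Logon Information:
    Logon Type:     2
New Logon:
    Account Name:   Administrator
    Account Domain: WIN-R9H529RIO4Y
    Logon ID:       0x4B842
"""
ADMIN_4672 = """Special privileges assigned to new logon.
Subject:
    Account Name:   Administrator
    Account Domain: WIN-R9H529RIO4Y
    Logon ID:       0x4b842
Privileges:     SeSecurityPrivilege
                SeBackupPrivilege
                SeDebugPrivilege
"""
SYSTEM_4672 = """Special privileges assigned to new logon.
Subject:
    Account Name:   SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID:       0x3e7
Privileges:     SeTcbPrivilege
                SeDebugPrivilege
"""
SAMPLE_EVENTS = [parse_event(4624, ADMIN_4624), parse_event(4672, ADMIN_4672),
                 parse_event(4672, SYSTEM_4672)]

if __name__ == "__main__":
    for hit in flag_super_user_logons(correlate(SAMPLE_EVENTS)):
        print(hit)
```

The SYSTEM 4672 (Logon ID 0x3e7) is dropped as expected service noise, while the Administrator's interactive logon holding SeDebugPrivilege is reported.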


Examples of 4672

Special privileges assigned to new logon.

Subject:
    Security ID:    WIN-R9H529RIO4Y\Administrator
    Account Name:   Administrator
    Account Domain: WIN-R9H529RIO4Y
    Logon ID:       0x4b842

Privileges:     SeSecurityPrivilege
                SeTakeOwnershipPrivilege
                SeLoadDriverPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
                SeSystemEnvironmentPrivilege
                SeImpersonatePrivilege


4627(S): Group membership information.


Subcategory:   Audit Group Membership

Event Description:

This event generates with “4624(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to.

You must also enable the Success audit for Audit Logon subcategory to get this event.

Multiple events are generated if the group membership information cannot fit in a single security audit event.

For recommendations, see Security Monitoring Recommendations for this event.

Required Server Roles: None.

Minimum OS Version: Windows Server 2016, Windows 10.

Event Versions: 0.

Field Descriptions:

Security ID [Type = SID] : SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString] : the name of the account that reported information about successful logon or invokes it.

Account Domain [Type = UnicodeString] : subject’s domain or computer name. Formats vary, and include the following:

Domain NETBIOS name example: CONTOSO

Lowercase full domain name: contoso.local

Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

Logon ID [Type = HexInt64] : hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”

Logon Type [Type = UInt32] : the type of logon which was performed. The table below contains the list of possible values for this field:

Security ID [Type = SID] : SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Account Name [Type = UnicodeString] : the name of the account for which logon was performed.

Event in sequence [Type = UInt32] : If there is not enough space in one event to list all groups, you will see “1 of N” in this field and additional events will be generated. Typically this field has the value “1 of 1”.

Group Membership [Type = UnicodeString] : the list of group SIDs that the logged-on account belongs to (is a member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Security Monitoring Recommendations

For 4627(S): Group membership information.

For this event, also see Appendix A: Security monitoring recommendations for many audit events.

  • Typically this action is reported by the NULL SID account, so we recommend reporting all events with “Subject\Security ID” not equal to “NULL SID”.
  • If you need to track that a member of a specific group logged on to a computer, check the “Group Membership” field.
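An added Python example (not from the original article) that reassembles 4627 events split across several fragments, using the “Event in sequence” field and Logon ID, and then checks the merged Group Membership for a watched group as the recommendation above suggests; a logon with missing fragments is reported as undecided rather than as "not a member". The sample events, the domain SID prefix, the account name and the Logon IDs are constructed.

```python
"""Reassemble split 4627 (group membership) events and check a watched group.
Added example, not code from the original article. The sample events are
constructed in the field layout the article describes; the domain SID prefix,
the account name and the Logon IDs are illustrative assumptions."""
import re
from collections import defaultdict

SEQ_RE = re.compile(r"Event in sequence:\s*(\d+)\s+of\s+(\d+)")
LOGON_ID_RE = re.compile(r"Logon ID:\s*(0x[0-9A-Fa-f]+)")
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")  # raw SIDs, as shown when unresolved


def parse_4627(text):
    """Return (logon_id, seq, total, group_sids) for one 4627 message body."""
    logon_id = LOGON_ID_RE.search(text).group(1).lower()
    seq, total = map(int, SEQ_RE.search(text).groups())
    groups = SID_RE.findall(text.partition("Group Membership:")[2])
    return logon_id, seq, total, groups


def merge_membership(events):
    """Group fragments by Logon ID; return {logon_id: (complete, group_sids)}.

    A logon whose N fragments have not all arrived is marked incomplete so a
    'member of X?' check does not silently answer 'no' on partial data."""
    parts, totals = defaultdict(dict), {}
    for text in events:
        logon_id, seq, total, groups = parse_4627(text)
        parts[logon_id][seq] = groups
        totals[logon_id] = total
    merged = {}
    for logon_id, frags in parts.items():
        complete = set(frags) == set(range(1, totals[logon_id] + 1))
        sids = [s for i in sorted(frags) for s in frags[i]]
        merged[logon_id] = (complete, sids)
    return merged


def logons_in_group(merged, group_sid):
    """Return (logon IDs whose complete membership holds group_sid,
    logon IDs that cannot be decided because fragments are missing)."""
    members = [lid for lid, (ok, sids) in merged.items() if ok and group_sid in sids]
    undecided = [lid for lid, (ok, _) in merged.items() if not ok]
    return members, undecided


DOMAIN = "S-1-5-21-1111-2222-3333"  # constructed domain SID prefix
DOMAIN_ADMINS = DOMAIN + "-512"      # RID 512 is the Domain Admins group


def sample(logon_id, seq, total, sids):
    """Constructed 4627 message body using the field names the article lists."""
    return ("Group membership information.\nSubject:\n\tSecurity ID:\tS-1-0-0\n"
            f"\tAccount Name:\t-\n\tAccount Domain:\t-\n\tLogon ID:\t{logon_id}\n"
            f"Logon Type:\t2\nNew Logon:\n\tSecurity ID:\t{DOMAIN}-1104\n"
            f"\tAccount Name:\tjdoe\nEvent in sequence:\t{seq} of {total}\n"
            "Group Membership:\n\t\t" + "\n\t\t".join(sids) + "\n")


SAMPLE_EVENTS = [
    sample("0x4b842", 1, 2, ["S-1-1-0", "S-1-5-32-545", DOMAIN + "-513"]),  # part 1 of 2
    sample("0x4b842", 2, 2, [DOMAIN_ADMINS, "S-1-5-32-544"]),              # part 2 of 2
    sample("0x5c1a0", 1, 2, ["S-1-1-0", DOMAIN + "-513"]),                 # part 2 never seen
    sample("0x3e7", 1, 1, ["S-1-1-0", "S-1-5-32-544"]),                     # fits in one event
]

if __name__ == "__main__":
    print(logons_in_group(merge_membership(SAMPLE_EVENTS), DOMAIN_ADMINS))
```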


PowerTip: Audit Special Privilege Use with PowerShell

Doctor Scripto

June 24th, 2013

Summary : Learn how to audit special privilege use with Windows PowerShell.


PS C:\> Get-EventLog security -InstanceId 4672 -newest 20| ft timewritten, message -auto -wr

TimeWritten           Message
-----------           -------
6/19/2013 12:03:01 PM Special privileges assigned to new logon.
                      Subject:
                          Security ID:        S-1-5-18
                          Account Name:       SYSTEM
                          Account Domain:     NT AUTHORITY
                          Logon ID:           0x3e7
                      Privileges:        SeAssignPrimaryTokenPrivilege
                                         SeTcbPrivilege
                                         SeSecurityPrivilege
                                         SeTakeOwnershipPrivilege
                                         SeLoadDriverPrivilege
                                         SeBackupPrivilege
                                         SeRestorePrivilege
                                         SeDebugPrivilege
                                         SeAuditPrivilege
                                         SeSystemEnvironmentPrivilege
                                         SeImpersonatePrivilege


How to tell which service or task caused a certain 4624 logon event?

I found a series of Windows logon events 4624 like this:

Each of them is followed by another 4672 event

From the looks of this, it seems that certain service or scheduled task is causing these logons. I tried to look into Windows Logs\Application and Windows Logs\System but found no event that happened at the same time of these logons. I am confused as to how to locate the service or task that is causing these logons. Any suggestions or hints are welcome. Thanks in advance!

  • scheduled-tasks
  • event-viewer


The first event is documented by Microsoft in the article 4624(S): An account was successfully logged on.

The Logon Type is 5, which means "A service was started by the Service Control Manager". As recorded, the event was generated by C:\Windows\System32\services.exe, which is the Service Control Manager, responsible for running, ending, and interacting with system services.

The subject system service is started with the SYSTEM account, which gives it basically unlimited powers, which causes the issuing of 4672(S): Special privileges assigned to new logon.

The logon process is marked as "advapi", which could mean that the logon was a Web-based logon through the IIS web server and the advapi process. However, this is so only for Logon Type 3, which is a network source. Yours is type 5, which is internal to the computer.

Your computer is probably not infected.

Reference: Chapter 5 Logon/Logoff Events.

More information:

This event is described in the article 4624(S): An account was successfully logged on. It is logged for any type of logon.

You can see the provenance of the event from the LogonType field:


  • I think in my case it ended up being SSRS, which doesn't directly use IIS but has similar OS/http.sys ties. –  duct_tape_coder Apr 21, 2022 at 19:14
  • It was stated that The logon process is marked as "advapi", which means that the logon was a Web-based logon through the IIS web server and the advapi process. Presumably, this knowledge was derived from an Ultimate Windows Security section. In that link, we see that the above fact was indeed mentioned. However, the context was that it was event ID 4624 with logon type 3. The original post was about logon type 5. –  Brian Lee Sep 6, 2022 at 2:08
  • @BrianLee: I missed out on your comment in 2022. Corrected in 2023. –  harrymc Oct 8, 2023 at 20:20


Logon Logoff Event: 4672

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.


Event ID 4672 – Special Privileges Assigned To New Logon

If sensitive privileges are assigned to a new logon session, event 4672 is generated for that particular new logon. This event is generally recorded multiple times in the event viewer as every single local system account logon triggers this event.

This log data provides the following information:

  • Security ID
  • Account Name
  • Account Domain

Why does event ID 4672 need to be monitored?

  • To ensure a non-administrative account does not have unexpected privileges
  • To ensure certain privileges are never granted
  • To monitor specific sensitive privileges

ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a domain & OU. The advanced Group Policy settings real-time audit reports emphasize on the elusive change details and comprehensively report the assigned special privileges, both old and new.

Event 4672 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Corresponding events in Windows 2003 and before: 576


Event viewer - special Logon - NT Authority


#1 Darktune


Posted 16 June 2013 - 05:36 AM

Hello, 

I turned my PC on this morning and I was logged onto a temporary profile and was a bit confused, so I logged off and logged into my normal user account.

Then I started wondering why it did that, so I went into Event Viewer and noted under Security there were a lot of unusual logs, somewhat like this:

Keywords        Date & Time           Source                        Event ID   Task category
Audit success   16/03/2013 10:19:52   Microsoft security Auditing   4672       Special logon

I have a lot of these and when I click event properties it says the following

I'm not that good with computers, so please can someone explain what this is? I am extremely paranoid when it comes to spyware and malware etc., but I have Comodo firewall installed as well as various other firewalls.


Arachibutyrophobia


Posted 16 June 2013 - 07:50 AM

This article explains what this is.

#3 Darktune


Posted 16 June 2013 - 08:26 AM

Thank you for replying dc3,

What you sent me explains what audit sensitive privileges are; I was wondering what NT AUTHORITY is doing there.

#4 Queen-Evie


Posted 17 June 2013 - 06:47 PM

NT Authority\SYSTEM, a.k.a. the LocalSystem account, is a built-in Windows account. It is the most powerful account on a Windows local instance (more powerful than any admin account). Most of the system-level services (Windows Services) and some other 3rd-party services run in that account. You do not have to worry about it at all. http://superuser.com/questions/471769/what-is-the-nt-authority-system-user

#5 Darktune

Posted 17 June 2013 - 06:49 PM

Thank you Queen-Evie. You've been a great help


Multiple Logons in Event Viewer


Jessen P

Run the Microsoft Safety Scanner in full scan mode, remove all the threats that it detects, and see if the issue persists.

Microsoft Safety Scanner

Note : The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.

Hope this information helps.
