The Windows Security Log Revealed

Chapter 10
Privilege Use Events

You can use the Privilege Use audit category to track the exercise of user rights. Microsoft uses the terms privilege, right, and permission inconsistently. In the case of this audit category, privilege refers to most of the user rights that you find in the Local Security Policy under Security Settings\Local Policies\User Rights Assignment — with one important exception. Intermingled within those user rights are logon rights. Logon rights such as Allow logon locally and Access this computer from the network are not addressed by the Privilege Use category because they aren’t technically user rights. (To find out when a logon right is exercised, you can refer to the Logon/Logoff category’s Logon subcategory, which we discussed in Chapter 5).

The chart below lists the subcategories of the Privilege Use category, along with the privileges that Microsoft considers Sensitive Privilege Use and Non Sensitive Privilege Use. We have not observed any events in the Non Sensitive Privilege Use subcategory, and most of the listed privileges in this category are not audited.

Privilege Use Subcategories Included Privileges
Sensitive Privilege Use

Act as part of the operating system

Back up files and directories

Create a token object

Debug programs

Enable computer and user accounts to be trusted for delegation

Generate security audits

Impersonate a client after authentication

Load and unload device drivers

Manage auditing and security log

Modify firmware environment values

Replace a process-level token

Restore files and directories

Take ownership of files or other objects

Non Sensitive Privilege Use

Access Credential Manager as a trusted caller

Access this computer from the network

Add workstations to domain

Adjust memory quotas for a process

Allow logon locally

Allow logon through Terminal Services

Bypass traverse checking

Change the system time

Create a pagefile

Create global objects

Create permanent shared objects

Create symbolic links

Deny access this computer from the network

Deny log on as a batch job

Deny log on as a service

Deny log on locally

Deny log on through Terminal Services

Force shutdown from a remote system

Increase a process working set

Increase scheduling priority

Lock pages in memory

Log on as a batch job

Log on as a service

Modify an object label

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Shut down the system

Synchronize directory service data

Other Privilege Use Events

No events in this subcategory

The Privilege Use category logs two events.

Event ID

Title

4673

A privileged service was called

4674

An operation was attempted on a privileged object

For most user rights, Windows logs a Privilege Use event when a user exercises the right. However, some rights are exercised so frequently during the normal course of a user’s activities that the Security log would quickly fill if Windows were to log each use. Therefore Windows doesn’t normally log some rights. Among these high-use rights are Back up files and directories and Restore files and directories. You can force Windows to log these two rights by enabling the Audit: Audit the use of Backup and Restore privilegesecurity option, but enabling this option will result in a Privilege Use event being logged for every single file, folder, and other object during system backups, overwhelming your log with events of questionable value.

Backup and Restore privileges are also used at other times, specifically whenever an application attempts access through the NTFS backup API. For normal user rights, Windows logs either event ID 4673 or event ID 4674 when right is exercised. As mentioned earlier, logon rights are never logged by Privilege Use events: The use of logon rights is documented by Logon/Logoff events. Event ID 4674 has to do with a privilege that is used to access an object. Therefore, this event lists the object name. Event ID 4673 lists the affected process and service name.

System Name of Privilege

Description

Notes

SeTcbPrivilege

Act as part of the operating system

Logged frequently Event 4673

SeMachineAccountPrivilege

Add workstations to domain

Not logged

SeBackupPrivilege

Back up files and directories

Logged only when the Audit the use of Backup and Restore privilege security option is enabled

SeCreatePermanentPrivilege

Create permanent shared objects

 

SeEnableDelegationPrivilege

Enable computer and user accounts to be trusted for delegation

 

SeRemoteShutdownPrivilege

Force shutdown from a remote system

 

SeLoadDriverPrivilege

Load and unload device drivers

 

SeRestorePrivilege

Restore files and directories

Logged only when the Audit the use of Backup and Restore privilege security option is enabled

SeSecurityPrivilege

Manage auditing and Security log

Event 4674

SeShutdownPrivilege

Shut down the system

Event 4674

SeTakeOwnershipPrivilege

Take ownership of files or other objects

Event 4674

 

SeIncreaseBasePriorityPrivilege

Increase Scheduling Priority

Event 4673

By default, the following rights are suppressed and not audited by the Privilege Use category:

  • ChangeNotifyPrivilege
  • AuditPrivilege
  • CreateTokenPrivilege
  • AssignPrimaryTokenPrivilege
  • BackupPrivilege
  • RestorePrivilege
  • DebugPrivilege

Bottom Line

The Privilege Use category generates a lot of noise, and we usually recommend leaving it disabled. In fact, Microsoft’s former Security log guru, Eric Fitzgerald, as much as says that this audit policy and its events are useless because no “central reference” of which operations are controlled by each privilege exists. That lack reduces the value of this category.

Next Chapter

Back to top

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

 

Upcoming Webinars
    Additional Resources