Windows Security Log Event ID 4673

4673: A privileged service was called

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

Event 4673 indicates that the specified user exercised the user right specified in the Privileges field.

Note: "User rights" and "privileges" are synonymous terms used interchangeably in Windows.

Some user rights are logged by this event - others by 4674. Still other, ""high-volume"" rights are not logged when they are exercised unless you enable the security option "Audit: Audit the use of Backup and Restore privilege". 

Unfortunately, Microsoft has overloaded these privileges so that each privilege may govern your authority to perform many different operations and which privilege is required for which operations is not well documented.  Therefore seeing that a privilege was exercised doesn't really tell you much.  In Win2008 this has been improved with better information in the Server: and Service Name: fields.  In general though, I still classify these events as noise.  Microsoft admits: "These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred."

Note: 4673 and 4674 do not log any activity associated with Logon Rights such as the SeNetworkLogonRight. Do not confuse events 4673 and 4674 with events  4717 and 4718 which document rights assignment changes as opposed to the exercise of rights which is the purpose of events 4673 and 4674. 

Subject:

The ID and logon session of the user that excercised the right. 

• Security ID:  The SID of the account.
• Account Name: The account logon name.
• Account Domain: The domain or - in the case of local accounts - computer name.
• Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Service:

These fields help you narrow down what the user exercised the the right for. 

• Server: The system component affected
• Service Name: The operation affected

Start a discussion below if you have information on these fields!

Process Information:

These fields tell you the program that exercised the right. The Process Name identifies the program executable.  Process ID is the process ID specified when the executable started as logged in 4688.

Service Request Information: Privileges: The names of the privileges just exercised

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4673

Subject:

•  Security ID:  %1
•  Account Name:  %2
•  Account Domain:  %3
•  Logon ID:  %4

Service:

•  Server: %5
•  Service Name: %6

Process:

•  Process ID: %8
•  Process Name: %9

Service Request Information:

•  Privileges:  %7

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy