Windows Security Log Event ID 4674

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Privilege Use
 • Sensitive Privilege Use
Type Success
Failure
Corresponding events
in Windows 2003
and before
578  

4674: An operation was attempted on a privileged object

On this page

Event 4674 indicates that the specified user exercised the user right specified in the Privileges field.

Note: "User rights" and "privileges" are synonymous terms used interchangeably in Windows.

Some user rights are logged by 4674 - others by 4673. Still other, "high-volume" rights are not logged when they are exercised unless you enable the security option "Audit: Audit the use of Backup and Restore privilege". 

Unfortunately, Microsoft has overloaded these privileges so that each privilege may govern your authority to perform many different operations and which privilege is required for which operations is not well documented.  Therefore seeing that a privilege was exercised doesn't really tell you much.  In Win2008 this has been improved with better information in the Server: and Service Name: fields.  In general though, I still classify these events as noise.  Microsoft admits: "These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred."

Note: 4673 and 4674 do not log any activity associated with Logon Rights such as the SeNetworkLogonRight. Do not confuse events 4673 and 4674 with events 4717 and 4718 which document rights assignment changes as opposed to the exercise of rights which is the purpose of events 4673 and 4674.

Free Security Log Resources by Randy

Description Fields in 4674

321Subject:

The ID and logon session of the user that excercised the right.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Object:

These fields help you narrow down what the user exercised the the right for. 

  • Object Server: Seems to always be "Security"
  • Object Type: Seems to always be "-"
  • Object Name: Seems to always be "-"
  • Object Handle: May correspond to the handle of the object upon which the right was exercised.  See event ID 4656


Start a discussion below if you have information on these fields! 

Process Information:

These fields tell you the program that exercised the right.

  • Process ID: the process ID specified when the executable started as logged in 4688.
  • Process Name: identifies the program executable. 

Requested Operation:

  • Desired Access: unknown. 

    Start a discussion below if you have information on this field!

  • Privileges: The names of the privileges just exercised

Supercharger Enterprise


 

Examples of 4674

An operation was attempted on a privileged object.

Subject:

Security ID:  WIN-R9H529RIO4Y\Administrator
Account Name:  Administrator
Account Domain:  WIN-R9H529RIO4Y
Logon ID:  0x19f4c

Object:

Object Server: Win32 SystemShutdown module
Object Type: -
Object Name: -
Object Handle: 0x0

Process Information:

Process ID: 0x1e0
Process Name: C:\Windows\System32\wininit.exe

Requested Operation:

Desired Access: 0
Privileges:  SeShutdownPrivilege

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources