Windows Security Log Event ID 609

Operating Systems	Windows Server 2000 Windows 2003 and XP
Category	Policy Change
Type	Success
Corresponding events in Windows 2008 and Vista	4705

609: User Right Removed

On this page

Description of this event
Field level details
Examples

A user right was revoked from the Removed From user or group. See event 608 for a full explanation.

Note: This event and 609 do not log changes to logon rights such as "Access this computer from the network" or "Logon as a service". See events 621 and 622.

User Rights

User Right	Description
SeTcbPrivilege	Act as part of the operating system
SeMachineAccountPrivilege	Add workstations to domain
SeIncreaseQuotaPrivilege	Adjust memory quotas for a process
SeBackupPrivilege	Back up files and directories
SeChangeNotifyPrivilege	Bypass traverse checking
SeSystemtimePrivilege	Change the system time
SeCreatePagefilePrivilege	Create a pagefile
SeCreateTokenPrivilege	Create a token object
SeCreatePermanentPrivilege	Create permanent shared objects
SeDebugPrivilege	Debug programs
SeEnableDelegationPrivilege	Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege	Force shutdown from a remote system
SeAuditPrivilege	Generate security audits
SeIncreaseBasePriorityPrivilege	Increase scheduling priority
SeLoadDriverPrivilege	Load and unload device drivers
SeLockMemoryPrivilege	Lock pages in memory
SeSecurityPrivilege	Manage auditing and security log
SeSystemEnvironmentPrivilege	Modify firmware environment values
SeManageVolumePrivilege	Perform volume maintenance tasks
SeProfileSingleProcessPrivilege	Profile single process
SeSystemProfilePrivilege	Profile system performance
SeUndockPrivilege	Remove computer from docking station
SeAssignPrimaryTokenPrivilege	Replace a process level token
SeRestorePrivilege	Restore files and directories
SeShutdownPrivilege	Shut down the system
SeSyncAgentPrivilege	Synchronize directory service data
SeTakeOwnershipPrivilege	Take ownership of files or other objects

Free Security Log Resources by Randy

Description Fields in 609

User Right: (system name of privilege)
Removed From:
Removed By
User Name:
Domain:
Logon ID:

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

Examples of 609

User Right Removed:
  User Right: SeManageVolumePrivilege
  Removed From: ACME\wsmith
  Removed By:
    User Name: administrator
    Domain:  ACME
    Logon ID: (0x0,0x12526E)

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 609

Building a Security Dashboard for Your Senior Executives

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.