Windows Security Log Event ID 609

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryPolicy Change
Type Success
Corresponding events
in Windows 2008
and Vista
4705  

609: User Right Removed

On this page

A user right was revoked from the Removed From user or group. See event 608 for a full explanation.

Note: This event and 609 do not log changes to logon rights such as "Access this computer from the network" or "Logon as a service". See events 621 and 622
 

User Rights

User Right
Description
SeTcbPrivilege
Act as part of the operating system
SeMachineAccountPrivilege
Add workstations to domain
SeIncreaseQuotaPrivilege
Adjust memory quotas for a process
SeBackupPrivilege
Back up files and directories
SeChangeNotifyPrivilege
Bypass traverse checking
SeSystemtimePrivilege
Change the system time
SeCreatePagefilePrivilege
Create a pagefile
SeCreateTokenPrivilege
Create a token object
SeCreatePermanentPrivilege
Create permanent shared objects
SeDebugPrivilege
Debug programs
SeEnableDelegationPrivilege
Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege
Force shutdown from a remote system
SeAuditPrivilege
Generate security audits
SeIncreaseBasePriorityPrivilege
Increase scheduling priority
SeLoadDriverPrivilege
Load and unload device drivers
SeLockMemoryPrivilege
Lock pages in memory
SeSecurityPrivilege
Manage auditing and security log
SeSystemEnvironmentPrivilege
Modify firmware environment values
SeManageVolumePrivilege
Perform volume maintenance tasks
SeProfileSingleProcessPrivilege
Profile single process
SeSystemProfilePrivilege
Profile system performance
SeUndockPrivilege
Remove computer from docking station
SeAssignPrimaryTokenPrivilege
Replace a process level token
SeRestorePrivilege
Restore files and directories
SeShutdownPrivilege
Shut down the system
SeSyncAgentPrivilege
Synchronize directory service data
SeTakeOwnershipPrivilege
Take ownership of files or other objects

Free Security Log Resources by Randy

Description Fields in 609

  • User Right: (system name of privilege)
  • Removed From:
  • Removed By
  • User Name:
  • Domain:
  • Logon ID:

Supercharger Enterprise


 

Examples of 609

User Right Removed:
  User Right: SeManageVolumePrivilege
  Removed From: ACME\wsmith
  Removed By:
    User Name: administrator
    Domain:  ACME
    Logon ID: (0x0,0x12526E)

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!