Windows Security Log Event ID 4696

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Process Tracking
 • Process Creation
Type Success
Corresponding events
in Windows 2003
and before
600  
Discussions on Event ID 4696
Event ID 5157 and 5152 in security log

4696: A primary token was assigned to process

On this page

This often happens when a service starts or a scheduled task starts under the authority of a different user. You will see events 4624 and 4648 as well as 4776 or 4768 earlier in the log.

The Assigning process fields identify the process that started the child (new) process. Process ID allows you to link this event to the corresponding event 4688 (process start of the parent process) but there is little need since this event gives you the program name (Process Name) and the user under which the process was running (Subject). 

Target Process: information identifies the new child process that was started under the account and logon session in New Token Information. 

You can use the Target Process ID to link back to the earlier 4688 for the new child process ID but again there is little need to do this since you have the Target Process Name: right here in this event.

Free Security Log Resources by Randy

Description Fields in 4696

Subject:

The user and logon session of the parent program.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Process Information:

The parent procress.

  • The Process Name identifies the program executable. 
  • Process ID is the process ID specified when the executable started as logged in 4688.

Target Process Information:

The target procress just created.

  • The Process Name identifies the program executable. 
  • Process ID is the process ID specified when the executable started as logged in 4688.

New Token Information:

The user and logon session of the target program.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 4696

A primary token was assigned to process.

Subject:

Security ID:  SYSTEM
Account Name:  WIN-R9H529RIO4Y$
Account Domain:  WORKGROUP
Logon ID:  0x3e7

Process Information:

Process ID: 0x2e8
Process Name: C:\Windows\System32\svchost.exe

Target Process:

Target Process ID: 0x7e8
Target Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe

New Token Information:

Security ID:  SYSTEM
Account Name:  WIN-R9H529RIO4Y$
Account Domain:  WORKGROUP
Logon ID:  0x3e7

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources