Windows Security Log Event ID 4696

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Process Tracking • Process Creation
Type	Success
Corresponding events in Windows 2003 and before	600

4696: A primary token was assigned to process

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

This often happens when a service starts or a scheduled task starts under the authority of a different user. You will see events 4624 and 4648 as well as 4776 or 4768 earlier in the log.

The Assigning process fields identify the process that started the child (new) process. Process ID allows you to link this event to the corresponding event 4688 (process start of the parent process) but there is little need since this event gives you the program name (Process Name) and the user under which the process was running (Subject).

Target Process: information identifies the new child process that was started under the account and logon session in New Token Information.

You can use the Target Process ID to link back to the earlier 4688 for the new child process ID but again there is little need to do this since you have the Target Process Name: right here in this event.

Free Security Log Resources by Randy

Description Fields in 4696

Subject:

The user and logon session of the parent program.

Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Process Information:

The parent procress.

The Process Name identifies the program executable.
Process ID is the process ID specified when the executable started as logged in 4688.

Target Process Information:

The target procress just created.

The Process Name identifies the program executable.
Process ID is the process ID specified when the executable started as logged in 4688.

New Token Information:

The user and logon session of the target program.

Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

Examples of 4696

A primary token was assigned to process.

Subject:

Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Process Information:

Process ID: 0x2e8
Process Name: C:\Windows\System32\svchost.exe

Target Process:

Target Process ID: 0x7e8
Target Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe

New Token Information:

Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Home

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.