Windows Security Log Event ID 4799

Operating Systems Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Account Management
 • Security Group Management
Type Success
Corresponding events
in Windows 2003
and before

4799: A security-enabled local group membership was enumerated

On this page

Windows logs this event when a process enumerates the members of the specified local group on that computer.

In the example below RandyFranklinSmith (an Azure AD account) used Computer Management (mmc.exe) to open the local group Users to view its members. That triggered the event. But the same event is logged by other methods such as "net local group".

This event is valuable for catching so-called APT actors who are scoping out the local accounts on a system they have compromised so that they extend their horizontal kill chain. Of course false positives are possible. Pay attention to the Subject, quantity of events and type of system where logged.

This event has not yet been tested on a domain controller or on a domain joined PC.  But MS says "This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in."

Free Security Log Resources by Randy

Description Fields in 4799


This is who performed the enumeration.

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID as logged in 4624


This is the group whose membership was enumerated.

  • Security ID
  • Group Name
  • Group Domain

Process Information:

  • Process ID is the process ID specified when the executable started as logged in 4688.
  • Process Name: identifies the program executable that performed the enumeration. 

Supercharger Free Edition

Your entire Windows Event Collection environment on a single pane of glass.



Examples of 4799

A security-enabled local group membership was enumerated.

   Security ID: AzureAD\RandyFranklinSmith
   Account Name: RandyFranklinSmith
   Account Domain: AzureAD
   Logon ID: 0x7A1EA

   Security ID: DESKTOP-TMO9MI9\Users
   Group Name: Users
   Group Domain: DESKTOP-TMO9MI9

Process Information:
   Process ID: 0x106c
   Process Name: C:\Windows\System32\mmc.exe

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources