Windows Security Log Event ID 576
Operating Systems |
Windows Server 2000
Windows 2003 and XP
|
Category | Privilege Use |
Type
|
Success
Failure
|
Corresponding events
in Windows
2008 and Vista |
4672
|
576: Special privileges assigned to new logon
On this page
Some user rights (aka privileges) are exercised so frequently that the system and security log would quickly become overwhelemed if Windows were to log every single instance these "high volume" rights were used. For these rights (e.g. backup, restore, etc) Windows elects to simply note the fact that a user has such rights at the time the user logs on with this event. You will normally see event 576 in close succession to logon event 528 or 540.
Click here for an explanation of Se[privilege names].
User Name and Domain: user who just logged on.
Logon ID: corresponds to the Logon ID of the preceding event 528 or 540.
Do not confuse user rights (aka privileges) with object permissions despite the fact that MS documentation uses these terms inconsistently.
Most user rights are not logged by event 576 and instead are logged at the actual time they are exercised using either event 577 or 578..
Some of these high-volume rights can be logged each time they are exercised if you enable FullPrivilegeAuditing. To enable auditing of these privileges, add the following key
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: System\CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_BINARY
Value: 1
Note: Events 576, 577 or 578 do not log any activity associated with Logon Rights such as the SeNetworkLogonRight.
Do not confuse events 576, 577 or 578 with events 608, 609, 620 or 621 which document rights assignment changes as opposed to the exercise of rights which is the purpose of events 576, 577 or 578.
User Rights
User Right
|
Description
|
SeTcbPrivilege
|
Act as part of the operating system
|
SeMachineAccountPrivilege
|
Add workstations to domain
|
SeIncreaseQuotaPrivilege
|
Adjust memory quotas for a process
|
SeBackupPrivilege
|
Back up files and directories
|
SeChangeNotifyPrivilege
|
Bypass traverse checking
|
SeSystemtimePrivilege
|
Change the system time
|
SeCreatePagefilePrivilege
|
Create a pagefile
|
SeCreateTokenPrivilege
|
Create a token object
|
SeCreatePermanentPrivilege
|
Create permanent shared objects
|
SeDebugPrivilege
|
Debug programs
|
SeEnableDelegationPrivilege
|
Enable computer and user accounts to be trusted for delegation
|
SeRemoteShutdownPrivilege
|
Force shutdown from a remote system
|
SeAuditPrivilege
|
Generate security audits
|
SeIncreaseBasePriorityPrivilege
|
Increase scheduling priority
|
SeLoadDriverPrivilege
|
Load and unload device drivers
|
SeLockMemoryPrivilege
|
Lock pages in memory
|
SeSecurityPrivilege
|
Manage auditing and security log
|
SeSystemEnvironmentPrivilege
|
Modify firmware environment values
|
SeManageVolumePrivilege
|
Perform volume maintenance tasks
|
SeProfileSingleProcessPrivilege
|
Profile single process
|
SeSystemProfilePrivilege
|
Profile system performance
|
SeUndockPrivilege
|
Remove computer from docking station
|
SeAssignPrimaryTokenPrivilege
|
Replace a process level token
|
SeRestorePrivilege
|
Restore files and directories
|
SeShutdownPrivilege
|
Shut down the system
|
SeSyncAgentPrivilege
|
Synchronize directory service data
|
SeTakeOwnershipPrivilege
|
Take ownership of files or other objects
|
Free Security Log Resources by Randy
- User Name:
- Domain:
- Logon ID:
- Assigned: (privileges assigned to user)
Supercharger Enterprise
Load Balancing for Windows Event Collection