Windows Security Log Event ID 576

Operating Systems: Windows Server 2000, Windows 2003 and XP
Category: Privilege Use
Type: Success, Failure
Corresponding events in Windows 2008 and Vista: 4672

576: Special privileges assigned to new logon


Some user rights (aka privileges) are exercised so frequently that the system and security log would quickly become overwhelmed if Windows were to log every single instance in which these "high volume" rights were used. For these rights (e.g. backup, restore, etc.), Windows elects to simply note, with this event, the fact that a user holds such rights at the time the user logs on. You will normally see event 576 in close succession to logon event 528 or 540.

See the User Rights table below for an explanation of Se[privilege names].

User Name and Domain: user who just logged on.

Logon ID: corresponds to the Logon ID of the preceding event 528 or 540.

Do not confuse user rights (aka privileges) with object permissions despite the fact that MS documentation uses these terms inconsistently.

Most user rights are not logged by event 576 and instead are logged at the actual time they are exercised using either event 577 or 578.

Some of these high-volume rights can be logged each time they are exercised if you enable FullPrivilegeAuditing. To enable auditing of these privileges, add the following key:

Hive: HKEY_LOCAL_MACHINE\SYSTEM

Key: System\CurrentControlSet\Control\Lsa

Name: FullPrivilegeAuditing

Type: REG_BINARY

Value: 1

Note: Events 576, 577 or 578 do not log any activity associated with Logon Rights such as the SeNetworkLogonRight.

Do not confuse events 576, 577 or 578 with events 608, 609, 620 or 621, which document rights assignment changes, as opposed to the exercise of rights, which is the purpose of events 576, 577 or 578.
 

User Rights

User Right                       Description
SeTcbPrivilege                   Act as part of the operating system
SeMachineAccountPrivilege        Add workstations to domain
SeIncreaseQuotaPrivilege         Adjust memory quotas for a process
SeBackupPrivilege                Back up files and directories
SeChangeNotifyPrivilege          Bypass traverse checking
SeSystemtimePrivilege            Change the system time
SeCreatePagefilePrivilege        Create a pagefile
SeCreateTokenPrivilege           Create a token object
SeCreatePermanentPrivilege       Create permanent shared objects
SeDebugPrivilege                 Debug programs
SeEnableDelegationPrivilege      Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege        Force shutdown from a remote system
SeAuditPrivilege                 Generate security audits
SeIncreaseBasePriorityPrivilege  Increase scheduling priority
SeLoadDriverPrivilege            Load and unload device drivers
SeLockMemoryPrivilege            Lock pages in memory
SeSecurityPrivilege              Manage auditing and security log
SeSystemEnvironmentPrivilege     Modify firmware environment values
SeManageVolumePrivilege          Perform volume maintenance tasks
SeProfileSingleProcessPrivilege  Profile single process
SeSystemProfilePrivilege         Profile system performance
SeUndockPrivilege                Remove computer from docking station
SeAssignPrimaryTokenPrivilege    Replace a process level token
SeRestorePrivilege               Restore files and directories
SeShutdownPrivilege              Shut down the system
SeSyncAgentPrivilege             Synchronize directory service data
SeTakeOwnershipPrivilege         Take ownership of files or other objects


Description Fields in 576

  • User Name:
  • Domain:
  • Logon ID:
  • Assigned: (privileges assigned to user)


Examples of 576

Special privileges assigned to new logon:
User Name: Fred
Domain: Acme
Logon ID:(0x0,0x10591D)
Assigned:SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege
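
The Logon ID correlation described above, as an added example that is not part of the original page: Python that parses a 576 description (including the multi-line Assigned list), joins it to the preceding 528/540 by Logon ID, and reports which assigned privileges are on a watchlist. The watchlist contents, the function names and the abbreviated 528 sample text are assumptions made for this example.

```python
import re

# Assumption: privileges this example singles out for review; the page does not rank them.
WATCHLIST = {"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
             "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}
FIELD = re.compile(r"^\s*(User Name|Domain|Logon ID|Logon Type|Assigned)\s*:\s*(.*)$")
PRIV = re.compile(r"Se[A-Za-z]+Privilege")

def parse_description(text):
    """Parse a 528/540/576 description into fields; 'Assigned' becomes a list."""
    fields, privs, in_assigned = {}, [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            in_assigned = name == "Assigned"
            if in_assigned:
                privs += PRIV.findall(value)      # first privilege shares the line
            else:
                fields[name] = value
        elif in_assigned and PRIV.fullmatch(line.strip()):
            privs.append(line.strip())            # continuation lines: bare names
        else:
            in_assigned = False                   # anything else ends the list
    fields["Assigned"] = privs
    return fields

def review_logons(events):
    """events: (event_id, description) pairs in log order; one finding per 576."""
    logons, findings = {}, []
    for event_id, text in events:
        f = parse_description(text)
        if event_id in (528, 540):
            logons[f.get("Logon ID")] = f
        elif event_id == 576:
            logon = logons.get(f.get("Logon ID"))  # 576 follows its 528/540
            findings.append({
                "user": f"{f.get('Domain')}\\{f.get('User Name')}",
                "logon_id": f.get("Logon ID"),
                "logon_type": logon.get("Logon Type") if logon else None,
                "flagged": sorted(WATCHLIST.intersection(f["Assigned"])),
            })
    return findings

# Constructed sample: an abbreviated 528 (layout assumed), then the page's 576 example.
SAMPLE = [
    (528, "Successful Logon:\nUser Name: Fred\nDomain: Acme\nLogon ID: (0x0,0x10591D)\nLogon Type: 2"),
    (576, "Special privileges assigned to new logon:\nUser Name: Fred\nDomain: Acme\nLogon ID:(0x0,0x10591D)\n"
          "Assigned:SeBackupPrivilege\nSeRestorePrivilege\nSeDebugPrivilege\nSeChangeNotifyPrivilege"),
]
```

A 576 with no matching 528/540 in the input is still reported, with `logon_type` set to `None`, so gaps in collection are visible rather than silently dropped.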
