Event ID 4672 | Level: Information | Source: Microsoft-Windows-Security-Auditing | Platform: Windows

Windows Event ID 4672 – Security: Special Privileges Assigned to New Logon

Event ID 4672 fires when Windows assigns special privileges to a new user logon session, indicating elevated access rights have been granted to an account.

Emanuel DE ALMEIDA | 18 March 2026 | 9 min read

What This Event Means

Windows Event ID 4672 represents a fundamental security audit event that documents the assignment of special privileges during user logon sessions. When a user successfully authenticates and Windows determines that the account requires elevated privileges, the system generates this event to create an audit trail of privileged access.

The event fires after Event ID 4624 (successful logon) but before the user session becomes fully active. Windows evaluates the account's group memberships, assigned user rights, and security policies to determine which special privileges to grant. These privileges include sensitive rights like SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, and others that allow system-level operations.

The event structure includes the logon ID that correlates with the initial authentication event, the account name and domain, and a comprehensive list of assigned privileges. This correlation capability makes Event ID 4672 invaluable for security investigations, allowing analysts to trace the complete privilege assignment chain from initial logon through elevated operations.

Modern Windows systems generate thousands of these events daily in enterprise environments, making proper filtering and analysis crucial for effective security monitoring. The event's consistent structure and reliable generation make it a cornerstone of Windows security auditing frameworks.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Administrator account logon (local or domain administrators)
  • Service account startup with elevated privileges
  • User account with assigned special logon rights through Group Policy
  • System account processes requiring privileged operations
  • Backup operators, print operators, or other privileged group members logging on
  • Applications running with elevated privileges through UAC or RunAs
  • Scheduled tasks executing with system or administrative privileges
  • Remote desktop connections using privileged accounts
Troubleshooting Steps

Method 1: Review Event Details in Event Viewer

Start by examining the specific privileges assigned and correlating with the logon session:

  1. Open Event Viewer > Windows Logs > Security
  2. Filter for Event ID 4672 using the filter option
  3. Double-click the event to view detailed information
  4. Note the Logon ID field; it correlates with Event ID 4624
  5. Review the Privileges section to see which special rights were assigned
  6. Check the Account Name and Account Domain fields
  7. Cross-reference the timestamp with other security events

Look for unusual privilege assignments or accounts that shouldn't have elevated rights. The Logon ID allows you to trace the complete session from authentication through privilege usage.

Method 2: PowerShell Analysis and Correlation

Use PowerShell to analyze 4672 events and correlate with logon events:

# Get recent 4672 events with details
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} -MaxEvents 50 | 
  Select-Object TimeCreated, @{Name='Account';Expression={$_.Properties[1].Value}}, 
  @{Name='LogonID';Expression={$_.Properties[3].Value}}, 
  @{Name='Privileges';Expression={$_.Properties[4].Value}}

# Correlate with logon events (4624)
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 100
$PrivEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} -MaxEvents 100

# Match by Logon ID
$LogonEvents | ForEach-Object {
  $LogonID = $_.Properties[7].Value
  $MatchingPriv = $PrivEvents | Where-Object {$_.Properties[3].Value -eq $LogonID}
  if ($MatchingPriv) {
    [PSCustomObject]@{
      Time = $_.TimeCreated
      Account = $_.Properties[5].Value
      LogonType = $_.Properties[8].Value
      Privileges = $MatchingPriv.Properties[4].Value
    }
  }
}

This correlation reveals which accounts are receiving elevated privileges and through what logon methods.
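An added example (not the article's own code) that does the same 4624-to-4672 join by Logon ID as the block above, but reads the fields by name from the event XML instead of by positional index, and adds the logon type and source IP that the FAQ mentions. It assumes an elevated shell that can read the Security log and a 24-hour window; both assumptions are marked in the comments.

```powershell
# Added example, not from the original article. Joins every 4672 to the 4624 that
# created the same Logon ID, reading EventData fields by name via the event XML.
# Assumes: elevated shell (Security log is not readable otherwise), 24-hour window.
function Get-EventDataMap {
  param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
  # Each <Data Name="..."> element becomes a hashtable entry: field name -> text
  $xml = [xml]$Record.ToXml()
  $map = @{}
  foreach ($d in $xml.Event.EventData.Data) {
    if ($d.Name) { $map[$d.Name] = $d.'#text' }
  }
  return $map
}

$Since  = (Get-Date).AddHours(-24)   # assumed analysis window
$Logons = @{}                        # TargetLogonId -> 4624 fields

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f = Get-EventDataMap $_
    # 4624 reports the new session as TargetLogonId; 4672 reports it as SubjectLogonId
    $Logons[$f.TargetLogonId] = $f
  }

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$Since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $p = Get-EventDataMap $_
    $l = $Logons[$p.SubjectLogonId]
    [PSCustomObject]@{
      Time       = $_.TimeCreated
      Account    = "$($p.SubjectDomainName)\$($p.SubjectUserName)"
      LogonId    = $p.SubjectLogonId
      # A 4672 with no 4624 in the window usually means the logon predates the window
      LogonType  = if ($l) { $l.LogonType } else { 'no 4624 in window' }
      SourceIp   = if ($l) { $l.IpAddress } else { '-' }
      # PrivilegeList is newline/tab separated in the event; normalise to a comma list
      Privileges = ($p.PrivilegeList -split '\s+' | Where-Object { $_ }) -join ','
    }
  } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Rows whose LogonType is 3 (network) or 10 (RemoteInteractive) with an unexpected SourceIp are the ones worth a second look; interactive console logons by known administrators are the expected bulk.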

Method 3: Monitor Specific Privilege Assignments

Create targeted monitoring for sensitive privilege assignments:

# Monitor for dangerous privileges
$DangerousPrivs = @('SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege', 
                    'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege')

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} -MaxEvents 200 | 
  Where-Object {
    $PrivilegeText = $_.Properties[4].Value
    # Truthy when at least one dangerous privilege appears in the PrivilegeList field
    $DangerousPrivs | Where-Object {$PrivilegeText -like "*$_*"}
  } | Select-Object TimeCreated, 
    @{Name='Account';Expression={$_.Properties[1].Value}}, 
    @{Name='Domain';Expression={$_.Properties[2].Value}}, 
    @{Name='Privileges';Expression={$_.Properties[4].Value}}

# Set up continuous monitoring. There is no Register-WinEvent cmdlet; subscribe to an
# EventLogWatcher's EventRecordWritten event with Register-ObjectEvent instead.
$Query = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogQuery `
  -ArgumentList 'Security', ([System.Diagnostics.Eventing.Reader.PathType]::LogName), "*[System[EventID=4672]]"
$Watcher = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogWatcher -ArgumentList $Query

Register-ObjectEvent -InputObject $Watcher -EventName EventRecordWritten -SourceIdentifier 'Priv4672' -Action {
  $Record = $Event.SourceEventArgs.EventRecord
  $Account = $Record.Properties[1].Value
  $Privileges = $Record.Properties[4].Value
  
  if ($Privileges -match 'SeDebugPrivilege|SeBackupPrivilege') {
    Write-Host "ALERT: Sensitive privilege assigned to $Account at $(Get-Date)" -ForegroundColor Red
  }
}
$Watcher.Enabled = $true   # start delivery; Unregister-Event -SourceIdentifier 'Priv4672' stops it

This approach focuses on the most security-sensitive privileges that could indicate compromise or policy violations.

Method 4: Investigate User Rights Assignment Policies

Check Group Policy and local security policies that grant special privileges:

  1. Open Local Security Policy (secpol.msc) or Group Policy Management
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
  3. Review policies like:
    • Log on as a service (SeServiceLogonRight)
    • Back up files and directories (SeBackupPrivilege)
    • Debug programs (SeDebugPrivilege)
    • Load and unload device drivers (SeLoadDriverPrivilege)
  4. Check which accounts or groups are assigned these rights
  5. Use PowerShell to audit current assignments:
# Export current user rights assignments (needs an elevated shell; C:\temp must already exist)
secedit /export /cfg C:\temp\current_rights.inf
# Lines in the [Privilege Rights] section look like "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551"
Get-Content C:\temp\current_rights.inf | Select-String "^Se\w+(Privilege|Right)\s*="

# Check the privileges held by the current token
whoami /priv

# For remote systems (same elevation and folder requirements apply on the remote host)
Invoke-Command -ComputerName SERVER01 -ScriptBlock {
  secedit /export /cfg C:\temp\rights.inf
  Get-Content C:\temp\rights.inf | Select-String "SeBackupPrivilege|SeDebugPrivilege"
}

Compare the policy assignments with the accounts generating 4672 events to identify unauthorized privilege grants.
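An added example, not from the article: it parses the [Privilege Rights] section of the secedit export into a privilege-to-principal table with the SIDs resolved to account names, so the policy side of the comparison is readable at a glance. It assumes an elevated shell and an existing C:\temp folder; the list of sensitive privileges is the one the article names.

```powershell
# Added example, not from the original article. Parses the secedit export into
# Privilege -> resolved principals. Assumes: elevated shell, C:\temp exists.
$InfPath = 'C:\temp\current_rights.inf'
secedit /export /cfg $InfPath | Out-Null

function Resolve-Sid {
  param([string]$Sid)
  try {
    (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
      [System.Security.Principal.NTAccount]).Value
  } catch { $Sid }   # orphaned or foreign SID: keep the raw value rather than failing
}

function Get-PrivilegeRights {
  param([string]$Path)
  $inSection = $false
  # secedit writes UTF-16 with a BOM, which Get-Content detects automatically
  foreach ($line in Get-Content -Path $Path) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $priv = $Matches[1]
    # Entries are comma separated; SIDs carry a leading '*', plain names do not
    $principals = $Matches[2] -split ',' | Where-Object { $_ } | ForEach-Object {
      $p = $_.Trim()
      if ($p.StartsWith('*')) { Resolve-Sid $p.Substring(1) } else { $p }
    }
    [PSCustomObject]@{ Privilege = $priv; Principals = ($principals -join '; ') }
  }
}

$Rights = Get-PrivilegeRights -Path $InfPath
$Sensitive = 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege'

# Show only the privileges the article singles out; drop the filter to see all of them
$Rights | Where-Object { $Sensitive -contains $_.Privilege } | Format-Table -AutoSize
```

Any principal in this table that is not a built-in group or a documented service account is a candidate for the "unauthorized privilege grant" check above; accounts that appear in 4672 events with a sensitive privilege but in none of these rows usually hold it through group membership, which is the next thing to trace.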

Method 5: Advanced Forensic Analysis and Baseline Comparison

Perform comprehensive analysis for security investigations:

# Create privilege assignment baseline: 30 days ago up to yesterday, so the baseline
# window does not overlap the recent window it is compared against
$BaselineStart = (Get-Date).AddDays(-30)
$BaselineEnd   = (Get-Date).AddDays(-1)
$Key = @{Expression={$_.Properties[1].Value + ':' + $_.Properties[4].Value}}   # account:privilege-set

$Baseline = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$BaselineStart; EndTime=$BaselineEnd} | 
  Group-Object $Key | 
  Select-Object Name, Count

# Compare current activity (last 24 hours) to baseline
$Recent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$BaselineEnd} | 
  Group-Object $Key | 
  Select-Object Name, Count

# Identify anomalies: account/privilege-set combinations seen recently but never in the baseline
$Anomalies = Compare-Object @($Baseline) @($Recent) -Property Name | 
  Where-Object {$_.SideIndicator -eq '=>'}

if ($Anomalies) {
  Write-Host "New privilege assignments detected:" -ForegroundColor Yellow
  $Anomalies | ForEach-Object {Write-Host $_.Name -ForegroundColor Red}
}

# Deep dive analysis (C:\temp must exist for the export)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} -MaxEvents 1000 | 
  ForEach-Object {
    [PSCustomObject]@{
      Time = $_.TimeCreated
      Account = $_.Properties[1].Value
      Domain = $_.Properties[2].Value
      LogonID = $_.Properties[3].Value
      # PrivilegeList separates entries with CRLF plus tabs, so split on any whitespace and drop empties
      PrivilegeCount = ($_.Properties[4].Value -split '\s+' | Where-Object { $_ }).Count
      HasDebugPriv = $_.Properties[4].Value -like '*SeDebugPrivilege*'
      HasBackupPriv = $_.Properties[4].Value -like '*SeBackupPrivilege*'
    }
  } | Export-Csv -Path "C:\temp\privilege_analysis.csv" -NoTypeInformation

This method establishes normal privilege assignment patterns and identifies deviations that may indicate security issues or policy changes.

Overview

Event ID 4672 fires immediately after a successful logon when Windows assigns special privileges to the new session. This event appears in the Security log and indicates that the logged-on account has been granted elevated rights beyond standard user permissions. The event triggers for accounts with administrative privileges, service accounts with specific rights, or users assigned special logon privileges through Group Policy.

This event is critical for security monitoring because it tracks when privileged access occurs on your systems. Every administrator logon, service startup with elevated rights, and system-level process initialization generates this event. The timing correlation with Event ID 4624 (successful logon) makes it valuable for tracking privilege escalation and monitoring administrative activity.

Security teams rely on 4672 events to detect unauthorized privilege usage, track administrative sessions, and audit compliance with least-privilege principles. The event contains detailed information about which specific privileges were assigned, making it essential for forensic investigations and security baseline monitoring.

Frequently Asked Questions

What does Event ID 4672 mean and when should I be concerned?

Event ID 4672 indicates that Windows has assigned special privileges to a user account during logon. You should be concerned when you see this event for accounts that shouldn't have elevated privileges, during unusual hours, or when the assigned privileges include sensitive rights like SeDebugPrivilege or SeBackupPrivilege. Normal occurrences include administrator logons and service account startups, but unexpected privilege assignments may indicate compromise or policy violations.

How do I correlate Event ID 4672 with the original logon event?

Use the Logon ID field present in both Event ID 4672 and Event ID 4624 (successful logon). The Logon ID is a unique hexadecimal value that links these events within the same session. In PowerShell, extract the Logon ID from both events and match them to see the complete authentication and privilege assignment chain. This correlation helps identify the logon method, source IP, and authentication details associated with privilege grants.

Which privileges in Event ID 4672 are most security-sensitive?

The most security-sensitive privileges include SeDebugPrivilege (debug programs), SeBackupPrivilege (backup files and directories), SeRestorePrivilege (restore files and directories), SeTakeOwnershipPrivilege (take ownership of files), SeLoadDriverPrivilege (load device drivers), and SeImpersonatePrivilege (impersonate clients). These privileges allow system-level access and are commonly abused by attackers for privilege escalation and lateral movement.

Why am I seeing thousands of Event ID 4672 entries daily?

High volumes of Event ID 4672 are normal in enterprise environments due to service accounts, scheduled tasks, administrative activities, and system processes requiring elevated privileges. Each administrator logon, service restart, and privileged application launch generates this event. To manage the volume, focus on filtering for specific sensitive privileges, unusual accounts, or time-based patterns rather than monitoring all 4672 events.

How can I use Event ID 4672 for compliance and security monitoring?

Event ID 4672 is essential for compliance frameworks requiring privileged access monitoring. Create automated alerts for sensitive privilege assignments, establish baselines of normal privilege usage patterns, and correlate with logon events to track administrative sessions. Use the event data to demonstrate least-privilege compliance, detect unauthorized privilege escalation, and maintain audit trails for forensic investigations. Regular analysis helps identify accounts with excessive privileges and policy violations.
Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
