ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying Event ID 4673 privilege usage logs in a cybersecurity operations center
Event ID 4673InformationSecurityWindows

Windows Event ID 4673 – Security: Sensitive Privilege Use

Event ID 4673 logs when a user or process attempts to use a sensitive privilege on Windows systems. This security audit event helps track privileged operations and potential security risks.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4673Security 5 methods 12 min
Event Reference

What This Event Means

Event ID 4673 represents a critical component of Windows security auditing infrastructure, specifically designed to monitor sensitive privilege usage across the operating system. When this event fires, it indicates that a user account, service, or process has attempted to exercise a privilege that Windows considers sensitive from a security perspective.

The event captures detailed contextual information including the Security Identifier (SID) of the requesting entity, the process name and ID, the specific privilege being used, and the target object if applicable. This comprehensive logging enables security teams to reconstruct privilege usage patterns and identify potential security violations or policy breaches.

Windows generates this event through its Local Security Authority (LSA) subsystem, which manages privilege assignments and usage tracking. The event only appears when advanced audit policies are properly configured, specifically the 'Audit Privilege Use' policy under the 'Privilege Use' category. Without proper audit configuration, these critical security events remain invisible to administrators.

The significance of Event ID 4673 extends beyond basic monitoring. In regulated environments, this event provides essential audit trails for compliance frameworks like SOX, HIPAA, and PCI-DSS. Security teams use these logs to detect insider threats, unauthorized privilege escalation, and sophisticated attack techniques that rely on legitimate Windows privileges to avoid detection.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User or service account exercising SeDebugPrivilege to attach to processes
  • Backup software using SeBackupPrivilege or SeRestorePrivilege for file operations
  • Administrative tools accessing SeSecurityPrivilege for security log management
  • System services utilizing SeTcbPrivilege for trusted computing base operations
  • Applications requesting SeLoadDriverPrivilege to load kernel drivers
  • Security software using SeAuditPrivilege to generate audit events
  • Virtualization platforms exercising SeCreateTokenPrivilege for token manipulation
  • Malware attempting privilege escalation through sensitive privilege abuse
  • Legitimate administrative tasks requiring elevated system privileges
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific Event ID 4673 entries to understand the privilege usage context:

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4673 using the filter option in the Actions pane
  3. Double-click on recent 4673 events to examine details
  4. Note the following key fields in the event description:
    • Subject: User account and SID performing the action
    • Process Information: Process name and ID using the privilege
    • Privilege: Specific privilege being exercised
    • Object: Target object if applicable
  5. Cross-reference the timestamp with other security events for context

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
Pro tip: Look for patterns in process names and user accounts to identify legitimate versus suspicious privilege usage.
02

Analyze Privilege Usage Patterns with PowerShell

Use PowerShell to analyze privilege usage trends and identify anomalies:

  1. Extract and group privilege usage by user account:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673; StartTime=(Get-Date).AddDays(-7)}
$Events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        User = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        ProcessName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
        Privilege = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'} | Select-Object -ExpandProperty '#text'
    }
} | Group-Object User, Privilege | Sort-Object Count -Descending
  1. Identify unusual privilege combinations or high-frequency usage:
# Find processes using multiple sensitive privileges
$PrivilegeUsage = $Events | Group-Object ProcessName | Where-Object {$_.Count -gt 10}
$PrivilegeUsage | Select-Object Name, Count | Format-Table
  1. Check for privilege usage outside business hours:
$Events | Where-Object {$_.TimeCreated.Hour -lt 8 -or $_.TimeCreated.Hour -gt 18} | Select-Object TimeCreated, User, ProcessName
Warning: High volumes of Event ID 4673 from unexpected processes may indicate malware or unauthorized administrative activity.
03

Configure Advanced Audit Policies

Ensure proper audit policy configuration to capture all sensitive privilege usage:

  1. Open Local Group Policy Editor (gpedit.msc) or Group Policy Management Console
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  3. Expand Privilege Use and configure the following policies:
    • Audit Sensitive Privilege Use: Enable for Success and Failure
    • Audit Non Sensitive Privilege Use: Enable for Failure (optional)
  4. Apply the policy and run gpupdate /force to refresh settings

Verify audit policy configuration using PowerShell:

# Check current audit policy settings
auditpol /get /category:"Privilege Use"

# Enable sensitive privilege use auditing
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
  1. Configure Security log size to accommodate increased event volume:
# Increase Security log maximum size to 100MB
wevtutil sl Security /ms:104857600

# Set log retention policy
wevtutil sl Security /rt:false

Registry path for manual configuration: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security

Pro tip: In high-volume environments, consider forwarding Event ID 4673 to a centralized SIEM system to prevent local log overflow.
04

Investigate Specific Privilege Abuse Scenarios

Focus investigation on high-risk privilege usage patterns that indicate potential security threats:

  1. Monitor SeDebugPrivilege usage for process injection attempts:
# Find SeDebugPrivilege usage by non-system processes
$DebugEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673} | Where-Object {
    $_.Message -like '*SeDebugPrivilege*' -and $_.Message -notlike '*SYSTEM*'
}
$DebugEvents | Select-Object TimeCreated, @{n='User';e={($_.Message -split '\n' | Select-String 'Account Name:')[0] -replace '.*Account Name:\s*',''}}
  1. Check for SeBackupPrivilege abuse in unauthorized file access:
# Correlate backup privilege usage with file access events
$BackupEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673} | Where-Object {$_.Message -like '*SeBackupPrivilege*'}
$FileAccess = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4658} -MaxEvents 1000

# Find temporal correlation between backup privilege and sensitive file access
$BackupEvents | ForEach-Object {
    $BackupTime = $_.TimeCreated
    $RelatedAccess = $FileAccess | Where-Object {
        [Math]::Abs(($_.TimeCreated - $BackupTime).TotalMinutes) -lt 5
    }
    if ($RelatedAccess) {
        Write-Host "Potential backup privilege abuse at $BackupTime"
    }
}
  1. Analyze SeLoadDriverPrivilege for malicious driver loading:
# Monitor driver loading privilege usage
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673} | Where-Object {
    $_.Message -like '*SeLoadDriverPrivilege*'
} | Select-Object TimeCreated, @{n='ProcessName';e={($_.Message -split '\n' | Select-String 'Process Name:')[0] -replace '.*Process Name:\s*',''}}
  1. Cross-reference with Windows Defender and system integrity events:
# Check for correlation with security software alerts
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'} -MaxEvents 100 | Where-Object {
    $_.TimeCreated -gt (Get-Date).AddHours(-24)
}
Warning: SeDebugPrivilege usage by unexpected processes often indicates malware attempting process hollowing or code injection techniques.
05

Implement Automated Monitoring and Alerting

Set up proactive monitoring for Event ID 4673 to detect privilege abuse in real-time:

  1. Create a scheduled task to monitor high-risk privilege usage:
# Create monitoring script
$MonitorScript = @'
$SensitivePrivileges = @('SeDebugPrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege')
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673; StartTime=(Get-Date).AddMinutes(-15)}

foreach ($Event in $Events) {
    $xml = [xml]$Event.ToXml()
    $Privilege = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'} | Select-Object -ExpandProperty '#text'
    $User = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $Process = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    
    if ($Privilege -in $SensitivePrivileges -and $User -ne 'SYSTEM') {
        Write-EventLog -LogName Application -Source 'PrivilegeMonitor' -EventId 1001 -EntryType Warning -Message "Sensitive privilege $Privilege used by $User in process $Process"
    }
}
'@

# Save script and create scheduled task
$MonitorScript | Out-File -FilePath 'C:\Scripts\PrivilegeMonitor.ps1'
Register-ScheduledTask -TaskName 'PrivilegeMonitor' -Trigger (New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 15) -Once -At (Get-Date)) -Action (New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\PrivilegeMonitor.ps1')
  1. Configure Windows Event Forwarding for centralized monitoring:
# Configure WinRM for event forwarding
winrm quickconfig -q
wecutil qc /q

# Create subscription for Event ID 4673
$SubscriptionXML = @'

    PrivilegeUseMonitoring
    SourceInitiated
    Monitor sensitive privilege usage across domain
    true
    http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
    Normal
    
            
                
            
        
    ]]>

'@

$SubscriptionXML | Out-File -FilePath 'C:\Temp\PrivilegeSubscription.xml'
wecutil cs 'C:\Temp\PrivilegeSubscription.xml'
  1. Set up email alerts for critical privilege usage:
# Create alert script with email notification
$AlertScript = @'
param($EventID, $User, $Privilege, $Process)

$SMTPServer = "mail.company.com"
$From = "security-alerts@company.com"
$To = "security-team@company.com"
$Subject = "ALERT: Sensitive Privilege Usage Detected"
$Body = "Event ID: $EventID`nUser: $User`nPrivilege: $Privilege`nProcess: $Process`nTime: $(Get-Date)"

Send-MailMessage -SmtpServer $SMTPServer -From $From -To $To -Subject $Subject -Body $Body
'@

$AlertScript | Out-File -FilePath 'C:\Scripts\PrivilegeAlert.ps1'
Pro tip: Integrate Event ID 4673 monitoring with your SIEM solution using Windows Event Forwarding or PowerShell-based log shipping for comprehensive security visibility.

Overview

Event ID 4673 fires whenever a user account or process attempts to use a sensitive privilege on a Windows system. This security audit event is part of Windows' privilege use auditing subsystem and appears in the Security event log when advanced audit policies are enabled. The event captures attempts to exercise high-level system privileges such as SeDebugPrivilege, SeBackupPrivilege, or SeRestorePrivilege.

This event is crucial for security monitoring because it tracks when users or processes attempt to perform privileged operations that could affect system security or stability. Unlike Event ID 4672 which logs special logon privileges, Event ID 4673 specifically monitors the actual use of sensitive privileges during runtime operations. System administrators rely on this event to detect privilege escalation attempts, unauthorized administrative actions, and compliance violations.

The event generates automatically when Windows detects privilege use attempts, regardless of whether the operation succeeds or fails. Each instance includes detailed information about the requesting process, user context, and specific privilege being exercised. This granular logging makes Event ID 4673 essential for forensic analysis and security incident response in enterprise environments.

Frequently Asked Questions

What does Event ID 4673 mean and why is it important?+
Event ID 4673 indicates that a user or process has attempted to use a sensitive privilege on a Windows system. This event is crucial for security monitoring because it tracks when high-level system privileges like SeDebugPrivilege, SeBackupPrivilege, or SeLoadDriverPrivilege are exercised. These privileges can be abused by malware for privilege escalation, process injection, or unauthorized system access. The event provides detailed information about who used the privilege, which process requested it, and when it occurred, making it essential for detecting insider threats and advanced persistent threats.
How do I enable Event ID 4673 logging on my Windows systems?+
Event ID 4673 requires enabling the 'Audit Sensitive Privilege Use' policy under Advanced Audit Policy Configuration. Navigate to Group Policy Editor → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Privilege Use, then enable 'Audit Sensitive Privilege Use' for both Success and Failure events. You can also use the command 'auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable' to configure this via PowerShell. Without this audit policy enabled, Windows will not generate Event ID 4673 entries.
Which privileges are considered 'sensitive' and trigger Event ID 4673?+
Windows considers several privileges as sensitive, including SeDebugPrivilege (debug programs), SeBackupPrivilege (backup files and directories), SeRestorePrivilege (restore files and directories), SeLoadDriverPrivilege (load and unload device drivers), SeTcbPrivilege (act as part of the operating system), SeSecurityPrivilege (manage auditing and security log), and SeCreateTokenPrivilege (create a token object). These privileges can significantly impact system security and are often targeted by attackers for privilege escalation. The specific privilege being used is recorded in the event details under the 'Privilege' field.
How can I distinguish between legitimate and suspicious Event ID 4673 entries?+
Legitimate Event ID 4673 entries typically come from known system processes, scheduled backup software, or administrative tools during business hours. Suspicious indicators include: privilege usage by unexpected processes, SeDebugPrivilege use by non-system accounts, privilege escalation outside normal business hours, multiple sensitive privileges used by the same process in short timeframes, or privilege usage correlated with other security events like failed logons or malware detections. Establish baselines of normal privilege usage patterns and investigate deviations. Cross-reference the process names and user accounts with your organization's approved software and administrative procedures.
What should I do if I find suspicious Event ID 4673 entries indicating potential privilege abuse?+
If you discover suspicious Event ID 4673 entries, immediately isolate the affected system from the network to prevent lateral movement. Document all event details including timestamps, user accounts, process names, and privileges used. Correlate these events with other security logs (Event IDs 4624, 4625, 4656, 4658) to understand the full attack timeline. Run antimalware scans and check for persistence mechanisms like scheduled tasks or registry modifications. Analyze the suspicious processes using tools like Process Monitor or Autoruns. If the activity appears to be an active attack, engage your incident response team and consider forensic imaging of the affected system before remediation.
Documentation

References (2)

1
Microsoft Security Auditing DocumentationComprehensive guide to Windows security event auditing including Event ID 4673 and privilege use monitoringhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/auditing-security-events
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies including sensitive privilege use auditinghttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4673#security-auditing#privilege-escalation

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...