
Windows Event ID 4674 – Security: Privileged Object Operation Attempted

Event ID 4674 logs when a user or process attempts to perform a privileged operation on a protected object, providing detailed audit information for security monitoring and compliance tracking.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

What This Event Means

Event ID 4674 represents one of the most detailed privilege usage audit events in the Windows security logging framework. When the Windows security subsystem detects that a process or user account is exercising a specific privilege to perform an operation on a protected object, it generates this comprehensive audit record. The event captures not just the fact that a privilege was used, but provides extensive context about the operation including the privilege name, target object, process details, and security identifiers.

The event structure contains multiple fields that security professionals use for analysis. The Subject section identifies who performed the action with SID, account name, and domain information. The Privilege Information section specifies exactly which privilege was exercised, such as SeBackupPrivilege, SeDebugPrivilege, or SeSystemtimePrivilege. The Object section provides details about the target of the privileged operation, including object server, type, and name when available.

In enterprise environments, Event ID 4674 serves as a cornerstone for privilege abuse detection and compliance reporting. Security Information and Event Management (SIEM) systems parse these events to identify patterns indicating potential insider threats or compromised accounts. The granular nature of the logged information allows security teams to distinguish between legitimate administrative activities and suspicious privilege usage that might indicate an attack in progress.

The frequency and volume of Event ID 4674 events can be substantial in active Windows environments, particularly on domain controllers and file servers where privileged operations occur regularly. Proper log management and filtering strategies are essential to extract actionable intelligence from the event stream while maintaining system performance and storage efficiency.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • User account exercising backup and restore privileges (SeBackupPrivilege, SeRestorePrivilege)
  • Process using debug privileges to attach to or examine other processes (SeDebugPrivilege)
  • System time modification operations requiring SeSystemtimePrivilege
  • Service account performing privileged operations during normal service execution
  • Administrative tools accessing protected system objects or registry keys
  • Backup software reading files that require special privileges to access
  • Security software or antivirus performing deep system scans with elevated privileges
  • System maintenance tasks requiring SeShutdownPrivilege or SeLoadDriverPrivilege
  • User or process attempting to take ownership of files or objects (SeTakeOwnershipPrivilege)
  • Applications performing operations that require SeCreateTokenPrivilege or SeAssignPrimaryTokenPrivilege
Resolution Methods

Troubleshooting Steps

Method 01: Review Event Details in Event Viewer

Start by examining the specific Event ID 4674 entries to understand what privileges are being used and by whom.

  1. Open Event Viewer by pressing Windows + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. In the Actions pane, click Filter Current Log
  4. Enter 4674 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4674 entries to examine details
  6. Focus on these key fields in the event details:
    • Subject: Account Name, Account Domain, Logon ID
    • Privilege: The specific privilege being used
    • Object: Object Server, Object Type, Object Name
    • Process Information: Process ID and Process Name
  7. Look for patterns in privilege usage, unusual account activity, or unexpected processes exercising privileges
Pro tip: Sort events by time to identify clusters of privilege usage that might indicate automated processes or potential security incidents.
Method 02: Query Events with PowerShell for Analysis

Use PowerShell to extract and analyze Event ID 4674 data programmatically for better pattern recognition.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4674 entries with detailed filtering:
# Get last 100 Event ID 4674 entries with key details
# Note: the EventData field that carries the privilege is named PrivilegeList
# (rendered as "Privileges" in Event Viewer); it can list more than one privilege
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4674} -MaxEvents 100 |
  ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
      TimeCreated = $_.TimeCreated
      SubjectUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
      SubjectDomainName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
      PrivilegeName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeList'} | Select-Object -ExpandProperty '#text'
      ObjectName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
      ProcessName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    }
  } | Format-Table -AutoSize
  3. Analyze privilege usage patterns by grouping common activities:
# Group events by privilege to identify most used privileges
# PrivilegeList may hold several whitespace-separated names, so split it before grouping
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4674} -MaxEvents 1000 |
  ForEach-Object {
    $xml = [xml]$_.ToXml()
    ($xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeList'} | Select-Object -ExpandProperty '#text') -split '\s+' | Where-Object { $_ }
  } | Group-Object | Sort-Object Count -Descending
  4. Export results to CSV for further analysis in Excel or other tools:
# Export detailed privilege usage to CSV
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4674} -MaxEvents 500 |
  ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
      TimeCreated = $_.TimeCreated
      SubjectUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
      # EventData field is PrivilegeList ("Privileges" in the rendered event)
      PrivilegeName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeList'} | Select-Object -ExpandProperty '#text'
      ProcessName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    }
  } | Export-Csv -Path "C:\Temp\Event4674_Analysis.csv" -NoTypeInformation
Method 03: Configure Advanced Audit Policy Settings

Properly configure audit policies to ensure Event ID 4674 captures the right level of detail for your security monitoring needs.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
  3. Expand Privilege Use and configure these settings:
    • Audit Sensitive Privilege Use: Set to Success to log successful privilege usage
    • Audit Non Sensitive Privilege Use: Set to Success and Failure for comprehensive monitoring
  4. Use PowerShell to verify current audit settings:
# Check current privilege use audit settings
auditpol /get /subcategory:"Sensitive Privilege Use"
auditpol /get /subcategory:"Non Sensitive Privilege Use"
  5. Enable auditing of backup and restore privilege use via the registry if needed (Windows suppresses it by default because of its volume):
# Enable auditing of SeBackupPrivilege/SeRestorePrivilege use; this is the
# "Audit: Audit the use of Backup and Restore privilege" security option.
# The value is REG_BINARY (1 = on) under the Lsa key and takes effect after a restart.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Set-ItemProperty -Path $regPath -Name "FullPrivilegeAuditing" -Value ([byte[]](1)) -Type Binary
  6. Apply the policy and verify Event ID 4674 generation:
# Force group policy update
gpupdate /force

# Test privilege usage to generate Event ID 4674
# This command requires SeSystemtimePrivilege and will generate the event
w32tm /resync
Warning: Enabling comprehensive privilege auditing can generate significant log volume. Monitor disk space and consider log forwarding to a centralized logging system.
Method 04: Implement Automated Monitoring and Alerting

Set up automated monitoring to detect suspicious privilege usage patterns and potential security incidents.

  1. Create a PowerShell script for continuous monitoring of high-risk privilege usage:
# Create monitoring script: Monitor-PrivilegeUse.ps1
$HighRiskPrivileges = @(
    'SeDebugPrivilege',
    'SeBackupPrivilege',
    'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege'
)

# Look back exactly one scheduled-task interval (15 minutes) so each event is reported once
$LastCheck = (Get-Date).AddMinutes(-15)

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no event matches the filter
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4674
    StartTime=$LastCheck
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    # The privilege field is named PrivilegeList and may contain several names
    $privileges = ($xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeList'} | Select-Object -ExpandProperty '#text') -split '\s+'
    $user = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $process = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'

    $matched = $privileges | Where-Object { $_ -in $HighRiskPrivileges }
    if ($matched) {
        Write-Warning "High-risk privilege usage detected: $($matched -join ', ') by $user in process $process at $($_.TimeCreated)"
        # Add alerting logic here (email, SIEM integration, etc.)
    }
}
  2. Set up a scheduled task to run the monitoring script:
# Create scheduled task for privilege monitoring
# The task runs as SYSTEM, so the script path must be writable only by administrators
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\Monitor-PrivilegeUse.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName "Monitor-PrivilegeUse" -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal
  3. Configure Windows Event Forwarding for centralized collection:
# Windows Event Forwarding: source-initiated subscription for Event ID 4674 (on collector server)
# Run "wecutil qc" once first if the Windows Event Collector service is not yet configured
$SubscriptionXML = @"
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>PrivilegeUseCollection</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Security">*[System[EventID=4674]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting the Domain Computers group; sources also need the SubscriptionManager policy pointing at this collector -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$SubscriptionXML | Out-File -FilePath "C:\Temp\subscription.xml" -Encoding UTF8
wecutil cs C:\Temp\subscription.xml
  4. Create custom Event Viewer views for security analysis:
# Create custom view XML for Event Viewer (same layout Event Viewer uses when it exports a view)
# RelativeTimeInfo and the timediff() filter are in milliseconds: 604800000 = 7 days
$CustomViewXML = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>Security</Channel>
        <EventId>4674</EventId>
        <RelativeTimeInfo>604800000</RelativeTimeInfo>
        <BySource>False</BySource>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name>Privilege Use (Event ID 4674, last 7 days)</Name>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4674) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@

# Save to file, then import it via Event Viewer > Action > Import Custom View...
$CustomViewXML | Out-File -FilePath "C:\Temp\PrivilegeUseView.xml" -Encoding UTF8
Method 05: Advanced Forensic Analysis and Correlation

Perform deep forensic analysis of Event ID 4674 data to identify security incidents and attack patterns.

  1. Create a comprehensive analysis script that correlates privilege usage with other security events:
# Advanced correlation analysis script
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date

# Get all Event ID 4674 entries for analysis period
# @( ) keeps .Count valid when zero or one event matches; SilentlyContinue avoids an error on no match
$PrivilegeEvents = @(Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4674
    StartTime=$StartTime
    EndTime=$EndTime
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserSid = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserSid'} | Select-Object -ExpandProperty '#text'
        SubjectUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        SubjectLogonId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'} | Select-Object -ExpandProperty '#text'
        # EventData field is PrivilegeList ("Privileges" in the rendered event)
        PrivilegeName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeList'} | Select-Object -ExpandProperty '#text'
        ObjectName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
        ProcessId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'
        ProcessName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    }
})

# Analyze privilege usage patterns
$SuspiciousPatterns = $PrivilegeEvents | Group-Object SubjectUserName | Where-Object {
    $_.Count -gt 100 -or  # High volume of privilege usage
    ($_.Group.PrivilegeName | Sort-Object -Unique).Count -gt 5  # Using many different privileges
}

Write-Host "Potentially suspicious privilege usage patterns:"
$SuspiciousPatterns | ForEach-Object {
    Write-Host "User: $($_.Name), Event Count: $($_.Count), Unique Privileges: $(($_.Group.PrivilegeName | Sort-Object -Unique).Count)"
}
  2. Correlate with logon events to identify privilege escalation attempts:
# Correlate privilege usage with logon events
# Parse each logon event once up front instead of re-parsing it for every privilege event
$LogonEvents = @(Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=@(4624, 4625)  # Successful and failed logons
    StartTime=$StartTime
    EndTime=$EndTime
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Id = $_.Id
        TargetUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    }
})

# Find privilege usage preceded (within one hour) by logons for the same account, counting failed ones separately
$CorrelatedEvents = foreach ($privEvent in $PrivilegeEvents) {
    $relatedLogons = @($LogonEvents | Where-Object {
        $_.TargetUserName -eq $privEvent.SubjectUserName -and
        $_.TimeCreated -le $privEvent.TimeCreated -and
        $_.TimeCreated -ge $privEvent.TimeCreated.AddHours(-1)
    })

    if ($relatedLogons.Count -gt 0) {
        [PSCustomObject]@{
            User = $privEvent.SubjectUserName
            PrivilegeTime = $privEvent.TimeCreated
            Privilege = $privEvent.PrivilegeName
            RelatedLogons = $relatedLogons.Count
            FailedLogons = @($relatedLogons | Where-Object { $_.Id -eq 4625 }).Count
            Process = $privEvent.ProcessName
        }
    }
}

$CorrelatedEvents | Format-Table -AutoSize
  3. Generate comprehensive security report:
# Generate detailed security analysis report
# Keep only Name/Count from the Group-Object results so the JSON does not embed every raw event
$ReportData = @{
    AnalysisPeriod = "$StartTime to $EndTime"
    TotalPrivilegeEvents = $PrivilegeEvents.Count
    UniqueUsers = ($PrivilegeEvents.SubjectUserName | Sort-Object -Unique).Count
    UniquePrivileges = ($PrivilegeEvents.PrivilegeName | Sort-Object -Unique).Count
    TopPrivileges = $PrivilegeEvents | Group-Object PrivilegeName | Sort-Object Count -Descending | Select-Object Name, Count -First 10
    TopUsers = $PrivilegeEvents | Group-Object SubjectUserName | Sort-Object Count -Descending | Select-Object Name, Count -First 10
    SuspiciousActivity = $SuspiciousPatterns | Select-Object Name, Count
}

# Export comprehensive report
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
$ReportData | ConvertTo-Json -Depth 3 | Out-File -FilePath "C:\Temp\PrivilegeUseReport_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"

Write-Host "Security analysis complete. Report saved to C:\Temp\"
Pro tip: Integrate this analysis with your SIEM system by exporting results in CEF or LEEF format for automated threat detection and response workflows.

Overview

Event ID 4674 fires whenever a user account or process attempts to perform a privileged operation on a protected system object. This security audit event captures detailed information about privilege usage, including the specific privilege exercised, the target object, and the security context of the operation. Windows generates this event as part of the advanced audit policy for privilege use, making it essential for security monitoring and compliance frameworks like SOX, HIPAA, and PCI-DSS.

The event appears in the Security log when advanced audit policies are enabled, specifically under the Privilege Use category (the Sensitive Privilege Use and Non Sensitive Privilege Use subcategories). Unlike basic privilege monitoring, Event ID 4674 provides granular details about which specific privileges were used and against what objects. This makes it invaluable for detecting privilege escalation attempts, unauthorized administrative actions, and insider threats. Security teams rely on this event to track sensitive operations like backup privileges, debug privileges, and system time changes.

Modern Windows environments in 2026 generate thousands of these events daily on busy systems, requiring proper filtering and correlation to extract meaningful security intelligence. The event structure includes process information, privilege details, and object access context that security analysts use for forensic investigations.

Frequently Asked Questions

What does Event ID 4674 mean and why is it important for security?

Event ID 4674 indicates that a user account or process has successfully exercised a specific privilege to perform an operation on a protected object. This event is crucial for security monitoring because it provides detailed audit trails of privilege usage, helping detect privilege escalation attacks, insider threats, and unauthorized administrative activities. The event captures granular information including which privilege was used, by whom, against what object, and through which process, making it invaluable for forensic investigations and compliance reporting.

How can I reduce the volume of Event ID 4674 events without losing security visibility?

To manage Event ID 4674 volume while maintaining security visibility, configure audit policies to focus on sensitive privileges only by enabling 'Audit Sensitive Privilege Use' instead of 'Audit Non Sensitive Privilege Use'. Use Group Policy to exclude routine system processes from generating these events, implement log forwarding to centralized storage with retention policies, and create filtered views that focus on high-risk privileges like SeDebugPrivilege, SeBackupPrivilege, and SeTakeOwnershipPrivilege. Consider using PowerShell scripts to aggregate and summarize routine privilege usage while alerting on anomalous patterns.

Which privileges in Event ID 4674 should I monitor most closely for security threats?

Focus monitoring on these high-risk privileges: SeDebugPrivilege (process debugging and memory access), SeBackupPrivilege and SeRestorePrivilege (file system bypass), SeTakeOwnershipPrivilege (object ownership changes), SeLoadDriverPrivilege (kernel driver loading), SeSystemtimePrivilege (system time manipulation), SeCreateTokenPrivilege (token creation), and SeAssignPrimaryTokenPrivilege (token assignment). These privileges can be abused for privilege escalation, data exfiltration, persistence mechanisms, and system compromise. Unusual usage patterns, especially by non-administrative accounts or during off-hours, warrant immediate investigation.

How do I correlate Event ID 4674 with other Windows security events for better threat detection?

Correlate Event ID 4674 with Event ID 4624/4625 (logon events) to identify privilege usage following suspicious logon attempts, Event ID 4648 (explicit credential use) to detect lateral movement, Event ID 4688 (process creation) to understand the context of privilege usage, and Event ID 4656/4658 (object access) to see what resources were accessed with elevated privileges. Use PowerShell or SIEM tools to create time-based correlations within 1-5 minute windows. Look for patterns like failed logons followed by privilege usage, unusual process chains exercising multiple privileges, or privilege usage from unexpected network locations.
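The failed-logon-then-privilege correlation described in this answer and in Method 05, applied to the event fields listed under "What This Event Means", as an added example that is not part of the original article: it parses exported Security-log event XML offline in Python (on a SIEM or analysis host rather than the endpoint), so it runs without a Windows machine. It assumes the Security-log XML namespace and the PrivilegeList EventData field name; every event below is constructed sample data, and only 4625 (not 4624) counts as the preceding logon so a hit always means a failed attempt came first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Security-log XML namespace
HIGH_RISK = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
             "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}

def parse_event(xml_text):
    """Flatten one event's System and EventData XML into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    when = system.find("e:TimeCreated", NS).get("SystemTime")  # 7 fractional digits; keep seconds
    rec = {"EventID": int(system.find("e:EventID", NS).text),
           "TimeCreated": datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S")}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = (d.text or "").strip()
    if rec["EventID"] == 4674:  # PrivilegeList may hold several whitespace-separated names
        rec["Privileges"] = set(rec.get("PrivilegeList", "").split())
    return rec

def correlate(records, window=timedelta(minutes=5)):
    """Flag 4674 high-risk uses preceded by a 4625 for the same account within window."""
    failed = [r for r in records if r["EventID"] == 4625]
    hits = []
    for r in records:
        if r["EventID"] != 4674 or not (r["Privileges"] & HIGH_RISK):
            continue
        prior = [f for f in failed
                 if f["TargetUserName"].lower() == r["SubjectUserName"].lower()
                 and r["TimeCreated"] - window <= f["TimeCreated"] <= r["TimeCreated"]]
        if prior:
            hits.append({"user": r["SubjectUserName"], "process": r["ProcessName"],
                         "privileges": sorted(r["Privileges"] & HIGH_RISK),
                         "failed_logons_before": len(prior)})
    return hits

def _event(event_id, when, data):
    """Build a minimal Security-log event XML string (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{fields}</EventData></Event>')

# Constructed sample: two failed logons for jdoe, then SeDebugPrivilege use 3 minutes later;
# a backup service account using its privileges with only a stale, hour-old 4625 behind it.
SAMPLE = [
    _event(4625, "2026-03-18T08:15:00.0000000Z",
           {"TargetUserName": "svc_backup", "TargetDomainName": "CORP", "IpAddress": "10.0.0.9"}),
    _event(4625, "2026-03-18T09:10:02.0000000Z",
           {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.0.0.5"}),
    _event(4625, "2026-03-18T09:11:30.0000000Z",
           {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.0.0.5"}),
    _event(4674, "2026-03-18T09:13:45.0000000Z",
           {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1",
            "ObjectServer": "Security", "ObjectName": "-", "ProcessId": "0x1f40",
            "ProcessName": "C:\\Tools\\dbg.exe", "PrivilegeList": "SeDebugPrivilege"}),
    _event(4674, "2026-03-18T09:20:00.0000000Z",
           {"SubjectUserName": "svc_backup", "SubjectDomainName": "CORP", "ProcessId": "0x9c4",
            "ProcessName": "C:\\Program Files\\Backup\\agent.exe",
            "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"}),
]

def run_sample(window_minutes=5):
    """Parse the constructed sample and return the correlated hits for the given window."""
    return correlate([parse_event(x) for x in SAMPLE], timedelta(minutes=window_minutes))
```

With the default 5-minute window only jdoe is flagged; widening the window to two hours also flags the service account, which is why the FAQ's 1-5 minute windows matter for noise.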
What should I do if I detect suspicious privilege usage in Event ID 4674?

When suspicious privilege usage is detected, immediately isolate the affected account by disabling it or changing passwords, review all recent activities by that account across systems, examine the process that exercised the privilege for signs of malware, check for persistence mechanisms like scheduled tasks or registry modifications, analyze network traffic for data exfiltration attempts, and review file access logs for unauthorized data access. Document all findings for incident response, preserve relevant log files and memory dumps for forensic analysis, and implement additional monitoring on related accounts and systems. Consider engaging incident response teams for sophisticated attacks involving multiple privilege escalations.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
