
Windows Event ID 4696 – Microsoft-Windows-Security-Auditing: Primary Token Assigned to Process

Event ID 4696 records when Windows assigns a primary token to a new process during creation, providing detailed security context for process auditing and forensic analysis.

Emanuel DE ALMEIDA
18 March 2026 · 12 min read

Event Reference

What This Event Means

Event ID 4696 represents a fundamental component of Windows security auditing infrastructure, specifically designed to track primary token assignments during process creation. When Windows creates a new process, the system must assign a primary access token that defines the security context under which the process will execute. This token contains the user's security identifier (SID), group memberships, privileges, and other security attributes that determine what resources the process can access.

The event captures comprehensive details about both the newly created process and its security context. Key information includes the target process executable path, process ID, parent process details, and complete token information including logon session ID, authentication package used, and privilege assignments. This granular data makes Event ID 4696 particularly valuable for security investigations, compliance monitoring, and behavioral analysis of system processes.

In enterprise environments, this event is crucial for detecting privilege escalation attempts, unauthorized process execution, and suspicious activity patterns. Security teams often correlate 4696 events with other audit logs to build comprehensive timelines of system activity. The event also plays a vital role in forensic investigations, providing investigators with detailed evidence of process creation activities and their associated security contexts during specific timeframes.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Normal process creation by users launching applications or system services
  • Scheduled tasks executing with specific user credentials or service accounts
  • Service startup and restart operations assigning tokens to service processes
  • Process creation through automation tools, scripts, or remote management systems
  • System processes spawning child processes with inherited or modified security contexts
  • Application installations creating temporary processes with elevated privileges
  • Security software or antivirus engines creating scanning processes with system-level tokens
  • Remote desktop or terminal services sessions launching user processes
  • Windows Update or system maintenance processes creating temporary worker processes
Resolution Methods

Troubleshooting Steps

Step 1: Review Event Details in Event Viewer

Start by examining the specific Event ID 4696 entries to understand the process creation context and security token details.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. In the Actions pane, click Filter Current Log
  4. Enter 4696 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4696 entries to examine details
  6. Review key fields including:
    • Subject: User account that created the process
    • New Process Information: Target executable and process ID
    • Token Information: Security context and privileges
    • Process Information: Parent process details

Pay special attention to processes created with elevated privileges or unusual parent-child relationships that might indicate suspicious activity.

Step 2: Query Events with PowerShell Filtering

Use PowerShell to efficiently query and analyze Event ID 4696 entries with specific filtering criteria.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4696 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddHours(-24)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed process information:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696} -MaxEvents 20 | ForEach-Object {
        $Event = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            ProcessName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'} | Select-Object -ExpandProperty '#text'
            ProcessId = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessId'} | Select-Object -ExpandProperty '#text'
            SubjectUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        }
    }
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696} -MaxEvents 100 | Export-Csv -Path "C:\Temp\Event4696_Analysis.csv" -NoTypeInformation

Step 3: Configure Process Auditing Policy

Ensure proper audit policy configuration to capture Event ID 4696 entries with appropriate detail levels.

  1. Open Local Security Policy by running secpol.msc as Administrator
  2. Navigate to Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
  3. Double-click Audit Process Creation
  4. Check both Success and Failure options
  5. Click OK to apply changes
  6. For Group Policy environments, configure via:
    • Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
  7. Verify current audit settings with PowerShell:
    auditpol /get /category:"Detailed Tracking"
  8. Enable command line auditing for enhanced process tracking:
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
  9. Restart the system or run gpupdate /force to apply policy changes

Pro tip: Enable command line auditing to capture full command line arguments in process creation events for better forensic analysis.

Step 4: Analyze Token Privileges and Security Context

Perform detailed analysis of security token information within Event ID 4696 to identify privilege escalation or suspicious token assignments.

  1. Extract token information from events using PowerShell:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696} -MaxEvents 10 | ForEach-Object {
        $Event = [xml]$_.ToXml()
        $TokenType = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TokenType'} | Select-Object -ExpandProperty '#text'
        $ImpersonationLevel = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'ImpersonationLevel'} | Select-Object -ExpandProperty '#text'
        $NewProcessName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'} | Select-Object -ExpandProperty '#text'
        
        Write-Output "Process: $NewProcessName | Token Type: $TokenType | Impersonation: $ImpersonationLevel"
    }
  2. Check for processes with elevated privileges:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696} | Where-Object {
        $_.Message -match "TokenType.*Primary" -and $_.Message -match "ImpersonationLevel.*%%1833"
    } | Select-Object TimeCreated, Message
  3. Identify unusual parent-child process relationships:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696} -MaxEvents 50 | ForEach-Object {
        $Event = [xml]$_.ToXml()
        $ParentProcessName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'ParentProcessName'} | Select-Object -ExpandProperty '#text'
        $NewProcessName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'} | Select-Object -ExpandProperty '#text'
        
        if ($ParentProcessName -and $NewProcessName) {
            "$ParentProcessName -> $NewProcessName"
        }
    } | Group-Object | Sort-Object Count -Descending
  4. Monitor for service account token assignments:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696} | Where-Object {
        $_.Message -match "SYSTEM|SERVICE|NETWORK SERVICE"
    } | Select-Object TimeCreated, @{Name='ProcessInfo';Expression={($_.Message -split '\n' | Select-String 'New Process Name').ToString()}}
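The parent-child and "unusual location" checks described in step 3 above (and in the filtering FAQ below) can be turned into reusable rules. The following PowerShell is an added example, not code from the article; the function names, rule lists and both sample records are constructed assumptions, and the flattening mirrors the `[xml]$_.ToXml()` parsing the article uses.

```powershell
# Added example (not from the article); function names, rules and sample records are constructed assumptions.
function ConvertFrom-Event4696 {
    # Flatten the EventData <Data Name="..."> elements (as produced by [xml]$_.ToXml()) into one object
    param([Parameter(Mandatory)][System.Xml.XmlDocument]$Xml)
    $data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        NewProcessName    = $data['NewProcessName']
        ParentProcessName = $data['ParentProcessName']
        SubjectUserName   = $data['SubjectUserName']
    }
}

function Test-Event4696Anomaly {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $leaf = { param($p) if ($p) { (Split-Path $p -Leaf).ToLower() } else { '' } }  # Split-Path throws on $null
        $child  = & $leaf $Record.NewProcessName
        $parent = & $leaf $Record.ParentProcessName
        $reasons = @()
        # Rule 1: shell or script host spawned by an Office application or browser
        $interpreters = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
        $riskyParents = 'winword.exe', 'excel.exe', 'outlook.exe', 'chrome.exe', 'msedge.exe'
        if ($interpreters -contains $child -and $riskyParents -contains $parent) { $reasons += "interpreter spawned by $parent" }
        # Rule 2: executable started from a temp or download directory inside a user profile
        if ($Record.NewProcessName -match '\\Users\\[^\\]+\\(.*\\)?(Temp|Downloads)\\') { $reasons += 'executable in temp/download path' }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Process = $Record.NewProcessName; Parent  = $Record.ParentProcessName
                User    = $Record.SubjectUserName; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample in the shape of a 4696 event's XML; replace with Get-WinEvent output in practice
$sampleXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ParentProcessName">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="NewProcessName">C:\Users\jdoe\AppData\Local\Temp\update.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4696 $sampleXml | Test-Event4696Anomaly   # fires rule 2
# Second constructed record, built directly: cmd.exe launched by Outlook fires rule 1
[PSCustomObject]@{ NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; SubjectUserName = 'jdoe' } | Test-Event4696Anomaly
```

To run the rules against live data, pipe `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696}` through `ForEach-Object { ConvertFrom-Event4696 ([xml]$_.ToXml()) }` and then into `Test-Event4696Anomaly`.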

Step 5: Implement Automated Monitoring and Alerting

Set up automated monitoring for Event ID 4696 to detect suspicious process creation patterns and security anomalies.

  1. Create a PowerShell monitoring script:
    # Save as Monitor-Event4696.ps1
    param(
        [int]$CheckIntervalMinutes = 5,
        [string]$AlertLogPath = "C:\Logs\Event4696_Alerts.log"
    )
    
    # Interpreters and script hosts whose creation is worth a closer look
    $SuspiciousProcesses = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    $LastCheck = (Get-Date).AddMinutes(-$CheckIntervalMinutes)
    
    # Make sure the alert log directory exists before the first Add-Content
    $null = New-Item -ItemType Directory -Path (Split-Path $AlertLogPath -Parent) -Force
    
    while ($true) {
        # Take the timestamp before querying so events logged during the query are not skipped next round
        $QueryTime = Get-Date
        $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4696; StartTime=$LastCheck} -ErrorAction SilentlyContinue
        
        foreach ($Event in $Events) {
            $EventXml = [xml]$Event.ToXml()
            $ProcessName = $EventXml.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'} | Select-Object -ExpandProperty '#text'
            $SubjectUser = $EventXml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            
            # Skip records without a process path: Split-Path throws on a null path
            if ($ProcessName -and ($SuspiciousProcesses -contains (Split-Path $ProcessName -Leaf))) {
                $AlertMessage = "ALERT: Suspicious process creation - $ProcessName by $SubjectUser at $($Event.TimeCreated)"
                Add-Content -Path $AlertLogPath -Value $AlertMessage
                Write-Warning $AlertMessage
            }
        }
        
        $LastCheck = $QueryTime
        Start-Sleep -Seconds ($CheckIntervalMinutes * 60)
    }
  2. Create a scheduled task to run the monitoring script:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-Event4696.ps1"
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    $Principal = New-ScheduledTaskPrincipal -UserID "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
    
    Register-ScheduledTask -TaskName "Monitor-Event4696" -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings
  3. Set up Windows Event Forwarding for centralized monitoring:
    # On the collector server: configure the Windows Event Collector service (quiet mode)
    wecutil qc /q
    
    # Create the subscription configuration. The closing "@ of the here-string must start at the beginning of its line.
    $SubscriptionXml = @"
    <Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/1/Subscription.xsd">
        <SubscriptionId>Event4696-Collection</SubscriptionId>
        <SubscriptionType>SourceInitiated</SubscriptionType>
        <Description>Collect Event ID 4696 from domain computers</Description>
        <Enabled>true</Enabled>
        <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
        <ConfigurationMode>Normal</ConfigurationMode>
        <Query>
            <![CDATA[
                <QueryList>
                    <Query Id="0" Path="Security">
                        <Select Path="Security">*[System[(EventID=4696)]]</Select>
                    </Query>
                </QueryList>
            ]]>
        </Query>
        <!-- SDDL naming the computers allowed to forward (here Domain Computers and Network Service); adjust for your domain -->
        <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
    </Subscription>
"@
    
    $SubscriptionXml | Out-File -FilePath "C:\Temp\Event4696-Subscription.xml"
    wecutil cs "C:\Temp\Event4696-Subscription.xml"

Warning: High-volume environments may generate thousands of Event ID 4696 entries. Implement appropriate log retention and filtering policies to manage storage requirements.

Overview

Event ID 4696 fires whenever Windows assigns a primary token to a newly created process. This security audit event captures critical information about process creation, including the security context, user credentials, and token privileges associated with the new process. The event is part of Windows' comprehensive process auditing framework and appears in the Security log when process creation auditing is enabled through Group Policy or local security policy.

This event provides forensic investigators and security administrators with detailed visibility into process spawning activities on Windows systems. Each 4696 event contains the process ID, executable path, parent process information, and the complete security token details including user SID, logon session, and privilege assignments. The event fires immediately after successful process creation but before the process begins execution, making it valuable for real-time monitoring and post-incident analysis.

Understanding Event ID 4696 is essential for security monitoring, compliance auditing, and incident response activities. The event works in conjunction with other process-related audit events like 4688 (process creation) to provide a complete picture of process lifecycle management on Windows systems.

Frequently Asked Questions

What does Event ID 4696 mean and when does it occur?
Event ID 4696 indicates that Windows has assigned a primary access token to a newly created process. This event occurs every time a process is created on the system and captures detailed information about the security context, including user credentials, privileges, and token type. The event fires immediately after process creation but before the process begins execution, making it valuable for security monitoring and forensic analysis. It's part of Windows' comprehensive audit framework and appears in the Security log when process creation auditing is enabled.

How do I enable Event ID 4696 logging on my Windows system?
To enable Event ID 4696 logging, you need to configure process creation auditing through Local Security Policy or Group Policy. Open secpol.msc as Administrator, navigate to Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking, and enable 'Audit Process Creation' for both Success and Failure events. In domain environments, configure this through Group Policy under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration. After enabling, run 'gpupdate /force' or restart the system to apply changes.

What information does Event ID 4696 contain that's useful for security analysis?
Event ID 4696 contains comprehensive security information including the subject user account that created the process, target process executable path and process ID, parent process information, security token details (type, impersonation level, privileges), logon session ID, and authentication package used. This data is crucial for detecting privilege escalation attempts, unauthorized process execution, and suspicious parent-child process relationships. Security teams use this information to build process execution timelines, identify anomalous behavior patterns, and conduct forensic investigations of security incidents.

How can I filter Event ID 4696 entries to focus on suspicious activity?
Filter Event ID 4696 entries by focusing on processes with elevated privileges, unusual parent-child relationships, or execution by service accounts. Use PowerShell to query events with specific criteria like processes created by SYSTEM or service accounts, executables launched from unusual locations (temp directories, user profiles), or processes with primary tokens that have high-privilege assignments. Look for patterns such as cmd.exe or powershell.exe spawned by unexpected parent processes, or legitimate system processes creating child processes with different security contexts than expected.

What's the difference between Event ID 4696 and Event ID 4688?
Event ID 4696 specifically tracks primary token assignment to processes, focusing on the security context and token details, while Event ID 4688 records general process creation events with emphasis on the executable path, command line arguments, and basic process information. Event ID 4696 provides deeper security token analysis including impersonation levels, privilege assignments, and authentication context, making it more valuable for security investigations. Event ID 4688 is broader and captures all process creation activity with command line details when enabled. Both events complement each other in comprehensive process monitoring strategies.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
