
Windows Event ID 4699 – Security: A Token Right Was Adjusted

Event ID 4699 is logged when Windows adjusts the privileges of a user or process token, typically during privilege escalation or a change of security context. It is critical for security auditing and privilege monitoring.

Emanuel DE ALMEIDA | 18 March 2026 | 12 min read
Event ID 4699 | Microsoft-Windows-Security-Auditing | 5 methods

What This Event Means

Windows Event ID 4699 represents a fundamental security audit mechanism that tracks token privilege adjustments within the Windows security subsystem. When a process or user account requires additional privileges to perform specific operations, Windows modifies the security token associated with that entity. This modification triggers Event ID 4699, creating an audit trail of privilege changes.

The event contains critical information including the target account name, the specific privileges that were adjusted, the process responsible for the change, and the security context under which the adjustment occurred. This granular detail makes it invaluable for forensic analysis and security monitoring.

Token rights adjustments commonly occur during system startup when services initialize with their required privileges, during user logons when profile-specific privileges are applied, or when applications invoke UAC to request elevated permissions. The event also fires when Group Policy changes affect user rights assignments or when security software modifies process privileges.

In enterprise environments, Event ID 4699 serves as a cornerstone for privilege monitoring strategies. Security teams configure SIEM systems to collect and analyze these events, establishing baselines for normal privilege adjustment patterns and alerting on anomalous activities that might indicate compromise or policy violations.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • User logon processes applying profile-specific privileges and rights
  • Windows services starting up and acquiring necessary operational privileges
  • Applications requesting elevated privileges through User Account Control (UAC)
  • Group Policy changes affecting user rights assignments and privilege distributions
  • Security software or endpoint protection tools modifying process token privileges
  • Administrative tools like RunAs or PowerShell executing with different security contexts
  • System processes adjusting privileges during boot sequence or service initialization
  • Third-party applications or drivers requesting specific system privileges
  • Token impersonation scenarios where processes assume different user contexts
Troubleshooting Steps

01. Examine Event Details in Event Viewer

Start by reviewing the specific details of Event ID 4699 to understand what privilege was adjusted and for which account.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4699 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4699 in the Event IDs field and click OK
  5. Double-click on a 4699 event to view detailed information including:
    • Subject account name and domain
    • Target account for privilege adjustment
    • Specific privileges that were modified
    • Process name and ID responsible for the change
    • Logon ID linking to related authentication events
  6. Cross-reference the Logon ID with Event ID 4624 (successful logon) to understand the full context
Pro tip: Look for the "Privileges" field in the event details to see exactly which rights were adjusted, such as SeDebugPrivilege or SeBackupPrivilege.
02. Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze Event ID 4699 patterns and identify unusual privilege adjustment activities.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4699 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific user accounts:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} | Where-Object {$_.Message -like "*username*"} | Select-Object TimeCreated, Message  # replace username with the account under review
  4. Analyze privilege adjustment frequency by hour:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} -MaxEvents 1000 | Group-Object {$_.TimeCreated.Hour} | Sort-Object Name
  5. Export events for detailed analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} | Export-Csv -Path "C:\temp\Event4699_Analysis.csv" -NoTypeInformation
  6. Search for specific privilege types:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} | Where-Object {$_.Message -like "*SeDebugPrivilege*"}
Warning: High volumes of Event ID 4699 entries might indicate privilege escalation attacks or misconfigured applications requesting unnecessary privileges.
03. Correlate with Process and Logon Events

Investigate the broader context by correlating Event ID 4699 with related security events to understand the complete privilege adjustment scenario.

  1. Identify the Process ID from the Event ID 4699 details
  2. Search for process creation events (Event ID 4688) with matching Process ID:
    $ProcessID = "0x4d2"  # Replace with the Process ID exactly as shown in Event 4699; Security events record PIDs in hexadecimal, so a decimal value would not match
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*$ProcessID*"}
  3. Find related logon events using the Logon ID:
    $LogonID = "0x12345"  # Replace with actual Logon ID from Event 4699
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | Where-Object {$_.Message -like "*$LogonID*"}
  4. Check for special-privilege logon events (Event ID 4672, special privileges assigned to new logon) that might be related:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-1)}
  5. Review Group Policy application events if privilege changes seem policy-related:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503}
  6. Create a timeline view of related events:
    $StartTime = (Get-Date).AddHours(-2)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699,4688,4624,4672; StartTime=$StartTime}
    $Events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, Message
04. Configure Advanced Auditing and Monitoring

Set up comprehensive monitoring for privilege adjustments to detect security issues and maintain compliance.

  1. Enable detailed privilege use auditing through Group Policy:
    • Open Group Policy Management Console
    • Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
    • Expand Privilege Use and configure Audit Sensitive Privilege Use
  2. Configure registry settings for enhanced privilege auditing:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "FullPrivilegeAuditing" -Value 1 -Type DWord  # the registry provider requires the HKLM: drive prefix
  3. Set up Windows Event Forwarding for centralized collection:
    wecutil cs subscription.xml  # After creating appropriate subscription XML
  4. Create custom Event Viewer views for Event ID 4699 monitoring:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Set Event IDs to 4699 and configure additional filters as needed
  5. Configure PowerShell scheduled task for regular analysis:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Analyze4699Events.ps1"
    $Trigger = New-ScheduledTaskTrigger -Daily -At "06:00AM"
    Register-ScheduledTask -TaskName "Event4699Analysis" -Action $Action -Trigger $Trigger
Pro tip: Consider implementing SIEM integration to automatically correlate Event ID 4699 with threat intelligence feeds and behavioral analytics.
05. Investigate Security Implications and Remediation

Perform thorough security analysis when Event ID 4699 indicates potential privilege abuse or unauthorized access attempts.

  1. Analyze privilege escalation patterns using advanced PowerShell queries:
    $SuspiciousPrivileges = @("SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege")
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} | Where-Object {
        $Message = $_.Message
        $SuspiciousPrivileges | Where-Object {$Message -like "*$_*"}
    }
  2. Check for privilege adjustments outside business hours:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} | Where-Object {
        $_.TimeCreated.Hour -lt 6 -or $_.TimeCreated.Hour -gt 22
    } | Select-Object TimeCreated, Message
  3. Investigate user accounts with frequent privilege adjustments:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699} -MaxEvents 1000 | ForEach-Object {
        if ($_.Message -match "Account Name:\s+([^\r\n]+)") {
            $matches[1].Trim()
        }
    } | Group-Object | Sort-Object Count -Descending
  4. Review current user rights assignments:
    secedit /export /cfg C:\temp\current_rights.inf
    Get-Content C:\temp\current_rights.inf | Select-String "Se.*Privilege"
  5. Implement immediate containment if suspicious activity is detected:
    • Disable affected user accounts temporarily
    • Reset passwords for compromised accounts
    • Review and revoke unnecessary privileges
    • Enable additional logging for affected systems
  6. Document findings and create incident response timeline:
    $IncidentEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699,4688,4624,4625; StartTime=(Get-Date).AddDays(-1)}
    $IncidentEvents | Export-Csv -Path "C:\temp\SecurityIncident_$(Get-Date -Format 'yyyyMMdd').csv"
Warning: Unusual privilege adjustment patterns, especially involving debug or driver loading privileges, may indicate advanced persistent threats or insider attacks requiring immediate investigation.
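As an added example (not the article's own code), the following PowerShell script ties steps 02, 03 and 05 together: it reads each event's XML fields instead of matching on the free-text Message, joins every Event ID 4699 record to its 4688 counterpart by Process ID (both events store the PID as a hex string, so the join is exact) and to its 4624 counterpart by Logon ID, then scores it with the sensitive-privilege and off-hours checks described above. It assumes the 4699 record exposes the fields SubjectUserName, TargetUserName, SubjectLogonId, ProcessId, ProcessName and EnabledPrivilegeList (verify these against the event's XML view), the standard NewProcessId/ParentProcessName fields of 4688 and TargetLogonId/LogonType of 4624, and a two-hour window.

```powershell
# Added example: XML-field parsing, 4688/4624 correlation and triage scoring for Event ID 4699.
# Assumed 4699 field names (verify against the event's XML view): SubjectUserName, TargetUserName,
# SubjectLogonId, ProcessId, ProcessName, EnabledPrivilegeList.
$Sensitive = 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
             'SeBackupPrivilege', 'SeRestorePrivilege'

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="...">value</Data></EventData> into one object.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Find-ByKey($Table, $Key) {
    # Hashtable lookup that tolerates a missing field (ContainsKey throws on $null).
    if ($Key -and $Table.ContainsKey($Key)) { $Table[$Key] } else { $null }
}

$Start = (Get-Date).AddHours(-2)
$All = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4699,4688,4624; StartTime=$Start} -ErrorAction SilentlyContinue |
       ForEach-Object { ConvertFrom-EventData $_ }

# Both 4688 (NewProcessId) and 4699 (ProcessId) record the PID as a hex string, so the join is exact.
$ProcByPid = @{}; $All | Where-Object Id -eq 4688 | ForEach-Object { $ProcByPid[$_.NewProcessId] = $_ }
$LogonById = @{}; $All | Where-Object Id -eq 4624 | ForEach-Object { $LogonById[$_.TargetLogonId] = $_ }

$Report = foreach ($e in ($All | Where-Object Id -eq 4699)) {
    $privs = @($e.EnabledPrivilegeList -split '\s+' | Where-Object { $_ })
    $hits  = @($privs | Where-Object { $Sensitive -contains $_ })
    $proc  = Find-ByKey $ProcByPid $e.ProcessId
    $logon = Find-ByKey $LogonById $e.SubjectLogonId
    $score = 0
    if ($hits.Count -gt 0) { $score += 3 }                                          # sensitive privilege enabled
    if ($e.TimeCreated.Hour -lt 6 -or $e.TimeCreated.Hour -gt 22) { $score += 1 }   # outside business hours
    if (-not $proc) { $score += 1 }   # no 4688 in window: process auditing off, PID reused, or older process
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Subject   = $e.SubjectUserName
        Target    = $e.TargetUserName
        Process   = $e.ProcessName
        Parent    = if ($proc) { $proc.ParentProcessName } else { '<no 4688 match>' }
        LogonType = if ($logon) { $logon.LogonType } else { '<no 4624 match>' }
        Sensitive = $hits -join ','
        Score     = $score
    }
}
$Report | Sort-Object Score -Descending | Format-Table -AutoSize
```

A 4699 record with no 4688 partner is not necessarily suspicious on its own; it is usually an old process or process-creation auditing being disabled, which is why it only adds one point.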

Overview

Event ID 4699 fires when the Windows security subsystem adjusts token rights for a user account or process. This event captures privilege modifications in real time, making it essential for security monitoring and compliance auditing. The event typically occurs during logon processes, service startups, or when applications request elevated privileges through User Account Control (UAC).

This security audit event appears in the Windows Security log and provides detailed information about which privileges were adjusted, for which account, and by what process. Security administrators rely on this event to track privilege escalation attempts, monitor service account behavior, and investigate potential security breaches.

The event becomes particularly important in environments where privilege management is critical, such as domain controllers, financial systems, or high-security networks. Understanding when and why token rights are adjusted helps maintain the principle of least privilege and detect unauthorized privilege modifications.

Frequently Asked Questions

What does Windows Event ID 4699 specifically track?
Event ID 4699 tracks token right adjustments in Windows security subsystem. It logs when privileges are added to or removed from user accounts or process tokens, capturing details like the affected account, specific privileges modified, and the process responsible for the change. This event is crucial for monitoring privilege escalation and maintaining security audit trails.
How can I distinguish between normal and suspicious Event ID 4699 activities?
Normal Event ID 4699 activities include service startups, user logons, and UAC elevations during business hours. Suspicious patterns include privilege adjustments outside business hours, frequent modifications to sensitive privileges like SeDebugPrivilege or SeTakeOwnershipPrivilege, adjustments by unusual processes, or high-frequency privilege changes from single accounts. Establish baselines to identify deviations.
Which privileges in Event ID 4699 should trigger immediate security alerts?
Critical privileges that warrant immediate attention include SeDebugPrivilege (allows debugging any process), SeTakeOwnershipPrivilege (can take ownership of any object), SeLoadDriverPrivilege (loads kernel drivers), SeBackupPrivilege (bypasses file permissions), and SeRestorePrivilege (modifies any file). These privileges can be used for privilege escalation and should be monitored closely in security-sensitive environments.
How do I correlate Event ID 4699 with other Windows security events?
Correlate Event ID 4699 using the Logon ID field with Event ID 4624 (successful logon) and Process ID with Event ID 4688 (process creation). Also check Event ID 4672 (special privileges assigned to new logon) and Event ID 4673 (privileged service called). Use PowerShell to match these fields across events and create comprehensive timelines of privilege-related activities.
Can Event ID 4699 help detect advanced persistent threats (APTs)?
Yes, Event ID 4699 is valuable for APT detection as attackers often need elevated privileges for persistence and lateral movement. Look for unusual privilege patterns, privilege adjustments by unexpected processes, or privilege escalation attempts outside normal operational hours. Combine with behavioral analysis and threat intelligence to identify sophisticated attacks that rely on privilege abuse for maintaining persistence in enterprise networks.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
