ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event ID 6274InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 6274Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 6274 is generated by the Microsoft-Windows-Security-Auditing provider as part of the advanced audit policy framework introduced in Windows Vista and enhanced through Windows 11 and Server 2025. This event specifically tracks the assignment of special privileges during the logon process, providing detailed information about which elevated rights a user session receives.

The event occurs after successful authentication but before the user session becomes fully active. Windows evaluates the user's group memberships, assigned user rights, and security policies to determine which special privileges should be granted. These privileges are then assigned to the logon session and recorded in Event ID 6274. The timing is critical because it captures the exact moment when elevated access is granted, making it valuable for security timeline reconstruction.

Special privileges tracked by this event include system-level rights like SeDebugPrivilege (debug programs), SeLoadDriverPrivilege (load and unload device drivers), SeTcbPrivilege (act as part of the operating system), SeBackupPrivilege (backup files and directories), and SeRestorePrivilege (restore files and directories). Each privilege represents a significant security capability that could be misused if granted inappropriately.

The event structure includes the logon session ID, which correlates with other security events, the user account information, and a detailed list of assigned privileges. This correlation capability makes Event ID 6274 essential for comprehensive security monitoring and forensic analysis in enterprise environments.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User logon with administrative privileges or membership in privileged groups like Administrators, Backup Operators, or Debug Users
  • Service account startup that requires elevated system privileges to perform its designated functions
  • Application launch with "Run as administrator" or elevated token that inherits special privileges from the user context
  • Group Policy changes that modify user rights assignments, granting new special privileges to users or groups
  • Security policy modifications that alter privilege assignment rules for specific logon types or user categories
  • System service initialization during boot process where services receive necessary privileges for system operation
  • Remote desktop or terminal services logon where users receive privileges based on their remote access rights configuration
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 6274 to understand which privileges were assigned and to which user account.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 6274 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 6274 in the Event IDs field and click OK
  5. Double-click on a 6274 event to view detailed information including:
    • Subject: User account that received privileges
    • Logon ID: Session identifier for correlation
    • Privileges: List of special privileges assigned
  6. Note the timestamp and correlate with other security events using the Logon ID

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6274} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='LogonId';Expression={$_.Properties[2].Value}}
02

Analyze Privilege Assignment Patterns

Examine patterns in privilege assignments to identify normal versus suspicious activity and ensure proper access control.

  1. Query events for specific users to establish baseline privilege patterns:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6274} -MaxEvents 1000
$Events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        User = $xml.Event.EventData.Data[1].'#text'
        LogonId = $xml.Event.EventData.Data[2].'#text'
        Privileges = $xml.Event.EventData.Data[4].'#text'
    }
} | Group-Object User | Sort-Object Count -Descending
  1. Review the Local Security Policy to verify user rights assignments:
    • Run secpol.msc as administrator
    • Navigate to Local PoliciesUser Rights Assignment
    • Check assignments for privileges like "Debug programs", "Load and unload device drivers", "Act as part of the operating system"
  2. Compare assigned privileges against job requirements and principle of least privilege
  3. Document any unexpected privilege assignments for further investigation
Pro tip: Create a baseline of normal privilege assignments for your environment to quickly identify anomalies.
03

Correlate with Logon Events for Complete Session Analysis

Link Event ID 6274 with related logon events to build a complete picture of user session establishment and privilege usage.

  1. Identify the Logon ID from Event 6274 and search for corresponding logon events:
$LogonId = "0x3e7"  # Replace with actual Logon ID from Event 6274
$RelatedEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4634,4647,6274} | Where-Object {
    $_.Message -match $LogonId
} | Sort-Object TimeCreated
  1. Analyze the sequence of events to understand the complete logon session:
    • Event 4624: Successful logon
    • Event 6274: Special privileges assigned
    • Event 4634/4647: Logoff events
  2. Check for privilege usage events that follow privilege assignment:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673,4674} | Where-Object {
    $_.TimeCreated -gt (Get-Date).AddHours(-24) -and $_.Message -match $LogonId
}
  1. Review Process and Thread audit events (4688, 4689) to see if elevated privileges were actually used
  2. Generate a timeline report combining all related events for comprehensive analysis
04

Implement Advanced Monitoring and Alerting

Set up proactive monitoring to detect unusual privilege assignments and potential security threats in real-time.

  1. Create a custom Windows Event Forwarding (WEF) subscription to centralize Event 6274 collection:
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>PrivilegeAssignment</SubscriptionId>
    <Query>
        <Select Path="Security">*[System[(EventID=6274)]]</Select>
    </Query>
</Subscription>
  1. Configure Group Policy to enable advanced audit policy for privilege use:
    • Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
    • Enable Audit Sensitive Privilege Use and Audit Non Sensitive Privilege Use
  2. Create PowerShell monitoring script for real-time alerting:
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=6274" -Action {
    $Event = $Event.SourceEventArgs.NewEvent
    $Message = $Event.Message
    if ($Message -match "SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege") {
        Send-MailMessage -To "security@company.com" -Subject "High-Risk Privilege Assignment" -Body $Message -SmtpServer "mail.company.com"
    }
}
  1. Integrate with SIEM solutions using Windows Event Collector or third-party agents
  2. Set up automated response procedures for critical privilege assignments
05

Forensic Analysis and Compliance Reporting

Perform detailed forensic analysis of privilege assignments for security investigations and compliance requirements.

  1. Export Event 6274 data for long-term analysis and compliance reporting:
$StartDate = (Get-Date).AddDays(-30)
$EndDate = Get-Date
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6274; StartTime=$StartDate; EndTime=$EndDate}

$Report = $Events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Computer = $_.MachineName
        User = $xml.Event.EventData.Data[1].'#text'
        LogonId = $xml.Event.EventData.Data[2].'#text'
        LogonType = $xml.Event.EventData.Data[3].'#text'
        Privileges = $xml.Event.EventData.Data[4].'#text'
    }
}

$Report | Export-Csv -Path "C:\Reports\PrivilegeAssignments_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  1. Analyze privilege assignment frequency and patterns for anomaly detection:
$Report | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count, @{Name='LastAssignment';Expression={($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated}}
  1. Cross-reference with Active Directory to validate user permissions:
Import-Module ActiveDirectory
$UniqueUsers = $Report | Select-Object -ExpandProperty User -Unique
foreach ($User in $UniqueUsers) {
    try {
        $ADUser = Get-ADUser -Identity $User -Properties MemberOf
        Write-Output "$User groups: $($ADUser.MemberOf -join '; ')"
    } catch {
        Write-Warning "Could not find AD user: $User"
    }
}
  1. Generate compliance reports showing privilege assignment trends and policy adherence
  2. Archive forensic data according to organizational retention policies
Warning: Ensure proper access controls on forensic data as it contains sensitive security information.

Overview

Event ID 6274 fires when Windows assigns special privileges to a newly established logon session. This security audit event tracks when users receive elevated privileges that allow them to perform sensitive system operations like debugging programs, loading device drivers, or acting as part of the operating system. The event appears in the Security log whenever a user logs on and receives one or more special privileges based on their account rights and group memberships.

This event is crucial for security monitoring as it identifies when users gain access to powerful system capabilities. Special privileges include rights like SeDebugPrivilege, SeLoadDriverPrivilege, SeTcbPrivilege, and others that can significantly impact system security. The event captures the logon session ID, user account details, and the specific privileges assigned, making it valuable for compliance auditing and security incident investigation.

System administrators typically see this event for service accounts, administrative users, and applications running with elevated permissions. Understanding when and why these privileges are assigned helps maintain proper access control and detect potential privilege escalation attempts.

Frequently Asked Questions

What does Event ID 6274 mean and why is it important for security monitoring?+
Event ID 6274 indicates that special privileges have been assigned to a new logon session. This event is crucial for security monitoring because it tracks when users receive elevated system privileges like SeDebugPrivilege, SeLoadDriverPrivilege, or SeTcbPrivilege. These privileges allow users to perform sensitive operations that could compromise system security if misused. By monitoring Event 6274, administrators can detect unauthorized privilege escalation, ensure compliance with least privilege principles, and maintain an audit trail of elevated access assignments.
How can I determine which specific privileges were assigned in Event ID 6274?+
The specific privileges assigned are listed in the event details under the 'Privileges' field. You can view this information by opening the event in Event Viewer and examining the event data, or by using PowerShell to parse the XML structure. Common privileges include SeDebugPrivilege (debug programs), SeBackupPrivilege (backup files), SeRestorePrivilege (restore files), SeLoadDriverPrivilege (load drivers), and SeTcbPrivilege (act as part of OS). Each privilege represents a specific elevated capability that the user session can exercise.
Is Event ID 6274 always a security concern or can it be normal system behavior?+
Event ID 6274 can represent both normal system behavior and potential security concerns. Normal occurrences include administrative users logging in, service accounts starting with required privileges, and legitimate applications running with elevated permissions. However, it becomes a security concern when unexpected users receive high-risk privileges, when privilege assignments don't align with job requirements, or when the timing correlates with suspicious activities. The key is establishing a baseline of normal privilege assignments for your environment and investigating deviations from that baseline.
How do I correlate Event ID 6274 with other security events for complete session analysis?+
Use the Logon ID field from Event 6274 to correlate with other security events. Start with Event 4624 (successful logon) to see how the session was established, then look for Events 4672-4674 (privilege use events) to see if assigned privileges were actually used. Event 4634 or 4647 shows session termination. You can also correlate with process creation events (4688) to see what programs ran with elevated privileges. This correlation provides a complete timeline of session establishment, privilege assignment, privilege usage, and session termination.
What should I do if I find unexpected or suspicious Event ID 6274 entries?+
First, verify the user account legitimacy and check if the privilege assignment aligns with their job role and group memberships. Review the Local Security Policy and Group Policy settings to ensure user rights assignments are correct. Examine the logon type and source to understand how the session was established. Look for correlating events that might indicate malicious activity, such as unusual process executions or file access patterns. If the assignment appears unauthorized, immediately investigate for potential compromise, consider disabling the affected account, and review recent system changes. Document all findings for potential incident response procedures.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 6274 and related privilege assignment monitoring.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation on configuring advanced audit policies for privilege use and security monitoring in Windows environments.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-6274#security-auditing#privilege-assignment

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min
Windows security monitoring dashboard displaying authentication package loading events in Event Viewer
Event 5632
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 5632 – LSA: Authentication Package Loaded

Event ID 5632 indicates that an authentication package has been loaded by the Local Security Authority (LSA). This security audit event tracks when authentication providers are initialized during system startup or security subsystem changes.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...