What does event id 4673 mean?
Event 4673 indicates that the specified user exercised the user right specified in the Privileges field. Note: “User rights” and “privileges” are synonymous terms used interchangeably in Windows. Some user rights are logged by this event – others by 4674.
What does “a privileged service was called” mean?
“Privileged Service Called” is the name of event ID 4673. Windows logs this event to register that a user has a set of special privileges when the user logs on.
What is SeTcbPrivilege privilege?
SeTcbPrivilege: Act as part of the operating system. This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
What is sensitive privilege use?
Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges: Act as part of the operating system. Back up files and directories. Restore files and directories.
What is Advapi logon process?
The logon process is marked as “advapi”, which means that the logon was a Web-based logon through the IIS web server and the advapi process. If you are not hosting IIS websites, this might mean that the computer is infected.
What is LsaRegisterLogonProcess?
The LsaRegisterLogonProcess function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set.
What is privileged process?
A privileged execution environment which may have access to elevated permissions, handles multiple user PII, and/or maintains system integrity. For example, an Android application with capabilities that would be forbidden by the SELinux untrusted_app domain or with access to privileged|signature permissions.
What is a capability Sid?
Starting with Windows 2012 and Windows 8, Microsoft introduced a new type of security identifier called capability SIDs that grants a Windows component or UWP app access to particular resources on a computer. These resources could be files, folders, Registry entries, or even devices.
How do you check SeDebugPrivilege?
The important pieces are:
- Use LookupPrivilegeValue() to find the LUID for SeDebugPrivilege.
- Use GetTokenInformation() to find out what privileges are enabled on this process already.
- If the process doesn’t have the privilege enabled, use AdjustTokenPrivileges() to attempt to enable it.
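The following is an added example, not code from the original page: it performs the first two steps above (LookupPrivilegeValue, then GetTokenInformation with the TokenPrivileges class) from PowerShell via a small C# P/Invoke wrapper, and reports whether the current token holds SeDebugPrivilege and whether it is currently enabled. The wrapper class name TokenPriv, the function name Get-PrivilegeState and the use of the .NET WindowsIdentity token handle in place of OpenProcessToken are choices made for this example. It is read-only and deliberately does not call AdjustTokenPrivileges.

```powershell
# Added example (not from the original page): inspect the current token's privileges
# with LookupPrivilegeValue + GetTokenInformation and report the state of one privilege.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenPriv   // wrapper name chosen for this example
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public int LowPart; public int HighPart; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);

    // infoClass 3 = TOKEN_INFORMATION_CLASS.TokenPrivileges
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLength, out int returnLength);
}
"@

function Get-PrivilegeState {
    param([string]$Privilege = 'SeDebugPrivilege')

    # Step 1: resolve the privilege name to the LUID that the token stores.
    $luid = New-Object TokenPriv+LUID
    if (-not [TokenPriv]::LookupPrivilegeValue($null, $Privilege, [ref]$luid)) {
        throw "LookupPrivilegeValue failed for $Privilege"
    }

    # Step 2: read TOKEN_PRIVILEGES for the current token. WindowsIdentity.Token is the
    # thread's impersonation token if one exists, otherwise the process token.
    $token = [Security.Principal.WindowsIdentity]::GetCurrent().Token
    $size = 0
    [void][TokenPriv]::GetTokenInformation($token, 3, [IntPtr]::Zero, 0, [ref]$size)  # sizing call
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        if (-not [TokenPriv]::GetTokenInformation($token, 3, $buf, $size, [ref]$size)) {
            throw "GetTokenInformation failed"
        }
        # Layout: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES entries of 12 bytes
        # (8-byte LUID followed by a 4-byte Attributes DWORD).
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $off  = 4 + ($i * 12)
            $low  = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off)
            $high = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 4)
            $attr = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 8)
            if ($low -eq $luid.LowPart -and $high -eq $luid.HighPart) {
                # SE_PRIVILEGE_ENABLED = 0x2; a privilege that is held but disabled has attributes 0.
                if ($attr -band 2) { return 'Enabled' } else { return 'Disabled' }
            }
        }
        # Not present in the token at all: AdjustTokenPrivileges can only enable privileges
        # the token already holds, so this state cannot be changed from the process itself.
        return 'NotHeld'
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

"SeDebugPrivilege: $(Get-PrivilegeState 'SeDebugPrivilege')"
"SeTcbPrivilege:   $(Get-PrivilegeState 'SeTcbPrivilege')"
```

For a non-elevated administrator the usual result is “NotHeld” (the filtered token strips SeDebugPrivilege), for an elevated one “Disabled” (held, but not enabled until a debugger or similar tool calls AdjustTokenPrivileges), and SeTcbPrivilege is normally “NotHeld” for any interactive user. Compare this with `whoami /priv`, which prints the same held/enabled information for the current token.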
How do I enable audit privilege?
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> “Audit Sensitive Privilege Use” with “Success” selected.
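As an added example that is not part of the original page, the script below does the same thing locally with auditpol (the command-line equivalent of the Advanced Audit Policy path above) and then triages the resulting 4673 events, which are the events described at the top of this page. The function names ConvertFrom-Event4673 and Get-SensitivePrivilegeUse and the watch list of four privileges are choices made for this example; the EventData field names (SubjectUserName, SubjectDomainName, SubjectLogonId, Service, PrivilegeList, ProcessName) are those that event 4673 carries. Run it from an elevated PowerShell, since reading the Security log and changing audit policy both require administrator rights.

```powershell
# Added example (not from the original page).
# Part 1: enable the "Sensitive Privilege Use" subcategory locally. A GPO that configures
# the same subcategory will override this setting on the next policy refresh.
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /get /subcategory:"Sensitive Privilege Use"

# Part 2: summarise recent 4673 events by process, user and privilege.
# Privileges worth a closer look when an unexpected process uses them (watch list chosen for this example).
$Watch = @('SeTcbPrivilege', 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege')

function ConvertFrom-Event4673 {
    # Flatten one 4673 event's EventData into an object with the fields that matter for triage.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId    = $d['SubjectLogonId']
        Process    = $d['ProcessName']
        Service    = $d['Service']
        # PrivilegeList can contain several names separated by whitespace or newlines.
        Privileges = @($d['PrivilegeList'] -split '\s+' | Where-Object { $_ })
    }
}

function Get-SensitivePrivilegeUse {
    param([int]$Hours = 1, [string[]]$Privileges = $Watch)
    $filter = @{ LogName = 'Security'; Id = 4673; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4673 $_ } |
        ForEach-Object {
            $r = $_
            # One row per (event, watched privilege) so the grouping below counts each privilege separately.
            $r.Privileges | Where-Object { $Privileges -contains $_ } | ForEach-Object {
                [pscustomobject]@{ Process = $r.Process; User = $r.User; Privilege = $_ }
            }
        } |
        Group-Object Process, User, Privilege |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Process';   e = { $_.Group[0].Process } },
            @{ n = 'User';      e = { $_.Group[0].User } },
            @{ n = 'Privilege'; e = { $_.Group[0].Privilege } }
}

Get-SensitivePrivilegeUse -Hours 1 | Format-Table -AutoSize
```

With “Success” auditing on, 4673 is one of the noisiest events in the Security log, because legitimate system components exercise sensitive privileges constantly; the value of the summary is in the rows that do not match a known process, for example an unfamiliar binary using SeDebugPrivilege or SeTcbPrivilege, or a privilege being used under a logon ID that the subject would not normally hold.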