
Windows Event ID 4672 - Special Privileges Assigned

Records that special privileges were assigned to a new logon session. Generated at logon time, alongside the 4624 event for the same Logon ID, when the session's token holds sensitive privileges such as SeDebugPrivilege, SeTakeOwnershipPrivilege, or SeSecurityPrivilege. Essential for spotting administrative logons and for investigating privilege escalation. It fires for every such logon, including the built-in SYSTEM and service accounts, so filtering is usually required before it is useful for alerting.

Quick Facts

Default Path
%SystemRoot%\System32\winevt\Logs\Security.evtx (local Security channel; forwarded to a SIEM via Windows Event Forwarding or an agent)
Default Format
Windows Event Log (EVTX)
JSON Native
No
Rotation
Governed by the Security log's maximum size and retention policy (default 20 MB, oldest events overwritten as needed)

Log Example

Default format: Windows Event Log Format

Example Log Entry
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/29/2026 10:15:32 AM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
Computer:      DC01.corp.local
Description:
Special privileges assigned to new logon.

Subject:
    Security ID:        S-1-5-21-1234567890-1234567890-1234567890-500
    Account Name:       Administrator
    Account Domain:     CORP
    Logon ID:           0x12345678

Privileges:     SeSecurityPrivilege
                SeTakeOwnershipPrivilege
                SeLoadDriverPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
                SeSystemEnvironmentPrivilege
                SeImpersonatePrivilege

Structure:

XML-based binary format with structured EventData fields

Paths by Platform

Windows: %SystemRoot%\System32\winevt\Logs\Security.evtx (Security channel). Linux/macOS: N/A; the event only exists on Windows hosts and reaches other platforms through Windows Event Forwarding or a collection agent.

Available Formats

Windows Event Log Format

Default rendering. Example and structure: see Log Example above.

XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4672</EventID>
    <TimeCreated SystemTime="2026-01-29T10:15:32.123Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1234567890-1234567890-1234567890-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x12345678</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
			SeTakeOwnershipPrivilege
			SeLoadDriverPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeImpersonatePrivilege</Data>
  </EventData>
</Event>

Structure:

Native XML representation of the event

Fields Reference

Field | Type | Description | Example
EventID | integer | Event identifier (always 4672) | 4672
TimeCreated | datetime | Timestamp at which the logon session received the privileges | 2026-01-29T10:15:32.123Z
Computer | string | Host on which the privilege assignment occurred | DC01.corp.local
SubjectUserSid | string | SID of the account that received special privileges | S-1-5-21-1234567890-1234567890-1234567890-500
SubjectUserName | string | Account name that received special privileges | Administrator
SubjectDomainName | string | Domain of the account that received the privileges | CORP
SubjectLogonId | string | Hex logon ID of the session; equals TargetLogonId in the 4624 for the same logon, so use it to correlate the two | 0x12345678
PrivilegeList | string | Special privileges assigned to the session, one per line (newline- and tab-separated in the rendered event) | SeSecurityPrivilege\nSeDebugPrivilege

Parsing Patterns

Grok Patterns

xml:

<Data Name="SubjectUserName">%{DATA:subject_username}</Data>[\s\S]*?<Data Name="PrivilegeList">(?<privileges>[^<]+)</Data>

The rendered XML is multi-line and PrivilegeList itself spans several lines, so the gap between the two fields must be allowed to cross newlines ([\s\S]*? rather than .*) and the privilege value must be captured with [^<]+ rather than a dot-based pattern, which stops at the first line break. Split the captured value on whitespace to get one privilege per entry.

Regular Expressions

xml (Python / PCRE named groups):

SubjectUserName">(?P<subject_username>[^<]+)</Data>[\s\S]*?PrivilegeList">(?P<privileges>[^<]+)</Data>

Collector Configurations

Splunk (SPL)

# Special privilege logons, excluding the built-in service accounts
# (LocalSystem, Local Service, Network Service) that generate most 4672 volume.
# Filtering on the SID is more robust than on the localized account name.
index=wineventlog EventCode=4672 NOT SubjectUserSid IN ("S-1-5-18", "S-1-5-19", "S-1-5-20")
| stats count by SubjectUserName, SubjectDomainName, Computer
| sort -count

# Logons granted SeDebugPrivilege
index=wineventlog EventCode=4672 PrivilegeList="*SeDebugPrivilege*"
| stats count by SubjectUserName, Computer

# Correlate with 4624 on the logon ID to recover the source IP and logon type.
# 4672 carries no network fields; the 4624's TargetLogonId equals the 4672's
# SubjectLogonId. join is bounded by the subsearch result limit, so for large
# volumes build the lookup with stats instead.
index=wineventlog EventCode=4672
| join type=left SubjectLogonId [search index=wineventlog EventCode=4624 | rename TargetLogonId as SubjectLogonId | fields SubjectLogonId, IpAddress, LogonType]
| table _time, SubjectUserName, Computer, IpAddress, LogonType, PrivilegeList
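The parsing pattern above and the 4624 correlation in the Splunk search do the same two jobs: pull the Subject fields and the multi-line PrivilegeList out of the rendered XML, then tie the 4672 back to the logon that produced it. The following is an added example, not code from the original page: it parses constructed 4624 and 4672 records, drops the service-account SIDs that make up most 4672 volume, flags a set of privileges an analyst typically cares about (HIGH_RISK_PRIVS is this example's own selection, not a Windows definition), and joins each remaining 4672 to the 4624 with the same host and logon ID. The helper `_event` and the SAMPLE_EVENTS it builds are constructed for this example.

```python
"""Parse and correlate 4672/4624 records rendered as Windows event XML.

Added example (not from the original page). Sample records are constructed;
HIGH_RISK_PRIVS is an analyst's choice, not a Windows definition.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known SIDs for LocalSystem, Local Service and Network Service. These
# receive special privileges at every service logon and dominate 4672 volume.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Privileges commonly abused for credential theft, driver loading and token
# manipulation (this example's selection).
HIGH_RISK_PRIVS = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
}

ADMIN_PRIVS = ("SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
               "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege",
               "SeSystemEnvironmentPrivilege", "SeImpersonatePrivilege")


def _event(event_id, computer, data):
    """Build a constructed sample record in the rendered Windows event XML shape."""
    fields = "\n".join('    <Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s">\n  <System><EventID>%d</EventID><Computer>%s</Computer>'
            '</System>\n  <EventData>\n%s\n  </EventData>\n</Event>'
            % (NS["e"], event_id, computer, fields))


# Constructed sample telemetry: an RDP logon (type 10) for CORP\Administrator,
# the matching 4672 for the same logon ID, and the 4672 LocalSystem produces
# for its own session (logon ID 0x3e7).
SAMPLE_EVENTS = [
    _event(4624, "DC01.corp.local", {
        "TargetUserSid": "S-1-5-21-1234567890-1234567890-1234567890-500",
        "TargetUserName": "Administrator", "TargetDomainName": "CORP",
        "TargetLogonId": "0x12345678", "LogonType": "10", "IpAddress": "10.10.1.25"}),
    _event(4672, "DC01.corp.local", {
        "SubjectUserSid": "S-1-5-21-1234567890-1234567890-1234567890-500",
        "SubjectUserName": "Administrator", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x12345678",
        # Windows renders PrivilegeList newline/tab separated
        "PrivilegeList": "\n\t\t\t".join(ADMIN_PRIVS)}),
    _event(4672, "DC01.corp.local", {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
        "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7",
        "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeDebugPrivilege"}),
]


def parse_event(xml_text):
    """Flatten one rendered event into a dict; 4672 gets a Privileges list."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[data.get("Name")] = (data.text or "").strip()
    if rec["EventID"] == 4672:
        # str.split() with no argument splits on any run of whitespace, which
        # handles the newline+tab separators and drops empty entries.
        rec["Privileges"] = rec.get("PrivilegeList", "").split()
    return rec


def correlate(events):
    """One row per 4672 from a non-service account, enriched from the 4624 whose
    TargetLogonId matches the 4672's SubjectLogonId on the same host.

    Logon IDs are only unique per host per boot, so the key includes Computer.
    Hex IDs are compared case-insensitively. A 4672 with no matching 4624 is
    kept with None for the network fields rather than silently dropped.
    """
    logons = {(e["Computer"], e["TargetLogonId"].lower()): e
              for e in events if e["EventID"] == 4624}
    rows = []
    for e in events:
        if e["EventID"] != 4672 or e["SubjectUserSid"] in SERVICE_SIDS:
            continue
        logon = logons.get((e["Computer"], e["SubjectLogonId"].lower()), {})
        rows.append({
            "User": e["SubjectDomainName"] + "\\" + e["SubjectUserName"],
            "Computer": e["Computer"],
            "LogonId": e["SubjectLogonId"],
            "LogonType": logon.get("LogonType"),
            "IpAddress": logon.get("IpAddress"),
            "HighRisk": sorted(HIGH_RISK_PRIVS & set(e["Privileges"])),
        })
    return rows


if __name__ == "__main__":
    for row in correlate([parse_event(x) for x in SAMPLE_EVENTS]):
        print(row)
```

Keying the correlation on (Computer, LogonId) rather than LogonId alone matters once events from many hosts land in one index: the same hex logon ID recurs on different machines and after every reboot, so a host-agnostic join attributes source addresses to the wrong session.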

Configuration

Enable Logging

Special Logon auditing (Advanced Audit Policy Configuration > Logon/Logoff > Audit Special Logon) is enabled for Success by default on current Windows versions. To enable or re-assert it locally:

auditpol /set /subcategory:"Special Logon" /success:enable

On domain-joined hosts, set it through Group Policy instead, since policy-applied audit settings take precedence over local auditpol changes. Only the Success setting is meaningful here; 4672 has no failure variant.

Log To Syslog

Forward via WEF

Include the Security channel in the event subscription. If the subscription filters by event ID, select 4624 alongside 4672 so the Logon ID correlation remains possible on the collector.

Use Cases

Admin activity tracking: monitor which accounts log on with administrative privileges and on which hosts. Key fields: SubjectUserName, Computer, PrivilegeList.

Privilege escalation and lateral movement: a 4672 carrying SeDebugPrivilege or SeLoadDriverPrivilege for an account that does not normally hold them, or on a host it does not normally log on to, is worth correlating with the matching 4624 (same Logon ID) to obtain the source address and logon type. Key fields: SubjectLogonId, PrivilegeList.

Troubleshooting

No source IP in the event: 4672 carries no network fields. Take the Subject Logon ID and look up the 4624 with the same Target Logon ID on the same host.

High volume from SYSTEM and service accounts: LocalSystem (S-1-5-18), Local Service (S-1-5-19) and Network Service (S-1-5-20) receive special privileges at every service logon. Filter on SubjectUserSid rather than on the account name, which is localized.

Tested On

Windows Server 2022 (admin, 2026-01-29)
Last updated: 2026-01-29 by admin
