Should this Event concern me?
There is no need to be alarmed by this. This event is logged anytime there is a logon on your system that has administrative rights, and those rights are listed in the Privileges: SeAssignPrimaryTokenPrivilege section of the above pasted entry. This particular instance could be any number of services or system tasks that are on your system. By default, Windows has services running in the background that handle system tasks, and as such you will note many more security log entries than can be associated to a particular user action.
As always, it is a good idea to have an up-to-date antivirus solution on your system to ensure that you are fully protected.
Hope that explains what you are seeing.
A+, Net+, Sec+, MCP, MCTS, VCP4
July 20th, 2011 10:10pm
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 19/07/2011 09:05:36
Event ID: 4672
Task Category: Special Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: JIM-HOME
Description:
Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-07-19T08:05:36.774293800Z" />
<EventRecordID>68234</EventRecordID>
<Correlation />
<Execution ProcessID="868" ThreadID="924" />
<Channel>Security</Channel>
<Computer>JIM-HOME</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege</Data>
</EventData>
</Event>
July 21st, 2011 5:19am
Thanks Brian, what raised my concern was the entry "SeImpersonatePrivilege</Data>". You would think that this, whatever its function, might have been better identified.
I've become over-sensitive to such things, having had the, rather unnerving, experience of watching an unidentified programme send unidentified data to an unidentified destination on the Internet and, furthermore, prevent me shutting the PC down in the normal fashion while it was so doing. The only method of stopping it was to power off! Not a good situation.
I have a notion that the culprit was Acronis True Image Home 2011, since this behaviour only started after I installed this on the PC and had to allow their support operatives to take control of the PC to 'fix' backup problems I was experiencing. I have removed this programme from the system now, not, I have to add, without serious problems in doing so. I eventually had to resort to the, in my opinion, excellent, REVO Uninstaller programme. I have not experienced any further unexplained excursions of that sort since so doing.
Anyway, enough of the complaints! Thank you very much for your help.
Cheers,
July 24th, 2011 6:15am
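Added example (not part of the original thread and not any poster's code): the Python below parses the Event Xml of a 4672 record like the one posted above, maps each privilege constant to the display name shown in Local Security Policy, and reports whether the subject is one of the built-in service accounts. SAMPLE is a constructed, trimmed copy of the posted event; the function name triage_4672 and the needs_review rule (any subject other than the three built-in service SIDs) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Built-in service accounts: a 4672 for these is routine background activity.
SERVICE_SIDS = {"S-1-5-18": "Local System", "S-1-5-19": "Local Service",
                "S-1-5-20": "Network Service"}
# Display names of the user rights as shown in Local Security Policy.
PRIVILEGE_NAMES = {
    "SeAssignPrimaryTokenPrivilege": "Replace a process-level token",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeDebugPrivilege": "Debug programs",
    "SeAuditPrivilege": "Generate security audits",
    "SeSystemEnvironmentPrivilege": "Modify firmware environment values",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
}
# Constructed sample: a trimmed copy of the event posted in the thread.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4672</EventID><Computer>JIM-HOME</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">%s</Data>
</EventData></Event>""" % "\n\t\t\t".join(PRIVILEGE_NAMES)

def triage_4672(xml_text):
    """Summarise a 'Special privileges assigned to new logon' event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4672":
        raise ValueError("not a 4672 event")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    sid = data.get("SubjectUserSid", "")
    return {
        "account": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "logon_id": data.get("SubjectLogonId", ""),
        "builtin_service": SERVICE_SIDS.get(sid),   # None for ordinary accounts
        # PrivilegeList is whitespace-separated (newlines and tabs in real events).
        "privileges": {p: PRIVILEGE_NAMES.get(p, "unrecognised") for p in data.get("PrivilegeList", "").split()},
        "needs_review": sid not in SERVICE_SIDS,    # assumption: illustrative rule only
    }

if __name__ == "__main__":
    print(triage_4672(SAMPLE))
```

For an event where needs_review is set, the Logon ID can be matched against the 4624 logon event with the same Logon ID to see which account logged on and how.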