Should this Event concern me?
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          19/07/2011 09:05:36
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      JIM-HOME
Description:
Special privileges assigned to new logon.

Subject:
    Security ID:    SYSTEM
    Account Name:   SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID:       0x3e7

Privileges:
    SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-19T08:05:36.774293800Z" />
    <EventRecordID>68234</EventRecordID>
    <Correlation />
    <Execution ProcessID="868" ThreadID="924" />
    <Channel>Security</Channel>
    <Computer>JIM-HOME</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege</Data>
  </EventData>
</Event>
July 19th, 2011 12:28pm

There is no need to be alarmed by this. This event is logged anytime there is a logon on your system that has administrative rights, and those rights are listed in the Privileges: SeAssignPrimaryTokenPrivilege section of the above pasted entry. This particular instance could be any number of services or system tasks that are on your system. By default, Windows has services running in the background that handle system tasks, and as such you will note many more security log entries than can be associated to a particular user action. As always, it is a good idea to have an up-to-date antivirus solution on your system to ensure that you are fully protected. Hope that explains what you are seeing.
A+, Net+, Sec+, MCP, MCTS, VCP4
July 20th, 2011 5:18am
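
One way to triage the event discussed above, as an added example that is not part of the original thread: it parses the Event XML and checks whether the subject SID is one of the built-in Windows service accounts. The function names, verdict labels, triage rule and the second sample event are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known SIDs of the built-in Windows service accounts.
SERVICE_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
                "S-1-5-20": "NetworkService"}

def triage_4672(event_xml):
    """Parse one 4672 event; report who got the privileges and whether to look closer."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4672":
        raise ValueError("not a 4672 event: %r" % event_id)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    sid = data.get("SubjectUserSid", "")
    return {
        "account": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "sid": sid,
        "logon_id": int(data.get("SubjectLogonId", "0x0"), 16),
        "privileges": data.get("PrivilegeList", "").split(),
        # Assumed rule: built-in service accounts are routine; anything else
        # should be matched to an administrator account you recognise.
        "verdict": "routine-service-logon" if sid in SERVICE_SIDS else "review",
    }

def sample_event(sid, user, domain, logon_id, privileges):
    """Build a minimal 4672 event holding only the fields triage_4672 reads."""
    fields = {"SubjectUserSid": sid, "SubjectUserName": user,
              "SubjectDomainName": domain, "SubjectLogonId": logon_id,
              "PrivilegeList": privileges}
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>4672</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], body))

# Field values copied from the event in the question.
PAGE_EVENT = sample_event("S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3e7",
    "SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege "
    "SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege "
    "SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege "
    "SeSystemEnvironmentPrivilege SeImpersonatePrivilege")
# Constructed contrast case: a local user account (SID and names are made up).
USER_EVENT = sample_event("S-1-5-21-1111111111-2222222222-3333333333-1001",
    "exampleadmin", "EXAMPLE-PC", "0x5a1b2",
    "SeSecurityPrivilege SeBackupPrivilege SeDebugPrivilege SeImpersonatePrivilege")

if __name__ == "__main__":
    for ev in (PAGE_EVENT, USER_EVENT):
        r = triage_4672(ev)
        print(r["verdict"], r["account"], hex(r["logon_id"]), len(r["privileges"]))
```
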

Thanks Brian, what raised my concern was the entry "SeImpersonatePrivilege</Data>". You would think that this, whatever its function, might have been better identified. I've become over-sensitive to such things, having had the rather unnerving experience of watching an unidentified programme send unidentified data to an unidentified destination on the Internet and, furthermore, prevent me shutting the PC down in the normal fashion while it was so doing. The only method of stopping it was to power off! Not a good situation. I have a notion that the culprit was Acronis True Image Home 2011, since this behaviour only started after I installed this on the PC and had to allow their support operatives to take control of the PC to 'fix' backup problems I was experiencing. I have removed this programme from the system now; not, I have to add, without serious problems in doing so. I eventually had to resort to the, in my opinion, excellent REVO Uninstaller programme. I have not experienced any further unexplained excursions of that sort since so doing. Anyway, enough of the complaints! Thank you very much for your help. Cheers,
July 21st, 2011 1:19pm

This topic is archived. No further replies will be accepted.
