Windows 10: Are Special Logons Suspicious? Event id: 4672

Discus and support Are Special Logons Suspicious? Event id: 4672 in AntiVirus, Firewalls and System Security to solve the problem; Hello, I've noticed multiple different "special logon" events event id: 4672 wherein some of the events have different privileges than others. Is this... Discussion in 'AntiVirus, Firewalls and System Security' started by Minepocket, Sep 10, 2022.

  1. MINEPOCKET
    Minepocket Win User

    Are Special Logons Suspicious? Event id: 4672


    Hello, I've noticed multiple different "special logon" events event id: 4672 wherein some of the events have different privileges than others. Is this normal? some of the privileges were:SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeAuditPrivilegeThe event often looks like this:Special privileges assigned to new logon.Subject:Security ID: SYSTEMAccount Name: SY

    :)
     
    Minepocket, Sep 10, 2022
    #1
  2. AMIT_SUN
    Amit_Sun Win User

    Events 4672 & 4624 Win 10 Freezes - special LOGON ?

    Hi,

    Thank you for writing to Microsoft Community Forums.

    1. Are you on a domain network?
    2. May I know the make and the model number of your system?

    The event logs you have provided seems to be the security logs that is generated when you login to your system. For more information on the event that was generated, you can check
    4672(S): Special privileges assigned to new logon.

    The Windows error logs will be located at Event Viewer > Windows Logs > System.

    Please follow the step below and check if it works for you.

    Step: Improve Windows 10 Performance.

    Try some of the following suggestions to help
    make your Windows 10 PC run better    . The steps are listed in order, so start with the first one, see if that fixes the problem, and then continue to the next one if it doesn’t.

    Note: The last step on the article contains Windows Reset, I suggest you not to perform Windows reset, as there is a change your data and applications will be wiped and also
    the OS will reverted back to previous version you upgraded from.

    If the issue still persists, please reply to this post with more information so that we can identify the root cause of this issue and assist you further.

    Hope it helps.

    Amit Sunar

    Microsoft Community – Moderator
     
    Amit_Sun, Sep 10, 2022
    #2
  3. ERFNGEL1
    Erfngel1 Win User
    Event 4672, Special Logon

    Why would this event be shown in my logs. No one else has had access or been given access to my pc.

    I will attach the event records:

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 12/3/2019 3:55:00 AM

    Event ID: 4672

    Task Category: Special Logon

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer:

    Description:

    Special privileges assigned to new logon.

    Subject:

    Security ID: SYSTEM

    Account Name: SYSTEM

    Account Domain: NT AUTHORITY

    Logon ID: 0x3E7

    Privileges: SeAssignPrimaryTokenPrivilege

    SeTcbPrivilege

    SeSecurityPrivilege

    SeTakeOwnershipPrivilege

    SeLoadDriverPrivilege

    SeBackupPrivilege

    SeRestorePrivilege

    SeDebugPrivilege

    SeAuditPrivilege

    SeSystemEnvironmentPrivilege

    SeImpersonatePrivilege

    SeDelegateSessionUserImpersonatePrivilege

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

    <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />

    <EventID>4672</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>12548</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8020000000000000</Keywords>

    <TimeCreated SystemTime="2019-12-03T11:55:00.280502200Z" />

    <EventRecordID>8680324</EventRecordID>

    <Correlation ActivityID="{1b47e864-a4f5-0005-76e8-471bf5a4d501}" />

    <Execution ProcessID="884" ThreadID="23764" />

    <Channel>Security</Channel>

    <Computer></Computer>

    <Security />

    </System>

    <EventData>

    <Data Name="SubjectUserSid">S-1-5-18</Data>

    <Data Name="SubjectUserName">SYSTEM</Data>

    <Data Name="SubjectDomainName">NT AUTHORITY</Data>

    <Data Name="SubjectLogonId">0x3e7</Data>

    <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege

    SeTcbPrivilege

    SeSecurityPrivilege

    SeTakeOwnershipPrivilege

    SeLoadDriverPrivilege

    SeBackupPrivilege

    SeRestorePrivilege

    SeDebugPrivilege

    SeAuditPrivilege

    SeSystemEnvironmentPrivilege

    SeImpersonatePrivilege

    SeDelegateSessionUserImpersonatePrivilege</Data>

    </EventData>

    </Event>
     
    Erfngel1, Sep 10, 2022
    #3
  4. IGOR LEYKO
    Igor Leyko Win User

    Are Special Logons Suspicious? Event id: 4672

    Event 4672, Special Logon

    Hi Erfngel,

    see description at
    https://docs.microsoft.com/en-us/windows/securi...

    Quotation: You typically will see many of these events in the event log, because every logon of SYSTEM (Local System) account triggers this event.
     
    Igor Leyko, Sep 10, 2022
    #4
Thema:

Are Special Logons Suspicious? Event id: 4672

Loading...

  1. Are Special Logons Suspicious? Event id: 4672 - Similar Threads - Are Special Logons

  2. Is there anything other than an actual logon that would generate Event ID 4672 Special Logon?

    in Windows 10 Gaming
    Is there anything other than an actual logon that would generate Event ID 4672 Special Logon?: I had a suspicion that someone else in the house may be logging on to my computer while I am away. This evening, I locked my computer and left the house for about 4 hours. When I got back, I checked Event Viewer and saw several 4672 Event IDs indicating a special logon....

  3. Is there anything other than an actual logon that would generate Event ID 4672 Special Logon?

    in Windows 10 Software and Apps
    Is there anything other than an actual logon that would generate Event ID 4672 Special Logon?: I had a suspicion that someone else in the house may be logging on to my computer while I am away. This evening, I locked my computer and left the house for about 4 hours. When I got back, I checked Event Viewer and saw several 4672 Event IDs indicating a special logon....

  4. Security Auditing ID: 4624/4672 Special Logon and Logon

    in Windows 10 Gaming
    Security Auditing ID: 4624/4672 Special Logon and Logon: Hello, Im constantly getting this audit success every 5-10 minutes. I need help on what this is, and how can I fix it, because it freezes my computer like hardlock and goes back to normal. Here is both events Views. First is Special Logon and Second is LogonSPECIAL...

  5. Security Auditing ID: 4624/4672 Special Logon and Logon

    in Windows 10 Software and Apps
    Security Auditing ID: 4624/4672 Special Logon and Logon: Hello, Im constantly getting this audit success every 5-10 minutes. I need help on what this is, and how can I fix it, because it freezes my computer like hardlock and goes back to normal. Here is both events Views. First is Special Logon and Second is LogonSPECIAL...

  6. Are Special Logons Suspicious? Event id: 4672

    in Windows 10 Gaming
    Are Special Logons Suspicious? Event id: 4672: Hello, I've noticed multiple different "special logon" events event id: 4672 wherein some of the events have different privileges than others. Is this normal? some of the privileges were:SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege,...

  7. Are Special Logons Suspicious? Event id: 4672

    in Windows 10 Software and Apps
    Are Special Logons Suspicious? Event id: 4672: Hello, I've noticed multiple different "special logon" events event id: 4672 wherein some of the events have different privileges than others. Is this normal? some of the privileges were:SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege,...

  8. Log Name: Security Source: 4672 Task Category: Special Logon Level:...

    in Windows 10 Gaming
    Log Name: Security Source: 4672 Task Category: Special Logon Level:...: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2/26/2022 6:55:41 PM Event ID: 4672 Task Category: Special Logon Level: Information Keywords: Audit Success User: N/A Computer: Description: Special privileges assigned to new logon. Subject: Security ID:...

  9. Event 4672, Special Logon

    in AntiVirus, Firewalls and System Security
    Event 4672, Special Logon: Why would this event be shown in my logs. No one else has had access or been given access to my pc. I will attach the event records: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 12/3/2019 3:55:00 AM Event ID: 4672...

  10. Events 4672 & 4624 Win 10 Freezes - special LOGON ?

    in AntiVirus, Firewalls and System Security
    Events 4672 & 4624 Win 10 Freezes - special LOGON ?: My window 10 machine continues to freeze for 5-30 seconds intermittently. [ATTACH] I am running with an boot drive on an M2 SSD, which seems to be a common thread of most people having this issue. I have already done the SFC scan, and the reset/validation of all...