I ran an event viewer for security and wondered what a 4672 special logon is; it happened every time I showed a log in

  • Question

  • I ran an event viewer for security and wondered what a 4672 special logon is. It happened every time I showed a log in..... details below

    Special privileges assigned to new logon.

    Subject:
        Security ID: SYSTEM
        Account Name: SYSTEM
        Account Domain: NT AUTHORITY
        Logon ID: 0x3e7

    Privileges: SeAssignPrimaryTokenPrivilege
                SeTcbPrivilege
                SeSecurityPrivilege
                SeTakeOwnershipPrivilege
                SeLoadDriverPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
                SeAuditPrivilege
                SeSystemEnvironmentPrivilege
                SeImpersonatePrivilege

    - Provider
          [ Name] Microsoft-Windows-Security-Auditing
          [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
      EventID 4672
      Version 0
      Level 0
      Task 12548
      Opcode 0
      Keywords 0x8020000000000000
    - TimeCreated
          [ SystemTime] 2009-03-26T23:56:14.237Z
      EventRecordID 253661
      Correlation
    - Execution
          [ ProcessID] 680
          [ ThreadID] 2780
      Channel Security
      Computer daddys-PC
      Security
    - EventData
        SubjectUserSid S-1-5-18
        SubjectUserName SYSTEM
        SubjectDomainName NT AUTHORITY
        SubjectLogonId 0x3e7
        PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege

    Thursday, April 16, 2009 2:58 AM

Answers

  • Hi,

    Please contact Alicia at learnmgr@microsoft.com to discuss this issue further and provide the course numbers & URLs you are trying to browse.

    She will be happy to put you in touch with the team that supports this issue.

    Thanks,
    Tagore
    Monday, April 20, 2009 10:24 AM

All replies

  • Hello,

    I too used the event viewer after my desktop went black (Taskbar still in view). I rebooted and went to Event Properties on my Vista PC. Is the advice still current as stated in the post above?

    Below are the event details I received.

    Thanks for any help you can give me.

    --Colleen

    GENERAL:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/12/2010 8:30:00 AM
    Event ID:      4672
    Task Category: Special Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      Office-PC
    Description:
    Special privileges assigned to new logon.

    Subject:
        Security ID:        SYSTEM
        Account Name:        SYSTEM
        Account Domain:        NT AUTHORITY
        Logon ID:        0x3e7

    Privileges:        SeAssignPrimaryTokenPrivilege
                SeTcbPrivilege
                SeSecurityPrivilege
                SeTakeOwnershipPrivilege
                SeLoadDriverPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
                SeAuditPrivilege
                SeSystemEnvironmentPrivilege
                SeImpersonatePrivilege
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4672</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12548</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2010-07-12T13:30:00.899Z" />
        <EventRecordID>4739</EventRecordID>
        <Correlation />
        <Execution ProcessID="688" ThreadID="5544" />
        <Channel>Security</Channel>
        <Computer>Office-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">SYSTEM</Data>
        <Data Name="SubjectDomainName">NT AUTHORITY</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
                SeTcbPrivilege
                SeSecurityPrivilege
                SeTakeOwnershipPrivilege
                SeLoadDriverPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
                SeAuditPrivilege
                SeSystemEnvironmentPrivilege
                SeImpersonatePrivilege</Data>
      </EventData>
    </Event>

     

     

    DETAILS:

     


    + System
    - Provider
          [ Name ] Microsoft-Windows-Security-Auditing
          [ Guid ] {54849625-5478-4994-a5ba-3e3b0328c30d}
      EventID 4672
      Version 0
      Level 0
      Task 12548
      Opcode 0
      Keywords 0x8020000000000000
    - TimeCreated
          [ SystemTime ] 2010-07-12T13:30:00.899Z
      EventRecordID 4739
      Correlation
    - Execution
          [ ProcessID ] 688
          [ ThreadID ] 5544
      Channel Security
      Computer Office-PC
      Security
    - EventData
        SubjectUserSid S-1-5-18
        SubjectUserName SYSTEM
        SubjectDomainName NT AUTHORITY
        SubjectLogonId 0x3e7
        PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege

     

     

     

    Tuesday, July 13, 2010 12:51 AM
  • Tuesday, July 13, 2010 9:39 AM