Privilege Use Events

Changes to a user s privileges or attempts to use privileges in an unauthorized manner might require investigation. These events help support these queries.

576 Specified privileges were added to a user s token.

Parameters: Special privileges assigned to the new user (SeChangeNotifyPrivilege, SeAuditPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege), user name, domain, logon ID, privileges.

Configurable Information: Success

Formal name: SE_AUDITID_ ASSIGN_SPECIAL_PRIV

This event message is generated when the user logs on.

577 A user attempted to perform a privileged system service operation.

Parameters: Privileged service called, server, service, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_ PRIVILEGED_SERVICE

Callers of PrivilegedServiceAuditAlarm generate this event.

578 Privileges were used on an already open handle to a protected object.

Parameters: Privileged object operation, object server, object handle, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.

^{Configurable Information: Success}

Formal name: SE_AUDITID_PRIVILEGED_OBJECT