Folder Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Privilege Use
Privilege Use
Events in this category track each instance of a user exercising a user right.
Privilege refers to the user rights you find in the Local Security Policy under Security Settings\Local Policies\User Right Assignment.

By default audits are not generated for use of the following user rights, even if success audits or failure audits are specified for "Audit privilege use":
  • Bypass traverse checking
  • Debug programs
  • Create a token object
  • Replace process level token
  • Generate security audits
  • Back up files and directories
  • Restore files and directories

This category generates a lot of noise and it is recommended to disable auditing for these events. The problem is that there is no clear information about which user operations are actually controlled by each privilege.

Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Windows 2003
Category Privilege Use
Source Security
Field Matching
FieldDescriptionSample Value
DateTime Date/Time of event origination in GMT format. 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Security
Type Warning, Information, Error, Success, Failure, etc. Success
User Domain\Account name of user/service/computer initiating event. RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. DC1
EventID Numerical ID of event. Unique within one Event Source. 576
Description The entire unparsed event message. Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) Security
Category A name for a subclass of events within the same Event Source. Logon/Logoff
Privileges The list of assigned privileges SeSecurityPrivilege