Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Privilege Use->Sensitive Privilege Use->EventID 4673 - A privileged service was called.
EventID 4673 - A privileged service was called.
Indicates that an attempt has been made by a user to use a privilege to perform a privileged system service.

These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:
Windows 2000, 2003
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/27/2009 9:53:35 PM
Event ID:      4673
Task Category: Sensitive Privilege Use
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
A privileged service was called.
	Security ID:		S-1-5-18
	Account Name:		DCC1$
	Account Domain:		LOGISTICS
	Logon ID:		0x3e7
	Server:	NT Local Security Authority / Authentication Service
	Service Name:	LsaRegisterLogonProcess()
	Process ID:	0x238
	Process Name:	C:\Windows\System32\lsass.exe
Service Request Information:
	Privileges:		SeTcbPrivilege
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Privilege Use
Source Microsoft-Windows-Security-Auditing
TaskCategory Sensitive Privilege Use
EventId 4673
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID -
Account Name -
Account Domain -
Subject: Security ID Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment. InsertionString1 S-1-5-18
Subject: Account Name Name of the account that initiated the action. InsertionString2 DCC1$
Subject: Account Domain Name of the domain that account initiating the action belongs to. InsertionString3 LOGISTICS
Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString4 0x3e7
Service: Server InsertionString5 NT Local Security Authority / Authentication Service
Service: Service Name InsertionString6 LsaRegisterLogonProcess()
Process: Process ID InsertionString8 0x238
Process: Process Name InsertionString9 C:\Windows\System32\lsass.exe
Service Request Information: Privileges InsertionString7 SeTcbPrivilege
You must be logged in to comment