Event-o-Pedia EventID 4799 - A security-enabled local group membership was enumerated.

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4799 - A security-enabled local group membership was enumerated.

EventID 4799 - A security-enabled local group membership was enumerated.

Windows logs this event when a process enumerates the members of the specified local group on that computer.

Find more information about this event on ultimatewindowssecurity.com.

Sample:

A security-enabled local group membership was enumerated.

Subject:
	Security ID:		SYSTEM
	Account Name:		IIZHU2016$
	Account Domain:		ITSS
	Logon ID:		0x3E7

Group:
	Security ID:		BUILTIN\Administrators
	Group Name:		Administrators
	Group Domain:		Builtin

Process Information:
	Process ID:		0x4c8
	Process Name:		C:\Windows\System32\svchost.exe

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Account Management
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Security Group Management
EventId	4799

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Task Category	A name for a subclass of events within the same Event Source.	TaskCategory
Level	Warning, Information, Error, etc.	Level
Keywords	Audit Success, Audit Failure, Classic, Connection etc.	Keywords
Category	A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version.	Category	Account Logon
Object Name		-
Whom		-
Object Type		-
Class Name		-
Security ID		-
Account Name		-
Account Domain		-
Subject: Account Name	Name of the account that initiated the action.	InsertionString5	ALebovsky
Subject: Account Domain	Name of the domain that account initiating the action belongs to.	InsertionString6	LOGISTICS
Subject: Logon ID	A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session.	InsertionString7	0x2a88a
Subject: Security ID	Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment.	InsertionString4	S-1-5-21-1135140816-2109348461-2107143693-500
Additional Information: Privileges	Likely always equal to "-". Probably reserved to indicate privileges used by Subject while performing the management action or the privileges assigned to the managed group.	InsertionString8	-
Group: Security ID		InsertionString3	S-1-5-21-1135140816-2109348461-2107143693-1156
Group: Group Name		InsertionString1	Employees_
Group: Group Domain		InsertionString2	LOGISTICS
Process Information: Process ID		InsertionString8
Process Information: Process Name		InsertionString9