Question
Wednesday, March 29, 2017 10:45 AM
In a nutshell: I need to turn on Audit process tracking (Success, Failure). After I turned it on, in Event Viewer (Security) a bunch of events appeared with event ID 4703. Based on (https://technet.microsoft.com/en-us/itpro/windows/keep-secure/basic-audit-process-tracking), event ID 4703 should not be logged when I turn on process tracking audit.
In Windows 7 there is no such problem: no event with ID 4703, because it should not be generated.
Is this a bug?
Example of event:
```
A token right was adjusted.

Subject:
    Security ID:     SYSTEM
    Account Name:    XXXXXX$
    Account Domain:  XXX
    Logon ID:        0x3E7

Target Account:
    Security ID:     SYSTEM
    Account Name:    XXXXXXX$
    Account Domain:  XXX
    Logon ID:        0x3E7

Process Information:
    Process ID:      0x18ec
    Process Name:    C:\Program Files (x86)\xxxx-xxxx\xxxx-xxxxx.exe

Enabled Privileges:
Disabled Privileges:
    SeSecurityPrivilege
```
All replies (3)
Thursday, March 30, 2017 8:28 AM ✅ Answered
Hi,
As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
4703(S): A user right was adjusted.
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4703
Best regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
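An added example, not part of the original thread or of the reply above: before disabling Success auditing as the answer suggests, it helps to see which processes and privileges account for the 4703 volume. The function names and the constructed sample event are hypothetical, and the `EventData` field names (`ProcessName`, `SubjectUserName`, `EnabledPrivilegeList`, `DisabledPrivilegeList`) are assumed from the standard 4703 event XML.

```powershell
# Constructed sample event (placeholder values), shaped like the output of
# Get-WinEvent ... | ForEach-Object { $_.ToXml() } for event 4703.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4703</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">HOST01$</Data>
    <Data Name="ProcessName">C:\Program Files (x86)\example\agent.exe</Data>
    <Data Name="ProcessId">0x18ec</Data>
    <Data Name="EnabledPrivilegeList">-</Data>
    <Data Name="DisabledPrivilegeList">SeSecurityPrivilege</Data>
  </EventData>
</Event>
'@

function ConvertFrom-Event4703 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        # Flatten the <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$Xml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Process  = $data['ProcessName']
            Account  = $data['SubjectUserName']
            # Privilege lists can span several lines; collapse the whitespace.
            Enabled  = ($data['EnabledPrivilegeList']  -replace '\s+', ' ').Trim()
            Disabled = ($data['DisabledPrivilegeList'] -replace '\s+', ' ').Trim()
        }
    }
}

function Get-Event4703Summary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    # Count events per (process, enabled privileges, disabled privileges).
    $EventXml | ConvertFrom-Event4703 |
        Group-Object Process, Enabled, Disabled |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Offline run on the constructed sample (two copies of the same event).
Get-Event4703Summary -EventXml @($sampleXml, $sampleXml)

# On a live host (elevated prompt), feed real events instead:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703 } -MaxEvents 5000 |
#        ForEach-Object { $_.ToXml() }
# Get-Event4703Summary -EventXml $xml
```

If the summary shows the volume is dominated by a known management agent, the current setting for the subcategory named in the answer can be checked with `auditpol /get /subcategory:"Authorization Policy Change"` before changing Success auditing.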
Thursday, March 30, 2017 10:37 AM
Thank you! Great explanation, helps
Thursday, March 30, 2017 10:53 AM
Thank you one more time. Analyzing Adv Audit Policy Configuration, I found out that under "Detailed Tracking" there is Audit Policy Creation available, and if I enable process control there, event **4703 is not generated**.