Windows 7 / Security and Privacy

How to Configure Auditing for Privilege Elevation

You can enable auditing for privilege elevation so that every time a user provides administrator credentials or an administrator clicks Continue at a UAC prompt, an event is added to the Security Event Log. To enable privilege elevation auditing, enable success auditing for both the Audit Process Tracking and Audit Privilege Use settings in the Local Policies\Audit Policy node of Group Policy. Note that you should enable auditing only when testing applications or troubleshooting problems; enabling these types of auditing can generate an excessive number of events and negatively affect computer performance.

To enable auditing on a single computer, use the Local Security Policy console. To enable auditing on multiple computers within a domain, use Group Policy settings. In Group Policy, auditing settings are located within Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node. After changing auditing settings, you must restart the computer for the change to take effect.

After enabling Audit Privilege Use, you can monitor Event IDs 4648 and 4624 in the Security Event Log to determine when users elevate privileges using the UAC consent dialog box. Event ID 4648 will always precede 4624 and will have a process name that includes Consent. exe, the UAC consent dialog box. These events will not appear if a user cancels the UAC consent dialog box. Events with Event ID 4673 will appear if the user cancels a consent dialog box; however, that same event will appear under different circumstances as well.

After enabling Audit Process Tracking, you can monitor Event ID 4688 to determine when administrators make use of Admin Approval Mode to provide full administrator privileges to processes. The description for this event includes several useful pieces of information:

  • Security ID The user name and domain of the current user.
  • New Process Name The path to the executable file being run. For more information about the new process, look for an event occurring at the same time as Event ID 4696.
  • Token Elevation Type A number from 1 to 3 indicating the type of elevation being requested:
    • Type 1 (TokenElevationTypeDefault) is used only if UAC is disabled or if the user is the built-in Administrator account or a service account. This type does not generate a UAC prompt.
    • Type 2 (TokenElevationTypeFull) is used when the application requires (and is granted) elevated privileges. This is the only type that generates a UAC prompt. This type can also be generated if a user starts an application using RunAs, or if a previously elevated process creates a new process.
    • Type 3 (TokenElevationTypeLimited) is used when the application runs using standard privileges. This type does not require a UAC prompt.

Note that many events with Event ID 4688 won't be applications started by the user. Most of these events are generated by background processes and services that require no interaction with the user. To find the most interesting events, filter the Security Event Log using Event ID 4688. Then, use the Find tool to search for the phrase "TokenElevationTypeFull."

[Previous] [Contents] [Next]

In this tutorial:

  1. Windows 7 Client Protection
  2. Understanding the Risk of Malware
  3. User Account Control in Windows 7
  4. UAC for Standard Users
  5. UAC for Administrators
  6. UAC User Interface
  7. Secure Desktop
  8. How Windows Determines Whether an Application Needs Administrative Privileges
  9. How to Control UAC Using Application Properties
  10. How UAC Examines the Application Manifest
  11. UAC Heuristics
  12. UAC Virtualization
  13. UAC and Startup Programs
  14. Compatibility Problems with UAC
  15. How to Configure UAC
  16. Group Policy Settings
  17. Control Panel
  18. Msconfig.exe
  19. How to Configure Auditing for Privilege Elevation
  20. Other UAC Event Logs
  21. Best Practices for Using UAC
  22. AppLocker
  23. AppLocker Rule Types
  24. Auditing AppLocker Rules
  25. DLL Rules
  26. Custom Error Messages
  27. Using AppLocker with Windows PowerShell
  28. Using Windows 7 Defender
  29. Understanding Windows Defender
  30. Automatic Scanning
  31. Real-Time Protection
  32. Windows Defender Alert Levels
  33. Understanding Microsoft SpyNet
  34. Configuring Windows Defender Group Policy
  35. Configuring Windows Defender on a Single Computer
  36. How to Determine Whether a Computer Is Infected with Spyware
  37. Best Practices for Using Windows Defender
  38. How to Troubleshoot Problems with Unwanted Software
  39. Network Access Protection
  40. Forefront