Windows 7 / Security and Privacy

How to Configure Auditing for Privilege Elevation

You can enable auditing for privilege elevation so that every time a user provides administrator credentials or an administrator clicks Continue at a UAC prompt, an event is added to the Security Event Log. To enable privilege elevation auditing, enable success auditing for both the Audit Process Tracking and Audit Privilege Use settings in the Local Policies\Audit Policy node of Group Policy. Note that you should enable auditing only when testing applications or troubleshooting problems; enabling these types of auditing can generate an excessive number of events and negatively affect computer performance.

To enable auditing on a single computer, use the Local Security Policy console. To enable auditing on multiple computers within a domain, use Group Policy settings. In Group Policy, auditing settings are located within Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node. After changing auditing settings, you must restart the computer for the change to take effect.

After enabling Audit Privilege Use, you can monitor Event IDs 4648 and 4624 in the Security Event Log to determine when users elevate privileges using the UAC consent dialog box. Event ID 4648 will always precede 4624 and will have a process name that includes Consent.exe, the UAC consent dialog box. These events will not appear if a user cancels the UAC consent dialog box. Events with Event ID 4673 will appear if the user cancels a consent dialog box; however, that same event also appears under other circumstances, so it is not by itself a reliable indicator of a cancelled prompt.

After enabling Audit Process Tracking, you can monitor Event ID 4688 to determine when administrators make use of Admin Approval Mode to provide full administrator privileges to processes. The description for this event includes several useful pieces of information:

  • Security ID: The user name and domain of the current user.
  • New Process Name: The path to the executable file being run. For more information about the new process, look for an event occurring at the same time as Event ID 4696.
  • Token Elevation Type: A number from 1 to 3 indicating the type of elevation being requested:
    • Type 1 (TokenElevationTypeDefault) is used only if UAC is disabled or if the user is the built-in Administrator account or a service account. This type does not generate a UAC prompt.
    • Type 2 (TokenElevationTypeFull) is used when the application requires (and is granted) elevated privileges. This is the only type that generates a UAC prompt. This type can also be generated if a user starts an application using RunAs, or if a previously elevated process creates a new process.
    • Type 3 (TokenElevationTypeLimited) is used when the application runs using standard privileges. This type does not require a UAC prompt.

Note that many events with Event ID 4688 won't be applications started by the user. Most of these events are generated by background processes and services that require no interaction with the user. To find the most interesting events, filter the Security Event Log using Event ID 4688. Then, use the Find tool to search for the phrase "TokenElevationTypeFull."
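As an added example (not part of the original text), the following PowerShell script automates the filter just described: it pulls Event ID 4688 from the Security log and keeps only entries whose Token Elevation Type is TokenElevationTypeFull, reading the value from the event XML instead of searching the rendered message text. It assumes Audit Process Tracking success auditing is already enabled and that it runs in an elevated PowerShell session (reading the Security log requires administrator rights); the $lookbackHours value is an arbitrary choice.

```powershell
# Added example: list 4688 process-creation events that ran with a full administrator
# token (Admin Approval Mode consent, RunAs, or a child of an already elevated process).
# Assumes: Audit Process Tracking is enabled and this runs in an elevated session.

$lookbackHours = 24   # arbitrary window; adjust as needed
$since = (Get-Date).AddHours(-$lookbackHours)

# First filter: Event ID 4688 in the Security log within the time window.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the event XML so fields can be read by name rather than by message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TokenElevationType is stored as a resource-string reference in the XML:
    #   %%1936 = TokenElevationTypeDefault (1)
    #   %%1937 = TokenElevationTypeFull    (2)   <- the interesting one
    #   %%1938 = TokenElevationTypeLimited (3)
    if ($data['TokenElevationType'] -ne '%%1937') { continue }

    # Emit the fields the text calls out: who, and which executable was started.
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        NewProcess = $data['NewProcessName']
        ProcessId  = $data['NewProcessId']
    } | Select-Object Time, User, NewProcess, ProcessId
}
```

Pipe the output to Format-Table or Export-Csv to review it; background services that start with Type 1 or Type 3 tokens are dropped by the %%1937 check, which is what the Find-for-TokenElevationTypeFull step above achieves by hand.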
