Elevated token for event id 4624 for win2016
Posted 7/26/2017 5:12:43 AM
Forum Newbie

Group: Forum Members
Last Login: 7/26/2017 5:08:31 AM
Posts: 1, Visits: 0
Since Windows Server 2016, there has been a new 'Elevated_token' field in event ID 4624, "Successful logon".
According to the official Windows documentation:
Elevated Token [Version 2] [Type = UnicodeString]: a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and has administrator privileges.


https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4624
I performed some tests on a domain with an admin account and non-admin accounts, and it appears that this field is always set to "Yes".
Does anyone have more information about this field?
Post #7393
Posted 8/14/2017 5:01:49 PM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
It appears to have something to do with UAC according to the encyclopedia. I would try testing with UAC enabled and see what the results are.
Post #7401
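
Added example, not part of either post and not Microsoft's code: one way to run the comparison suggested in the reply is to tabulate ElevatedToken per account and logon type, and to pair sessions through TargetLinkedLogonId. The event records are constructed for illustration (account names, logon IDs and the Yes/No pattern are assumptions, not observed results), and the input is assumed to be event XML wrapped in one `<Events>` root element; in the raw XML the flag is stored as %%1842 (Yes) or %%1843 (No).

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
YES_NO = {"%%1842": "Yes", "%%1843": "No"}  # ids the raw XML stores for Yes/No

def _event(user, ltype, logon_id, linked_id, elevated):  # constructed 4624 record
    fields = {"TargetUserName": user, "LogonType": ltype, "TargetLogonId": logon_id,
              "TargetLinkedLogonId": linked_id, "ElevatedToken": elevated}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample (hypothetical accounts and logon IDs), not real log data.
SAMPLE = "<Events>" + "".join([
    _event("adm-alice", "2", "0x5a1f0", "0x5a21c", "%%1842"),  # linked pair, elevated
    _event("adm-alice", "2", "0x5a21c", "0x5a1f0", "%%1843"),  # linked pair, not elevated
    _event("bob", "2", "0x6b300", "0x0", "%%1843"),
    _event("adm-alice", "3", "0x7c410", "0x0", "%%1842"),
]) + "</Events>"

def parse_4624(xml_text):
    """Return one dict per 4624 event with ElevatedToken decoded to Yes/No."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        row = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        raw = row.get("ElevatedToken")  # missing in events older than version 2
        row["ElevatedToken"] = YES_NO.get(raw, raw or "n/a")
        rows.append(row)
    return rows

def summarize(rows):
    """Count events per (account, logon type, ElevatedToken value)."""
    return Counter((r["TargetUserName"], r["LogonType"], r["ElevatedToken"]) for r in rows)

def linked_pairs(rows):
    """Pair sessions whose TargetLinkedLogonId points at another logged session."""
    by_id = {r["TargetLogonId"]: r for r in rows}
    pairs = []
    for r in rows:
        peer = by_id.get(r.get("TargetLinkedLogonId"))
        if peer and int(r["TargetLogonId"], 16) < int(peer["TargetLogonId"], 16):
            pairs.append((r["TargetUserName"], r["ElevatedToken"], peer["ElevatedToken"]))
    return pairs

if __name__ == "__main__":
    print(summarize(parse_4624(SAMPLE)), linked_pairs(parse_4624(SAMPLE)))
```

If every (account, logon type) row in such a table reports only "Yes", comparing the logon types and UAC state behind those rows is the next thing to check.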