Windows Security Log Event ID 578

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryPrivilege Use
Type Success
Failure
Corresponding events
in Windows 2008
and Vista
4674  

578: Privileged object operation

On this page

This event indicates that the specified user exercised the user right specified in the Privileges field. To understand Primary and User fields see event 560.

Some user rights are logged by this event - others by 577. Still other, "high-volume" rights are not logged when they are exercised but simply noted as being held by a user at the time th user logs by event 576.

On Windows Server 2000, this event is logged for the "SeSecurityPrivilege" whenever the security log is viewed or cleared because these operations require the use of the "Manage auditing and security log right" (aka SeSecurityPrivilege). For some reason Windows Server 2003, in the same situation, does not log this event. Occurrences for SeTakeOwnershipPrivilege also appear however the object handle can't be found in any other events in the log so there is no way to identify the object that the "client" user took ownership of. Likewise, Windows Server 2003 does not log this event.
Note: 576, 577, and 578 do not log any activity associated with LogonRights such as the SeNetworkLogonRight.

Do not confuse 576, 577 or 578 with events 608, 609, 620 and 621 which document rights assignment changes as opposed to the exercise of rights which is the purpose of 576, 577 and 578.

Microsoft's Comments:

These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred.

 User Rights

User Right
Description
SeTcbPrivilege
Act as part of the operating system
SeMachineAccountPrivilege
Add workstations to domain
SeIncreaseQuotaPrivilege
Adjust memory quotas for a process
SeBackupPrivilege
Back up files and directories
SeChangeNotifyPrivilege
Bypass traverse checking
SeSystemtimePrivilege
Change the system time
SeCreatePagefilePrivilege
Create a pagefile
SeCreateTokenPrivilege
Create a token object
SeCreatePermanentPrivilege
Create permanent shared objects
SeDebugPrivilege
Debug programs
SeEnableDelegationPrivilege
Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege
Force shutdown from a remote system
SeAuditPrivilege
Generate security audits
SeIncreaseBasePriorityPrivilege
Increase scheduling priority
SeLoadDriverPrivilege
Load and unload device drivers
SeLockMemoryPrivilege
Lock pages in memory
SeSecurityPrivilege
Manage auditing and security log
SeSystemEnvironmentPrivilege
Modify firmware environment values
SeManageVolumePrivilege
Perform volume maintenance tasks
SeProfileSingleProcessPrivilege
Profile single process
SeSystemProfilePrivilege
Profile system performance
SeUndockPrivilege
Remove computer from docking station
SeAssignPrimaryTokenPrivilege
Replace a process level token
SeRestorePrivilege
Restore files and directories
SeShutdownPrivilege
Shut down the system
SeSyncAgentPrivilege
Synchronize directory service data
SeTakeOwnershipPrivilege
Take ownership of files or other objects

Free Security Log Resources by Randy

Description Fields in 578

  • Object Server:
  • Object Handle:
  • Process ID:
  • Primary User Name:
  • Primary Domain:
  • Primary Logon ID:
  • Client User Name:
  • Client Domain:
  • Client Logon ID:
  • Privileges:

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 578

Privileged object operation:
Object Server:EventLog
Object Handle:0
Process ID:248
Primary User Name:W2DC$
Primary Domain:ELMW2
Primary Logon ID:(0x0,0x3E7)
Client User Name:administrator
Client Domain:ELMW2
Client Logon ID:(0x0,0x804C2)
Privileges:SeSecurityPrivilege

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!