Windows Privilege Constants Reference
Privilege constants appear in the Privileges field of Microsoft-Windows-Security-Auditing events: primarily 4672 (special privileges assigned to new logon), 4673 (privileged service called), and 4674 (operation attempted on privileged object). The %%NNNN tokens in raw XML resolve to the descriptions below.
Privilege Constants
35 privileges
| Constant | Description | msobjs Code |
|---|---|---|
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | %%1603 |
| SeLockMemoryPrivilege | Lock pages in memory | %%1604 |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | %%1605 |
| SeTcbPrivilege | Act as part of the operating system | %%1607 |
| SeSecurityPrivilege | Manage auditing and security log | %%1608 |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects | %%1609 |
| SeLoadDriverPrivilege | Load and unload device drivers | %%1610 |
| SeSystemProfilePrivilege | Profile system performance | %%1611 |
| SeSystemtimePrivilege | Change the system time | %%1612 |
| SeProfileSingleProcessPrivilege | Profile single process | %%1613 |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | %%1614 |
| SeCreatePagefilePrivilege | Create a pagefile | %%1615 |
| SeCreatePermanentPrivilege | Create permanent shared objects | %%1616 |
| SeBackupPrivilege | Back up files and directories | %%1617 |
| SeRestorePrivilege | Restore files and directories | %%1618 |
| SeShutdownPrivilege | Shut down the system | %%1619 |
| SeDebugPrivilege | Debug programs | %%1620 |
| SeAuditPrivilege | Generate security audits | %%1621 |
| SeSystemEnvironmentPrivilege | Modify firmware environment values | %%1622 |
| SeChangeNotifyPrivilege | Bypass traverse checking | %%1623 |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system | %%1624 |
| SeCreateTokenPrivilege | Create a token object | — |
| SeImpersonatePrivilege | Impersonate a client after authentication | — |
| SeCreateGlobalPrivilege | Create global objects | — |
| SeMachineAccountPrivilege | Add workstations to domain | — |
| SeManageVolumePrivilege | Perform volume maintenance tasks | — |
| SeRelabelPrivilege | Modify an object label | — |
| SeIncreaseWorkingSetPrivilege | Increase a process working set | — |
| SeTimeZonePrivilege | Change the time zone | — |
| SeUndockPrivilege | Remove computer from docking station | — |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | — |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | — |
| SeSyncAgentPrivilege | Synchronize directory service data | — |
| SeCreateSymbolicLinkPrivilege | Create symbolic links | — |
| SeDelegateSessionUserImpersonatePrivilege | Obtain an impersonation token for another user in the same session | — |
Privileges Commonly Monitored
The following privileges are frequently flagged in detection rules because they grant powerful capabilities:
| Constant | Risk | Common Detection |
|---|---|---|
| SeDebugPrivilege | Process injection, credential dumping (e.g. Mimikatz) | Event 4672 with this privilege on non-admin accounts |
| SeTcbPrivilege | Full OS-level trust: token manipulation | Event 4672 on non-SYSTEM accounts |
| SeLoadDriverPrivilege | Load kernel drivers: rootkit installation | Event 4672 on standard user accounts |
| SeBackupPrivilege | Read any file regardless of ACL: SAM/NTDS extraction | Event 4672 or 4674 on non-backup accounts |
| SeRestorePrivilege | Write any file regardless of ACL | Event 4672 on non-backup accounts |
| SeImpersonatePrivilege | Token impersonation attacks (Potato exploits) | Event 4672 on service accounts |
| SeTakeOwnershipPrivilege | Take ownership to bypass ACLs | Event 4674 usage by non-admin |
| SeAssignPrimaryTokenPrivilege | Process token replacement | Event 4672 on non-service accounts |
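The following is an added example, not part of the original reference: a minimal Python triage function that parses the raw XML of events 4672/4673/4674, resolves any %%NNNN tokens using the codes in the table above, and reports monitored privileges held by accounts outside an expected set. The function names, the `EXPECTED_SIDS` allowlist and both sample events are assumptions constructed for illustration; `PrivilegeList` is the XML data name behind the Privileges field.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# msobjs codes from the table above, for the monitored privileges that have one.
MSOBJS = {
    "%%1603": "SeAssignPrimaryTokenPrivilege", "%%1607": "SeTcbPrivilege",
    "%%1609": "SeTakeOwnershipPrivilege", "%%1610": "SeLoadDriverPrivilege",
    "%%1617": "SeBackupPrivilege", "%%1618": "SeRestorePrivilege",
    "%%1620": "SeDebugPrivilege",
}
MONITORED = set(MSOBJS.values()) | {"SeImpersonatePrivilege"}
# Assumption: accounts expected to hold these privileges
# (well-known SIDs for SYSTEM, LOCAL SERVICE, NETWORK SERVICE). Tune per environment.
EXPECTED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

def parse_event(xml_text):
    """Return (event_id, EventData dict, privilege names with %% codes resolved)."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # The field holds one privilege per line, separated by newlines and tabs.
    tokens = re.split(r"[\s,]+", data.get("PrivilegeList", "").strip())
    privs = [MSOBJS.get(t, t) for t in tokens if t and t != "-"]
    return event_id, data, privs

def flag(xml_text):
    """Monitored privileges in a 4672/4673/4674 event for an unexpected account."""
    event_id, data, privs = parse_event(xml_text)
    if event_id not in (4672, 4673, 4674) or data.get("SubjectUserSid") in EXPECTED_SIDS:
        return []
    return sorted(p for p in set(privs) if p in MONITORED)

def sample(event_id, sid, user, privs):
    """Build a constructed, trimmed event record (not captured from a real host)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserSid">{sid}</Data>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="PrivilegeList">{privs}</Data></EventData></Event>')

SAMPLE_USER_EVENT = sample(4672, "S-1-5-21-1111111111-2222222222-3333333333-1104", "jdoe",
                           "SeChangeNotifyPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\t%%1617")
SAMPLE_SYSTEM_EVENT = sample(4672, "S-1-5-18", "SYSTEM", "SeTcbPrivilege\n\t\t\tSeDebugPrivilege")

if __name__ == "__main__":
    for ev in (SAMPLE_USER_EVENT, SAMPLE_SYSTEM_EVENT):
        print(parse_event(ev)[1]["SubjectUserName"], flag(ev))
```
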
Related Events
- Microsoft-Windows-Security-Auditing Event ID 4672: Special privileges assigned to new logon
- Microsoft-Windows-Security-Auditing Event ID 4673: A privileged service was called
- Microsoft-Windows-Security-Auditing Event ID 4674: An operation was attempted on a privileged object
- Microsoft-Windows-Security-Auditing Event ID 4688: A new process has been created (see the TokenElevationType field)
Source: Windows SDK, msobjs.dll message table (Windows 11 25H2, build 26100)