Event 4673


Event 4673 is an Windows Security Log Event within the Microsoft Windows Logging system indicating that the specified user exercised the user right specified in the Privileges field.

The Windows Logon fields are used to determine details on the logging event

Unfortunately, Microsoft has overloaded these privileges so that each privilege may govern your authority to perform many different operations and which privilege is required for which operations is not well documented. Therefore seeing that a privilege was exercised doesn't really tell you much. In Windows Server 2008 this has been improved with better information in the Server: and Service Name: fields.
In general though, Ldapwiki still classifies these events as "noise"
Microsoft admits: "These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred."

Note: Event 4673 and 4674 do not log any activity associated with Logon Rights such as the SeNetworkLogonRight. Do not confuse events Event 4673 and 4674 with events 4717 and 4718 which document rights assignment changes as opposed to the exercise of rights which is the purpose of events Event 4673 and 4674.

More Information#

There might be more information for this subject on one of the following: ...nobody