4696 A primary token was assigned to process
Written when a process runs using an access token other than the current one. It indicates running as a different user, starting a service, and so on, but it is deprecated from Windows 7 / 2008 R2 onward.
Overview
The subcategory is Audit Process Creation. It was generated whenever a process ran with a token different from the current access token, such as a UAC-elevated token, RUN AS as a different user, a scheduled task with a defined user, or a service. However, it is deprecated from Windows 7 / Windows Server 2008 R2 onward and is effectively superseded by later mechanisms (the token information in 4688 and 4624).
How it is triggered
- Running a process with a different token (UAC elevation, RUN AS, a user-defined scheduled task, a service, and so on).
- It is essentially not used on newer OSes.
Security review points
- On older OSes it was material for catching process execution under another user’s rights. In current environments, look at the equivalent angle through 4688 (process creation and token elevation type) and 4672 (special-privilege logon).
- When analyzing legacy environment logs, reference it as a clue to different-token execution.
Notes for log review
- It is a deprecated event that basically does not appear on current Windows. Use 4688 as the primary source in new detection designs.
- It only carries meaning when encountered in forensics of older systems.
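The review points above boil down to one question: did a process get a token other than its creator's? On legacy hosts 4696 answers it directly; on current hosts it has to be reconstructed from 4688's Target Subject and TokenElevationType fields. The following Python is an added example (not part of this page) that normalises both record types to that single view. It assumes the exported-event XML layout and the 4688/4696 EventData field names (SubjectUserName, TargetUserName, ProcessName, NewProcessName, TokenElevationType) and the %%1936/%%1937/%%1938 elevation placeholders; the sample records are constructed, not real exports.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholders Windows renders for TokenElevationType in 4688 (assumed from the 4688 schema)
ELEVATION = {"%%1936": "Default", "%%1937": "Full", "%%1938": "Limited"}

def event_data(xml_text):
    """Return (EventID, {Data Name: value}) from one exported Security event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def review(xml_text):
    """Normalise a 4696 (legacy) or 4688 (current) record to one 'different-token' view."""
    event_id, d = event_data(xml_text)
    subject, target = d.get("SubjectUserName", ""), d.get("TargetUserName", "")
    if event_id == 4696:
        # Legacy: the event itself means the process received a token other than the caller's.
        return {"event": 4696, "process": d.get("ProcessName"), "subject": subject,
                "target": target, "elevation": None, "different_token": True}
    if event_id == 4688:
        elevation = ELEVATION.get(d.get("TokenElevationType"), "Unknown")
        # Target Subject is "-" when the new process runs as its creator; a different
        # account there is the RUNAS / scheduled-task / service case 4696 used to flag.
        other_user = target not in ("", "-") and target.lower() != subject.lower()
        return {"event": 4688, "process": d.get("NewProcessName"), "subject": subject,
                "target": target, "elevation": elevation,
                "different_token": other_user or elevation == "Full"}  # Full = UAC-elevated token
    return None  # not a process-creation record

def _evt(event_id, data):
    """Build a minimal exported-event XML record (constructed test input, not a real export)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{items}</EventData></Event>")

SAMPLE_4696 = _evt(4696, {"SubjectUserName": "svc-backup", "TargetUserName": "ALICE",
                          "ProcessName": r"C:\Windows\System32\cmd.exe"})
SAMPLE_4688 = _evt(4688, {"SubjectUserName": "alice", "TargetUserName": "-",
                          "TokenElevationType": "%%1937",
                          "NewProcessName": r"C:\Windows\System32\cmd.exe"})

if __name__ == "__main__":
    for rec in (SAMPLE_4696, SAMPLE_4688):
        print(review(rec))
```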
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The subject that assigned the token |
| New Token Information | Information on the assigned token |
| Process Name | The target process |