
4703 A user right (token privilege) was adjusted

Written when an account’s token privileges are enabled or disabled. It captures the dynamic toggling of privileges, but it is extremely high-volume and needs tuning before it is usable.

Overview

Its subcategory is Audit Authorization Policy Change. The event is generated when a privilege (such as SeShutdownPrivilege, a right that is enabled only at the moment it is needed) is toggled on or off in a specific account’s token. From Windows 10 on, it is also logged for applications and services that dynamically adjust token privileges (for example, Configuration Manager’s WMI queries generate a large number of 4703 events with svchost.exe as the process name).

How it is triggered

  • Enabling or disabling of token privileges via the AdjustTokenPrivileges API and similar calls.
  • It also occurs frequently during normal OS and application activity.

Security review points

  • Dynamic privilege adjustment is mostly legitimate. Still, if an unexpected process or account enables a strong privilege such as SeDebugPrivilege, treat it as possible preparation for credential theft or privilege escalation.
  • Read it together with special-privilege logon 4672 and privilege use 4673 / 4674 as the sequence of a strong right being granted (4672), enabled (4703), and used (4673 / 4674).

Notes for log review

  • It is a very high-volume event. As noted, it explodes with tools like Configuration Manager, so in practice either disable Success auditing for the Authorization Policy Change subcategory or filter heavily in the SIEM.
  • To avoid being swamped by volume, detect on the pairing of a notable privilege (such as SeDebugPrivilege) with a non-standard process rather than on the event alone.
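The pairing check described above, as an added example that is not part of this page: it parses the XML view of 4703 events, extracts the key fields, and reports only events where a notable privilege was enabled by a process outside an allow-list. NOTABLE and EXPECTED_PROCESSES are assumed starting points to baseline from your own logs, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Privileges whose dynamic enablement by an unexpected process deserves a look.
NOTABLE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege"}
# Hypothetical allow-list (lower-cased); baseline it from your own 4703 volume.
EXPECTED_PROCESSES = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\lsass.exe"}

def parse_4703(xml_text):
    """Pull the key fields out of a 4703 event's XML (Event Viewer 'XML view')."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4703":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    enabled = data.get("EnabledPrivilegeList", "-")  # whitespace-separated, "-" = none
    return {"subject": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
            "process": data.get("ProcessName", ""),
            "enabled": [] if enabled == "-" else enabled.split()}

def notable_hits(event):
    """Notable privileges enabled by a process that is not on the allow-list."""
    if event is None or event["process"].lower() in EXPECTED_PROCESSES:
        return []
    return sorted(NOTABLE & set(event["enabled"]))

def review(xml_events):
    """Apply the privilege/process pairing to a batch, keeping only events to look at."""
    out = []
    for xml_text in xml_events:
        ev = parse_4703(xml_text)
        hits = notable_hits(ev)
        if hits:
            out.append((ev["subject"], ev["process"], hits))
    return out

def _event(user, process, enabled):
    # Constructed, minimal 4703 XML for the demo; real events carry more Data fields.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4703</EventID></System><EventData>
  <Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">{user}</Data>
  <Data Name="ProcessName">{process}</Data>
  <Data Name="EnabledPrivilegeList">{enabled}</Data></EventData></Event>"""

SAMPLE_EVENTS = [  # constructed sample events, not real log data
    _event("svc-cm", r"C:\Windows\System32\svchost.exe", "SeDebugPrivilege"),  # suppressed
    _event("jdoe", r"C:\Users\jdoe\Downloads\tool.exe", "SeDebugPrivilege\n\t\tSeBackupPrivilege"),
    _event("jdoe", r"C:\Windows\explorer.exe", "SeShutdownPrivilege"),  # benign toggle
]
```

Running `review(SAMPLE_EVENTS)` returns only the tool.exe event; the svchost.exe event is suppressed by the allow-list and the SeShutdownPrivilege toggle is not notable.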

Key fields

Field                                       Meaning
Subject\Account Name                        The account whose privileges were adjusted
Enabled Privileges / Disabled Privileges    The privileges that were enabled or disabled
Process Name                                The process that performed the adjustment
