Monitoring Windows 10 event logs is one of the best ways to detect malicious activity on your network. Which event IDs should you watch? These are the most important types of log events to look for and what they can tell you.
Windows security event log ID 4688
Event 4688 records each program a computer executes, the program's identifying data, and the process that started it. Several 4688 events are logged each time you sign in to a system. For example, Session Manager Subsystem (SMSS.exe) launches at login and event 4688 is logged. In addition, the logged token elevation type shows what user rights the program runs with. As noted in Randy Franklin Smith’s Windows security blog, these token types show the rights of the account that launched the program.
- %%1936 – Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control (UAC) is disabled or if the user is the built-in administrator account or a service account.
- %%1937 – Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when UAC is enabled and the user chooses to start the program using “Run as administrator”. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the administrators group.
- %%1938 – Type 3 is the normal value when UAC is enabled and a user simply starts a program from the Start menu. It’s a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when the application does not require administrative privilege and the user does not choose to start the program with “Run as administrator”.
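To show how the token elevation type is read out of a 4688 record in practice, here is an added example (not code from the article or from Randy Franklin Smith's blog) that parses the Security log's XML layout of event 4688, maps the %%1936–%%1938 codes to Types 1–3, and flags the launches a reviewer would want to look at: elevated (Type 2) launches, and full-token (Type 1) launches by an interactive user on a host where UAC is expected to be enabled. The event records are constructed for the example; the treatment of machine accounts (names ending in `$`) and of SYSTEM, LOCAL SERVICE and NETWORK SERVICE as service accounts that legitimately run with a full token is an assumption.

```python
"""Parse Windows Security event 4688 XML records and triage token elevation types.
Added example; the event records below are constructed, not real log data."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# %%1936..%%1938 are the TokenElevationType codes the Security log writes for Types 1-3.
TOKEN_TYPES = {
    "%%1936": ("Type 1", "full token: UAC disabled, built-in Administrator, or service account"),
    "%%1937": ("Type 2", "elevated token: 'Run as administrator' or always-elevate application"),
    "%%1938": ("Type 3", "limited token: standard launch under UAC"),
}

# Assumption: accounts that run with a full token by design. Machine accounts end in '$'.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def parse_4688(xml_text):
    """Return the fields a triage needs from one 4688 record, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    code = data.get("TokenElevationType", "")
    label, meaning = TOKEN_TYPES.get(code, ("unknown", f"unrecognised code {code!r}"))
    return {
        "user": data.get("SubjectUserName", ""),
        "process": data.get("NewProcessName", ""),
        "parent": data.get("ParentProcessName", ""),
        "token_type": label,
        "token_meaning": meaning,
    }


def is_service_account(user):
    """Assumption: SYSTEM-style accounts and machine accounts legitimately hold a full token."""
    return user.upper() in SERVICE_ACCOUNTS or user.endswith("$")


def triage(xml_records, uac_enabled=True):
    """Return (user, process, reason) for launches worth a look: elevated (Type 2) launches,
    full-token (Type 1) launches by an interactive user on a UAC-enabled host, and unknown codes."""
    findings = []
    for rec in xml_records:
        ev = parse_4688(rec)
        if ev is None:  # not a process-creation event
            continue
        if ev["token_type"] == "Type 2":
            findings.append((ev["user"], ev["process"], "elevated launch"))
        elif ev["token_type"] == "Type 1" and uac_enabled and not is_service_account(ev["user"]):
            findings.append((ev["user"], ev["process"], "full token on UAC-enabled host"))
        elif ev["token_type"] == "unknown":
            findings.append((ev["user"], ev["process"], ev["token_meaning"]))
    return findings


def _event(event_id, user, new_proc, parent, token):
    """Build a constructed event record in the Security log's XML layout (subset of fields)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="NewProcessName">{new_proc}</Data>
    <Data Name="TokenElevationType">{token}</Data>
    <Data Name="ParentProcessName">{parent}</Data>
  </EventData>
</Event>"""


# Constructed sample records: a login-time smss.exe launch, a normal Start-menu launch,
# a "Run as administrator" launch, a full-token launch by an interactive user, and a 4689 (exit).
SAMPLE_EVENTS = [
    _event(4688, "WS01$", r"C:\Windows\System32\smss.exe", r"C:\Windows\System32\smss.exe", "%%1936"),
    _event(4688, "alice", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "%%1938"),
    _event(4688, "alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "%%1937"),
    _event(4688, "bob", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "%%1936"),
    _event(4689, "alice", r"C:\Windows\System32\notepad.exe", "", "%%1938"),
]

if __name__ == "__main__":
    for user, proc, reason in triage(SAMPLE_EVENTS):
        print(f"{user:8} {proc:40} {reason}")
```

Run against the constructed records, the smss.exe launch by the machine account and alice's Type 3 notepad.exe launch are left alone, while alice's elevated cmd.exe and bob's full-token cmd.exe are reported; on a host where UAC is known to be disabled, pass `uac_enabled=False` and only the Type 2 launch remains. Feeding real records in is a matter of exporting 4688 events as XML (for example with Get-WinEvent and `.ToXml()` in PowerShell) and passing them to `triage`.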