Special Logon

Windows 10 Windows 7 Windows 8 Windows 8.1 Windows 11 Security User Activity

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

A special logon indicates that a user or process with elevated or administrator privileges has logged onto the system. This log is recommended under HIPAA and PCI DSS for compliance and is recommended by the NSA Event Forwarding Guidance and JPCERT/CC.

View Logs

Get-WinEvent -FilterHashTable @{LogName='Security';ID='4672'} -MaxEvents 1 | Format-List

Check Logging Status

auditpol /get /subcategory:"Special Logon"

Disable Logging

auditpol /set /subcategory:"Special Logon" /Success:Disable /Failure:Disable

Enable Logging

auditpol /set /subcategory:"Special Logon" /Success:Enable /Failure:Enable

Language: Powershell

Back to Windows

Compliance

HIPAA

Level: Recommended

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

PCI DSS

Level: Recommended

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599

NSA Event Forwarding

Level: Recommended

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

To view this log in the Event Viewer, open the event viewer and navigate to the Windows Logs heading and then the Security Tab. From here, filter the log for the ID 4672.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4672'} -MaxEvents 1 | Format-List

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the commandwevtutil qe Security "/q:*[System [(EventID=4672)]]"

Additional References

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor