windows-itpro-docs
Incorrect event description 4688
According to the description in the documentation** of event 4688 "A new process has been created", TokenElevationTypeDefault (1) is described as follows: Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC is disabled by default), a service account or the local system account.
However, in reality (Windows 7, Windows 10), when a regular user (who is ONLY a member of the Users group) starts a process, events 4688 with TokenElevationTypeDefault (1) are generated. UAC is enabled and the user is not the built-in Administrator or even a member of the local Administrators group.
Question: how could this happen? An ordinary regular user cannot have a full token. This description of the event in the documentation does not allow one to properly analyze incidents related to this event or to conduct cyber investigations.
** https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
Document Details
- ID: 5eca37ef-510b-52ec-ed07-2fb4a2d307dc
- Version Independent ID: c4977b85-a93a-119d-3010-b6148c3421f0
- Content: 4688(S) A new process has been created. (Windows 10) - Windows security
- Content Source: windows/security/threat-protection/auditing/event-4688.md
- Product: m365-security
- Technology: windows-sec
- GitHub Login: @Dansimp
- Microsoft Alias: dansimp
@MValiukh - I have gone through your query but this is something that is not possible. The UAC cannot be enabled. I have tested the same on a PC where the user account is not an admin account but it shows the UAC as disabled.
@e0i - FYI & A Please.
Hi.
I don't really understand what UAC is being referred to in the event description.
Is UAC enabled on the operating system? Or is the UAC Virtualization turned on in relation to a specific user?
I had a globally enabled UAC during testing.
But UAC Virtualization in relation to a specific user is disabled.
What are we talking about then? There is no mention of “UAC Virtualization” in the event description - it just says UAC everywhere.
@MValiukh - What was the use-case so that can help me to get a clear idea of where it comes from?
@joinimran I don't fully understand what you are asking.
@MValiukh - I wanted to understand what the scenario was in which you were using this event ID and its related information, and the impact it is having on the investigation you were doing. This may help me to look into this from a different angle.
@joinimran Briefly, the issue is as follows: during cyber investigations, and also when analyzing incidents in SIEM systems, if event ID 4688 is detected with TokenElevationTypeDefault (1) and the user is not the built-in default admin (-500), we conclude (based on the documentation description) that global UAC has been disabled on that particular Windows host. This is at least inconsistent with best-practice Windows operating system settings and increases the risk of adversaries gaining elevated process access. These conclusions have implications for further investigation and its results. But the reality is that UAC is actually enabled globally on the host, and we are drawing the wrong conclusions from the infrastructure security analysis. I think that if the documentation refers to UAC Virtualization then this should be mentioned, because the analysis and conclusions all refer to https://docs.microsoft.com.
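The SIEM rule described in the comment above, run over a few constructed 4688 records, as an added example that is not part of this issue thread. It contrasts the literal reading of the documentation (type 1 and subject not RID 500 implies UAC disabled) with a narrowed variant that also requires the subject to be a member of Administrators, so that the Users-only accounts the thread reports with type 1 are not flagged; the Groups field is an assumption, since 4688 carries no group membership and it would have to come from a separate enrichment step.

```python
import re

# Constructed sample 4688 records (not real captures), flattened to key=value
# form. The Groups field is NOT part of event 4688; it is assumed here to be
# added by a separate enrichment step (e.g. a directory lookup on the SID).
SAMPLE_4688 = [
    "SubjectUserName=Administrator SubjectUserSid=S-1-5-21-1-2-3-500 TokenElevationType=%%1936 Groups=Administrators;Users NewProcessName=C:\\Windows\\System32\\cmd.exe",
    "SubjectUserName=alice SubjectUserSid=S-1-5-21-1-2-3-1105 TokenElevationType=%%1936 Groups=Users NewProcessName=C:\\Windows\\System32\\notepad.exe",
    "SubjectUserName=bob SubjectUserSid=S-1-5-21-1-2-3-1106 TokenElevationType=%%1938 Groups=Administrators;Users NewProcessName=C:\\Windows\\explorer.exe",
    "SubjectUserName=bob SubjectUserSid=S-1-5-21-1-2-3-1106 TokenElevationType=%%1937 Groups=Administrators;Users NewProcessName=C:\\Windows\\System32\\mmc.exe",
    "SubjectUserName=carol SubjectUserSid=S-1-5-21-1-2-3-1107 TokenElevationType=%%1936 Groups=Administrators;Users NewProcessName=C:\\Windows\\System32\\cmd.exe",
]

# In the event XML the elevation type is a resource-string reference:
# %%1936 = TokenElevationTypeDefault (1), %%1937 = Full (2), %%1938 = Limited (3).
ELEVATION_TYPE = {"%%1936": 1, "%%1937": 2, "%%1938": 3}

def parse_4688(line):
    """Split a flattened record into fields and decode the ones the rules need."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["ElevationType"] = ELEVATION_TYPE[fields["TokenElevationType"]]
    fields["Groups"] = set(fields.get("Groups", "").split(";")) - {""}
    fields["Rid"] = int(fields["SubjectUserSid"].rsplit("-", 1)[1])  # last SID component
    return fields

def naive_rule(ev):
    """Literal reading of the docs: type 1 and subject not RID 500 => UAC disabled."""
    return ev["ElevationType"] == 1 and ev["Rid"] != 500

def narrowed_rule(ev):
    """Only fire when the subject is in a group UAC would actually filter;
    a Users-only account with type 1 is exactly the case reported in the thread."""
    return naive_rule(ev) and "Administrators" in ev["Groups"]

def evaluate(lines, rule):
    """Return the SubjectUserNames the rule flags, in log order, deduplicated."""
    flagged = []
    for ev in map(parse_4688, lines):
        if rule(ev) and ev["SubjectUserName"] not in flagged:
            flagged.append(ev["SubjectUserName"])
    return flagged

if __name__ == "__main__":
    print("naive:   ", evaluate(SAMPLE_4688, naive_rule))     # ['alice', 'carol']
    print("narrowed:", evaluate(SAMPLE_4688, narrowed_rule))  # ['carol']
```

The naive rule flags alice, a Users-only account, which is the false positive the thread describes; the narrowed rule keeps only carol, an Administrators member whose unfiltered token is the signal worth investigating.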
Ok, I understand your point here. Can you please share what changes should be made in the document so that it reflects the correct information?